diff --git a/.config/.semgrep/semgrep.log b/.config/.semgrep/semgrep.log new file mode 100644 index 0000000..cb6c8fe --- /dev/null +++ b/.config/.semgrep/semgrep.log @@ -0,0 +1,121 @@ +2025-05-10 00:33:24,807 - semgrep.notifications - WARNING - METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev. +To disable Registry rule metrics, use "--metrics=off". +Using configs only from local files (like --config=xyz.yml) does not enable metrics. + +More information: https://semgrep.dev/docs/metrics + +2025-05-10 00:33:24,810 - semgrep.run_scan - DEBUG - semgrep version 1.2.0 +2025-05-10 00:33:24,819 - semgrep.git - DEBUG - Failed to get project url from 'git ls-remote': Command failed with exit code: 128 +----- +Command failed with output: +fatal: No remote configured to list refs from. + + +Failed to run 'git ls-remote --get-url'. Possible reasons: + +- the git binary is not available +- the current working directory is not a git repository +- the baseline commit is not a parent of the current commit + (if you are running through semgrep-app, check if you are setting `SEMGREP_BRANCH` or `SEMGREP_BASELINE_COMMIT` properly) +- the current working directory is not marked as safe + (fix with `git config --global --add safe.directory $(pwd)`) + +Try running the command yourself to debug the issue. +2025-05-10 00:33:24,820 - semgrep.config_resolver - DEBUG - Loading local config from /home/runner/workspace/.config/.semgrep/semgrep_rules.json +2025-05-10 00:33:24,823 - semgrep.config_resolver - DEBUG - Done loading local config from /home/runner/workspace/.config/.semgrep/semgrep_rules.json +2025-05-10 00:33:24,831 - semgrep.config_resolver - DEBUG - Saving rules to /tmp/semgrep-mthvn42m.rules +2025-05-10 00:33:25,197 - semgrep.semgrep_core - DEBUG - Failed to open resource semgrep-core-proprietary: [Errno 2] No such file or directory: '/tmp/_MEI1ufMVi/semgrep/bin/semgrep-core-proprietary'. +2025-05-10 00:33:25,912 - semgrep.rule_lang - DEBUG - semgrep-core validation response: valid=True +2025-05-10 00:33:25,913 - semgrep.rule_lang - DEBUG - semgrep-core validation succeeded +2025-05-10 00:33:25,913 - semgrep.rule_lang - DEBUG - RPC validation succeeded +2025-05-10 00:33:25,913 - semgrep.config_resolver - DEBUG - loaded 1 configs in 1.0931837558746338 +2025-05-10 00:33:26,154 - semgrep.run_scan - VERBOSE - running 1250 rules from 1 config /home/runner/workspace/.config/.semgrep/semgrep_rules.json_0 +2025-05-10 00:33:26,154 - semgrep.run_scan - VERBOSE - No .semgrepignore found. Using default .semgrepignore rules. See the docs for the list of default ignores: https://semgrep.dev/docs/cli-usage/#ignore-files +2025-05-10 00:33:26,158 - semgrep.run_scan - VERBOSE - Rules: +2025-05-10 00:33:26,158 - semgrep.run_scan - VERBOSE - +2025-05-10 00:33:26,661 - semgrep.core_runner - DEBUG - Passing whole rules directly to semgrep_core +2025-05-10 00:33:26,855 - semgrep.core_runner - DEBUG - Running Semgrep engine with command: +2025-05-10 00:33:26,855 - semgrep.core_runner - DEBUG - /tmp/_MEI1ufMVi/semgrep/bin/opengrep-core -json -rules /tmp/tmp6vt4ey5_.json -j 8 -targets /tmp/tmpsta40moi -timeout 5 -timeout_threshold 3 -max_memory 0 -fast +2025-05-10 00:33:29,983 - semgrep.core_runner - DEBUG - --- semgrep-core stderr --- +[00.07][INFO]: Executed as: /tmp/_MEI1ufMVi/semgrep/bin/opengrep-core -json -rules /tmp/tmp6vt4ey5_.json -j 8 -targets /tmp/tmpsta40moi -timeout 5 -timeout_threshold 3 -max_memory 0 -fast +[00.07][INFO]: Version: 1.2.0 +[00.07][INFO]: Parsing rules in /tmp/tmp6vt4ey5_.json +[00.82][INFO]: scan: processing 303 files (skipping 0), with 487 rules (skipping 0 ) +[03.08][INFO]: Custom ignore pattern: None +[03.08][INFO]: Custom ignore pattern: None +--- end semgrep-core stderr --- +2025-05-10 00:33:29,991 - semgrep.rule_match - DEBUG - match_key = ('', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 0ee74fd49637bebe183eca7188dbde26e386314e62cc2e7ba1ee60b377b638243fcd84e6c6fa04886198ccacfa6a711bfbcc61a28f9ddc913d5b3c53083cbc90_0 +2025-05-10 00:33:29,992 - semgrep.rule_match - DEBUG - match_key = (' rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css" / (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 1068497918b233fd4d3e50f287aaf6ab1a03059c638e7dd12249612bb34d624f7036ebd3f250440227c595b791530ce2bb70f5a13d3e4f169ddcde97bedfc6bc_0 +2025-05-10 00:33:29,993 - semgrep.rule_match - DEBUG - match_key = (' rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css" / (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 1068497918b233fd4d3e50f287aaf6ab1a03059c638e7dd12249612bb34d624f7036ebd3f250440227c595b791530ce2bb70f5a13d3e4f169ddcde97bedfc6bc_0 +2025-05-10 00:33:29,993 - semgrep.rule_match - DEBUG - match_key = (' rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css" / (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 1068497918b233fd4d3e50f287aaf6ab1a03059c638e7dd12249612bb34d624f7036ebd3f250440227c595b791530ce2bb70f5a13d3e4f169ddcde97bedfc6bc_0 +2025-05-10 00:33:29,994 - semgrep.rule_match - DEBUG - match_key = ('', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 0ee74fd49637bebe183eca7188dbde26e386314e62cc2e7ba1ee60b377b638243fcd84e6c6fa04886198ccacfa6a711bfbcc61a28f9ddc913d5b3c53083cbc90_0 +2025-05-10 00:33:29,995 - semgrep.rule_match - DEBUG - match_key = (' type="text/javascript" src="https://replit.com/public/js/replit-dev-banner.js" (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 0728b64e224596592d04447ba8a642ff94e1fb9fcc07be26d49dc7e7f6898e638ad16ffcaca086932c58f4c6400fe32603323afef02cf9bfebcb0e4a53562a40_0 +2025-05-10 00:33:29,995 - semgrep.rule_match - DEBUG - match_key = (' type="text/javascript" src="https://replit.com/public/js/replit-dev-banner.js" (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 0728b64e224596592d04447ba8a642ff94e1fb9fcc07be26d49dc7e7f6898e638ad16ffcaca086932c58f4c6400fe32603323afef02cf9bfebcb0e4a53562a40_0 +2025-05-10 00:33:29,995 - semgrep.rule_match - DEBUG - match_key = (' type="text/javascript" src="https://replit.com/public/js/replit-dev-banner.js" (?is).*integrity= (google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com) .*rel\\s*=\\s*[\'"]?preconnect.* href="... :// ..." href="//..." href=\'... :// ...\' href=\'//...\' src="... :// ..." src="//..." src=\'... :// ...\' src=\'//...\' ', PosixPath('client/index.html'), 'config..semgrep.vendored-rules.html.security.audit.missing-integrity') match_id = 0728b64e224596592d04447ba8a642ff94e1fb9fcc07be26d49dc7e7f6898e638ad16ffcaca086932c58f4c6400fe32603323afef02cf9bfebcb0e4a53562a40_0 +2025-05-10 00:33:29,998 - semgrep.core_runner - DEBUG - semgrep ran in 0:00:03.337440 on 103 files +2025-05-10 00:33:30,000 - semgrep.core_runner - DEBUG - findings summary: 2 warning, 0 error, 0 info +2025-05-10 00:33:30,004 - semgrep.app.auth - DEBUG - Getting API token from settings file +2025-05-10 00:33:30,004 - semgrep.app.auth - DEBUG - No API token found in settings file +2025-05-10 00:33:30,005 - semgrep.semgrep_core - DEBUG - Failed to open resource semgrep-core-proprietary: [Errno 2] No such file or directory: '/tmp/_MEI1ufMVi/semgrep/bin/semgrep-core-proprietary'. +2025-05-10 00:33:30,110 - semgrep.output - VERBOSE - +======================================== +Files skipped: +======================================== + + Always skipped by Opengrep: + + • + + Skipped by .gitignore: + (Disable by passing --no-git-ignore) + + • + + Skipped by .semgrepignore: + - https://semgrep.dev/docs/ignoring-files-folders-code/#understand-semgrep-defaults + + • + + Skipped by --include patterns: + + • + + Skipped by --exclude patterns: + + • + + Files skipped due to insufficient read permissions: + + • + + Skipped by limiting to files smaller than 1000000 bytes: + (Adjust with the --max-target-bytes flag) + + • attached_assets/8w-oevrI.jpeg + • attached_assets/DSC01368 2.jpeg + • attached_assets/DSC01380.jpeg + • attached_assets/DSC01394 2.jpeg + • attached_assets/DSC01466 2.jpeg + • attached_assets/Fadia-132.jpg + • attached_assets/Fadia-15.jpg + • attached_assets/Fadia-156.jpg + • attached_assets/save.jpeg + • client/src/assets/Fadia-132.jpg + • client/src/assets/Fadia-15.jpg + • client/src/assets/Fadia-156.jpg + • generated-icon.png + + Partially analyzed due to parsing or internal Opengrep errors + + • client/index.html (1 lines skipped) + • tailwind.config.ts (1 lines skipped) + +2025-05-10 00:33:30,111 - semgrep.output - INFO - Some files were skipped or only partially analyzed. + Scan was limited to files tracked by git. + Partially scanned: 2 files only partially analyzed due to parsing or internal Opengrep errors + Scan skipped: 13 files larger than 1.0 MB + For a full list of skipped files, run opengrep with the --verbose flag. + +Ran 443 rules on 103 files: 2 findings. +2025-05-10 00:33:30,112 - semgrep.app.version - DEBUG - Version cache does not exist +2025-05-10 00:33:30,133 - semgrep.metrics - VERBOSE - Not sending pseudonymous metrics since metrics are configured to OFF and registry usage is False diff --git a/.config/.semgrep/semgrep_rules.json b/.config/.semgrep/semgrep_rules.json new file mode 100644 index 0000000..f4f47ad --- /dev/null +++ b/.config/.semgrep/semgrep_rules.json @@ -0,0 +1,85514 @@ +{ + "rules": [ + { + "id": "vendored-rules.bash.curl.security.curl-eval", + "languages": [ + "bash" + ], + "message": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "bash", + "curl" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "eval ..." + } + ], + "pattern-sources": [ + { + "pattern": "$(curl ...)\n" + }, + { + "pattern": "`curl ...`\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.bash.curl.security.curl-pipe-bash", + "languages": [ + "bash" + ], + "message": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "bash", + "curl" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "curl ... | ... bash ..." + }, + { + "pattern": "curl ... | ... /bin/bash ..." + }, + { + "pattern": "... bash <(curl ...)" + }, + { + "pattern": "... /bin/bash <(curl ...)" + }, + { + "pattern": "... bash -c \"$(curl ...)\"" + }, + { + "pattern": "... /bin/bash -c \"$(curl ...)\"" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.bash.lang.security.ifs-tampering", + "languages": [ + "bash" + ], + "message": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-20: Improper Input Validation" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "bash" + ] + }, + "pattern": "IFS=...", + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.double-free", + "languages": [ + "c" + ], + "message": "Variable '$VAR' was freed twice. This can lead to undefined behavior.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-415: Double Free" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection", + "A01:2017 - Injection" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/415.html", + "https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "c" + ] + }, + "patterns": [ + { + "pattern-not": "free($VAR);\n...\n$VAR = NULL;\n...\nfree($VAR);\n" + }, + { + "pattern-not": "free($VAR);\n...\n$VAR = malloc(...);\n...\nfree($VAR);\n" + }, + { + "pattern-inside": "free($VAR);\n...\n$FREE($VAR);\n" + }, + { + "metavariable-pattern": { + "metavariable": "$FREE", + "pattern": "free" + } + }, + { + "focus-metavariable": "$FREE" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.c.lang.security.function-use-after-free", + "languages": [ + "c" + ], + "message": "Variable '$VAR' was passed to a function after being freed. This can lead to undefined behavior.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-416: Use After Free" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://cwe.mitre.org/data/definitions/416.html", + "https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "c" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FUNC(..., <... $VAR ...>, ...)" + }, + { + "pattern": "$FUNC(..., <... $VAR->$ACCESSOR ...>, ...)" + }, + { + "pattern": "$FUNC(..., <... (*$VAR).$ACCESSOR ...>, ...)" + }, + { + "pattern": "$FUNC(..., <... $VAR[$NUM] ...>, ...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "(?!^free$)" + } + }, + { + "pattern-inside": "free($VAR); ..." + }, + { + "pattern-not-inside": "free($VAR); ... $VAR = NULL; ..." + }, + { + "pattern-not-inside": "free($VAR); ... $VAR = malloc(...); ..." + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.info-leak-on-non-formated-string", + "languages": [ + "c" + ], + "message": "Use %s, %d, %c... to format your variables, otherwise this could leak information.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-532: Insertion of Sensitive Information into Log File" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A09:2021 - Security Logging and Monitoring Failures" + ], + "references": [ + "http://nebelwelt.net/files/13PPREW.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern": "printf(argv[$NUM]);", + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-gets-fn", + "languages": [ + "c" + ], + "message": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-676: Use of Potentially Dangerous Function" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern": "gets(...)", + "severity": "ERROR" + }, + { + "fix": "memset_s($...VARS)", + "id": "vendored-rules.c.lang.security.insecure-use-memset", + "languages": [ + "c" + ], + "message": "When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-14: Compiler Removal of Code to Clear Buffers" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/14.html", + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern": "memset($...VARS)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-printf-fn", + "languages": [ + "c" + ], + "message": "Avoid using user-controlled format strings passed into 'sprintf', 'printf' and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-134: Use of Externally-Controlled Format String" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://doc.castsoftware.com/display/SBX/Never+use+sprintf%28%29+or+vsprintf%28%29+functions", + "https://www.cvedetails.com/cwe-details/134/Uncontrolled-Format-String.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "c" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nvsprintf(..., $BUFFER, ...);\n" + }, + { + "pattern": "vsprintf(..., argv[$NUM], ...)" + }, + { + "pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nsprintf(..., $BUFFER, ...);\n" + }, + { + "pattern": "sprintf(...,argv[$NUM],...)" + }, + { + "pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nprintf(..., $BUFFER, ...);\n" + }, + { + "pattern": "printf(...,argv[$NUM],...)" + } + ] + }, + { + "metavariable-comparison": { + "comparison": "int($NUM) > 0", + "metavariable": "$NUM" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-scanf-fn", + "languages": [ + "c" + ], + "message": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-676: Use of Potentially Dangerous Function" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern": "scanf(...)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-strcat-fn", + "languages": [ + "c" + ], + "message": "Finding triggers whenever there is a strcat or strncat used. This is an issue because strcat or strncat can lead to buffer overflow vulns. Fix this by using strcat_s instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-676: Use of Potentially Dangerous Function" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2019-12553", + "https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern-either": [ + { + "pattern": "strcat(...)" + }, + { + "pattern": "strncat(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-string-copy-fn", + "languages": [ + "c" + ], + "message": "Finding triggers whenever there is a strcpy or strncpy used. This is an issue because strcpy does not affirm the size of the destination array and strncpy will not automatically NULL-terminate strings. This can lead to buffer overflows, which can cause program crashes and potentially let an attacker inject code in the program. Fix this by using strcpy_s instead (although note that strcpy_s is an optional part of the C11 standard, and so may not be available).", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-676: Use of Potentially Dangerous Function" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://cwe.mitre.org/data/definitions/676", + "https://nvd.nist.gov/vuln/detail/CVE-2019-11365" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern-either": [ + { + "pattern": "strcpy(...)" + }, + { + "pattern": "strncpy(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.insecure-use-strtok-fn", + "languages": [ + "c" + ], + "message": "Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-676: Use of Potentially Dangerous Function" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged", + "https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS", + "https://stackoverflow.com/a/40335556" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern": "strtok(...)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.random-fd-exhaustion", + "languages": [ + "c" + ], + "message": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://lwn.net/Articles/606141/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "c" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$FD = open(\"/dev/urandom\", ...);\n...\nread($FD, ...);\n" + }, + { + "pattern-not": "$FD = open(\"/dev/urandom\", ...);\n...\n$BYTES_READ = read($FD, ...);\n" + } + ] + }, + { + "patterns": [ + { + "pattern": "$FD = open(\"/dev/random\", ...);\n...\nread($FD, ...);\n" + }, + { + "pattern-not": "$FD = open(\"/dev/random\", ...);\n...\n$BYTES_READ = read($FD, ...);\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.c.lang.security.use-after-free", + "languages": [ + "c" + ], + "message": "Variable '$VAR' was used after being freed. This can lead to undefined behavior.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-416: Use After Free" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://cwe.mitre.org/data/definitions/416.html", + "https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "c" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$VAR->$ACCESSOR" + }, + { + "pattern": "(*$VAR).$ACCESSOR" + }, + { + "pattern": "$VAR[$NUM]" + } + ] + }, + { + "pattern-inside": "free($VAR); ..." + }, + { + "pattern-not-inside": "$VAR = NULL; ..." + }, + { + "pattern-not-inside": "free($VAR); ... $VAR = malloc(...); ..." + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.clojure.lang.security.command-injection-shell-call", + "languages": [ + "clojure" + ], + "message": "A call to clojure.java.shell has been found, this could lead to an RCE if the inputs are user-controllable. Please ensure their origin is validated and sanitized.", + "metadata": { + "author": "Gabriel Marquet ", + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://clojuredocs.org/clojure.java.shell/sh" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "clojure" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "(ns ...\n...\n(:require \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n" + }, + { + "pattern-inside": "(ns ...\n...\n(:use \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "(sh $BASH ...)" + }, + { + "metavariable-regex": { + "metavariable": "$BASH", + "regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "(sh $ARG ...)" + }, + { + "pattern-not": "(sh \"...\" ...)" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.clojure.lang.security.documentbuilderfactory-xxe", + "languages": [ + "clojure" + ], + "message": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://xerces.apache.org/xerces2-j/features.html" + ], + "source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/xxe-clojure-xml/xxe-clojure-xml.yml", + "subcategory": [ + "vuln" + ], + "technology": [ + "clojure", + "xml" + ] + }, + "patterns": [ + { + "pattern-inside": "(ns ... (:require [clojure.xml :as ...]))\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "(def ... ... ( ... ))\n" + }, + { + "pattern-inside": "(defn ... ... ( ... ))\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "(clojure.xml/parse $INPUT)" + }, + { + "patterns": [ + { + "pattern-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance) ...)\n" + }, + { + "pattern": "(.setFeature \"http://apache.org/xml/features/disallow-doctype-decl\" false)" + }, + { + "pattern-not-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance)\n ...\n (.setFeature \"http://xml.org/sax/features/external-general-entities\" false)\n ...\n (.setFeature \"http://xml.org/sax/features/external-parameter-entities\" false)\n ...)\n" + }, + { + "pattern-not-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance)\n ...\n (.setFeature \"http://xml.org/sax/features/external-parameter-entities\" false)\n ...\n (.setFeature \"http://xml.org/sax/features/external-general-entities\" false)\n ...)\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.clojure.lang.security.use-of-md5", + "languages": [ + "clojure" + ], + "message": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.", + "metadata": { + "author": "Gabriel Marquet ", + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-328: Use of Weak Hash" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", + "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" + ], + "source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml", + "subcategory": [ + "vuln" + ], + "technology": [ + "clojure" + ] + }, + "pattern-either": [ + { + "pattern": "(MessageDigest/getInstance \"MD5\")" + }, + { + "pattern": "(MessageDigest/getInstance MessageDigestAlgorithms/MD5)" + }, + { + "pattern": "(MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)" + }, + { + "pattern": "(java.security.MessageDigest/getInstance \"MD5\")" + }, + { + "pattern": "(java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)" + }, + { + "pattern": "(java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.clojure.lang.security.use-of-sha1", + "languages": [ + "clojure" + ], + "message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "CWE-328: Use of Weak Hash" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", + "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "clojure" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(MessageDigest/getInstance $ALGO)" + }, + { + "pattern": "(java.security.MessageDigest/getInstance $ALGO)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ALGO", + "regex": "(((org\\.apache\\.commons\\.codec\\.digest\\.)?MessageDigestAlgorithms/)?\"?(SHA-1|SHA1)\"?)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.clojure.security.clojure-read-string.read-string-unsafe", + "languages": [ + "clojure" + ], + "message": "The default core Clojure read-string method is dangerous and can lead to deserialization vulnerabilities. Use the edn/read-string instead.", + "metadata": { + "author": "Gabriel Marquet ", + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2020-top25": true, + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "http://www.learningclojure.com/2013/02/clojures-reader-is-unsafe.html#post-body-2898830171141471587", + "https://ericnormand.me/article/clojure-web-security", + "https://github.com/jafingerhut/jafingerhut.github.com/blob/master/clojure-info/using-edn-safely.md#vulnerabilities-in-clojurecores-read-and-read-string" + ], + "source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/tree/main/security/clojure-read-string", + "subcategory": [ + "audit" + ], + "technology": [ + "clojure" + ] + }, + "patterns": [ + { + "pattern-not-inside": "(ns ...\n(... :exclude [read read-string]))\n...\n(defn $VAR [$X]...)\n" + }, + { + "pattern-inside": "(defn $VAR [$X]...)\n" + }, + { + "pattern": "(read-string $X)\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.dotnet.security.mvc-missing-antiforgery", + "languages": [ + "csharp" + ], + "message": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery", + "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net", + "mvc" + ] + }, + "patterns": [ + { + "pattern": "[$HTTPMETHOD]\npublic IActionResult $METHOD(...){\n ...\n}\n" + }, + { + "pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n" + }, + { + "pattern-not": "[ValidateAntiForgeryToken]\npublic IActionResult $METHOD(...){\n ...\n}\n" + }, + { + "pattern-not": "[Consumes(...)]\npublic IActionResult $METHOD(...){\n ...\n}\n" + }, + { + "metavariable-regex": { + "metavariable": "$HTTPMETHOD", + "regex": "Http(Post|Put|Delete|Patch)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.net-webconfig-debug", + "languages": [ + "generic" + ], + "message": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from ``", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-11: ASP.NET Misconfiguration: Creating Debug Binary" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/", + "https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "paths": { + "include": [ + "*web.config*" + ] + }, + "patterns": [ + { + "pattern": "\n" + }, + { + "pattern-inside": "\n ...\n\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.net-webconfig-trace-enabled", + "languages": [ + "generic" + ], + "message": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1323: Improper Management of Sensitive Trace Data" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": "A05:2021 - Security Misconfiguration", + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance", + "https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "paths": { + "include": [ + "*web.config*" + ] + }, + "patterns": [ + { + "pattern": "\n" + }, + { + "pattern-inside": "\n ...\n\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.razor-template-injection", + "languages": [ + "csharp" + ], + "message": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "razor", + "asp" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "not_conflicting": true, + "pattern": "$F(...)" + } + ], + "pattern-sinks": [ + { + "pattern": "Razor.Parse(...)\n" + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$ARG" + }, + { + "pattern-inside": "public ActionResult $METHOD(..., string $ARG,...){...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.use_deprecated_cipher_algorithm", + "languages": [ + "csharp" + ], + "message": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern": "$KEYTYPE.Create(...);" + }, + { + "metavariable-pattern": { + "metavariable": "$KEYTYPE", + "pattern-either": [ + { + "pattern": "DES" + }, + { + "pattern": "RC2" + } + ] + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.dotnet.security.use_ecb_mode", + "languages": [ + "csharp" + ], + "message": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0", + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "($KEYTYPE $KEY).EncryptEcb(...);" + }, + { + "pattern": "($KEYTYPE $KEY).DecryptEcb(...);" + }, + { + "pattern": "($KEYTYPE $KEY).Mode = CipherMode.ECB;" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$KEYTYPE", + "pattern-either": [ + { + "pattern": "SymmetricAlgorithm" + }, + { + "pattern": "Aes" + }, + { + "pattern": "Rijndael" + }, + { + "pattern": "DES" + }, + { + "pattern": "TripleDES" + }, + { + "pattern": "RC2" + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.use_weak_rng_for_keygeneration", + "languages": [ + "csharp" + ], + "message": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks", + "https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors", + "https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "($KEYTYPE $CIPHER).Key = $SINK;" + }, + { + "focus-metavariable": "$SINK" + }, + { + "metavariable-pattern": { + "metavariable": "$KEYTYPE", + "pattern-either": [ + { + "pattern": "SymmetricAlgorithm" + }, + { + "pattern": "Aes" + }, + { + "pattern": "Rijndael" + }, + { + "pattern": "DES" + }, + { + "pattern": "TripleDES" + }, + { + "pattern": "RC2" + } + ] + } + } + ] + }, + { + "pattern": "new AesGcm(...)" + }, + { + "pattern": "new AesCcm(...)" + }, + { + "pattern": "new ChaCha20Poly1305(...)" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "(System.Random $RNG).NextBytes($KEY); ..." + }, + { + "pattern": "$KEY" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.dotnet.security.use_weak_rsa_encryption_padding", + "languages": [ + "csharp" + ], + "message": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-780: Use of RSA Algorithm without OAEP" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter", + "https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "pattern-either": [ + { + "pattern": "(RSAPKCS1KeyExchangeFormatter $FORMATER).CreateKeyExchange(...);" + }, + { + "pattern": "(RSAPKCS1KeyExchangeDeformatter $DEFORMATER).DecryptKeyExchange(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.web-config-insecure-cookie-settings", + "languages": [ + "generic" + ], + "message": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies", + "https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL", + "https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net", + "asp", + "webforms" + ] + }, + "paths": { + "include": [ + "*web.config" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "requireSSL=\"false\"\n" + }, + { + "pattern": "cookieRequireSSL=\"false\"\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "\n" + }, + { + "pattern-inside": "\n" + }, + { + "pattern-inside": "\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.ldap-injection", + "languages": [ + "csharp" + ], + "message": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection/", + "https://cwe.mitre.org/data/definitions/90", + "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "mode": "taint", + "options": { + "taint_unify_mvars": true + }, + "pattern-sanitizers": [ + { + "pattern-either": [ + { + "pattern": "Regex.Replace($INPUT, ...)" + }, + { + "pattern": "$ENCODER.LdapFilterEncode($INPUT)" + }, + { + "pattern": "$ENCODER.LdapDistinguishedNameEncode($INPUT)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$S.Filter = ... + $INPUT + ..." + }, + { + "pattern": "$S.Filter = String.Format(...,$INPUT)" + }, + { + "pattern": "$S.Filter = String.Concat(...,$INPUT)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$INPUT" + }, + { + "pattern-inside": "$T $M($INPUT,...) {...}" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.mass-assignment", + "languages": [ + "csharp" + ], + "message": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/915.html", + "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "View(...)" + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "public IActionResult $METHOD(..., $TYPE $ARG, ...){\n ...\n}\n" + }, + { + "pattern": "public ActionResult $METHOD(..., $TYPE $ARG, ...){\n ...\n}\n" + } + ] + }, + { + "pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n" + }, + { + "pattern-not": "public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){\n ...\n}\n" + }, + { + "pattern-not": "public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){\n ...\n}\n" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.misconfigured-lockout-option", + "languages": [ + "csharp" + ], + "message": "A misconfigured lockout mechanism allows an attacker to execute brute-force attacks. Account lockout must be correctly configured and enabled to prevent these attacks.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-307: Improper Restriction of Excessive Authentication Attempts" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures", + "https://cwe.mitre.org/data/definitions/307.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dotnet" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SIGNIN.PasswordSignInAsync(...,lockoutOnFailure: false,...);\n" + }, + { + "pattern": "$SIGNIN.CheckPasswordSignInAsync(...,lockoutOnFailure: false,...);\n" + } + ] + }, + { + "pattern-inside": "public async $TYPE $METHOD(...) {\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.missing-or-broken-authorization", + "languages": [ + "csharp" + ], + "message": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-862: Missing Authorization" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "cwe2023-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control", + "https://cwe.mitre.org/data/definitions/862.html", + "https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "mvc" + ] + }, + "patterns": [ + { + "pattern": "public class $CLASS : Controller {\n ...\n}\n" + }, + { + "pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n" + }, + { + "pattern-not": "[AllowAnonymous]\npublic class $CLASS : Controller {\n ...\n}\n" + }, + { + "pattern-not": "[Authorize]\npublic class $CLASS : Controller {\n ...\n}\n" + }, + { + "pattern-not": "[Authorize(Roles = ...)]\npublic class $CLASS : Controller {\n ...\n}\n" + }, + { + "pattern-not": "[Authorize(Policy = ...)]\npublic class $CLASS : Controller {\n ...\n}\n" + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.open-directory-listing", + "languages": [ + "csharp" + ], + "message": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-548: Exposure of Information Through Directory Listing" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A06:2017 - Security Misconfiguration", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/548.html", + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/", + "https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "mvc" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(IApplicationBuilder $APP).UseDirectoryBrowser(...);" + }, + { + "pattern": "$BUILDER.Services.AddDirectoryBrowser(...);" + } + ] + }, + { + "pattern-inside": "public void Configure(...) {\n ...\n}\n" + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.razor-use-of-htmlstring", + "languages": [ + "generic" + ], + "message": "ASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/116.html", + "https://owasp.org/Top10/A03_2021-Injection/", + "https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-6.0#html-encoding-using-razor" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "paths": { + "include": [ + "*.cshtml" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new ...HtmlString(...)" + }, + { + "pattern": "@(new ...HtmlString(...))" + } + ] + }, + { + "pattern-not-inside": "@(new ...HtmlString(...HtmlEncode(...)))" + }, + { + "pattern-not-inside": "@(new ...HtmlString(...Encode(...)))" + }, + { + "pattern-not-inside": "new ...HtmlString(...HtmlEncode(...))" + }, + { + "pattern-not-inside": "new ...HtmlString(...Encode(...))" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.dotnet.security.audit.xpath-injection", + "languages": [ + "csharp" + ], + "message": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection/", + "https://cwe.mitre.org/data/definitions/643.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern-either": [ + { + "pattern": "XPathExpression $EXPR = $NAV.Compile(\"...\" + $INPUT + \"...\");" + }, + { + "pattern": "var $EXPR = $NAV.Compile(\"...\" + $INPUT + \"...\");" + }, + { + "pattern": "XPathNodeIterator $NODE = $NAV.Select(\"...\" + $INPUT + \"...\");" + }, + { + "pattern": "var $NODE = $NAV.Select(\"...\" + $INPUT + \"...\");" + }, + { + "pattern": "Object $OBJ = $NAV.Evaluate(\"...\" + $INPUT + \"...\");" + }, + { + "pattern": "var $OBJ = $NAV.Evaluate(\"...\" + $INPUT + \"...\");" + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "$T $M($INPUT,...) {...}" + }, + { + "pattern": "$T $M(...) {\n ...\n string $INPUT;\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.missing-hsts-header", + "languages": [ + "csharp" + ], + "message": "The HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-346: Origin Validation Error" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/346.html", + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dotnet" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "public void Configure(...) {\n ...\n (IApplicationBuilder $APP). ...;\n ...\n}\n" + }, + { + "focus-metavariable": "$APP" + }, + { + "pattern-not-inside": "public void Configure(...) {\n ...\n (IApplicationBuilder $APP).UseHsts(...);\n ...\n}\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "public void ConfigureServices(...) {\n ...\n (IServiceCollection $SERVICES). ...;\n ...\n}\n" + }, + { + "focus-metavariable": "$SERVICES" + }, + { + "pattern-not-inside": "public void ConfigureServices(...) {\n ...\n (IServiceCollection $SERVICES).AddHsts(...);\n ...\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.open-redirect", + "languages": [ + "csharp" + ], + "message": "A query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/601.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "csharp" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "Redirect(...)" + }, + { + "pattern-not-inside": "if (IsLocalUrl(...)) { \n ... \n Redirect(...); \n ...\n}\n" + }, + { + "pattern-not-inside": "if ($URL.IsLocalUrl(...)) { \n ... \n Redirect(...); \n ...\n}\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$PARAM" + }, + { + "pattern-inside": "public $TYPE $FUNCNAME (..., string $PARAM, ...) {\n ...\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.stacktrace-disclosure", + "languages": [ + "csharp" + ], + "message": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-209: Generation of Error Message Containing Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A06:2017 - Security Misconfiguration", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/209.html", + "https://owasp.org/Top10/A04_2021-Insecure_Design/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "csharp" + ] + }, + "patterns": [ + { + "pattern": "$APP.UseDeveloperExceptionPage(...);" + }, + { + "pattern-not-inside": "if ($ENV.IsDevelopment(...)) {\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "fix": "true\n", + "id": "vendored-rules.csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation", + "languages": [ + "csharp" + ], + "message": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-613: Insufficient Session Expiration" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/", + "https://cwe.mitre.org/data/definitions/613.html", + "https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "csharp" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$LIFETIME = $FALSE" + }, + { + "pattern-inside": "new TokenValidationParameters {...}" + } + ] + }, + { + "patterns": [ + { + "pattern": "(TokenValidationParameters $OPTS). ... .$LIFETIME = $FALSE\n" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$LIFETIME", + "regex": "(RequireExpirationTime|ValidateLifetime)" + } + }, + { + "metavariable-regex": { + "metavariable": "$FALSE", + "regex": "(false)" + } + }, + { + "focus-metavariable": "$FALSE" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.cryptography.X509-subject-name-validation", + "languages": [ + "csharp" + ], + "message": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-295: Improper Certificate Validation" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.IdentityModel.Tokens;\n...\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "X509SecurityToken $TOK = $RHS;\n...\n" + }, + { + "pattern-inside": "$T $M(..., X509SecurityToken $TOK, ...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$RHS", + "pattern-either": [ + { + "pattern": "$T as X509SecurityToken" + }, + { + "pattern": "new X509SecurityToken(...)" + } + ] + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "X509Certificate2 $CERT = new X509Certificate2(...);\n...\n" + }, + { + "pattern-inside": "$T $M(..., X509Certificate2 $CERT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "foreach (X509Certificate2 $CERT in $COLLECTION) {\n ...\n}\n" + } + ] + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "String.Equals($NAME, \"...\")" + }, + { + "pattern": "String.Equals(\"...\", $NAME)" + }, + { + "pattern": "$NAME.Equals(\"...\")" + }, + { + "pattern": "$NAME == \"...\"" + }, + { + "pattern": "$NAME != \"...\"" + }, + { + "pattern": "\"...\" == $NAME\n" + }, + { + "pattern": "\"...\" != $NAME\n" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$NAME", + "pattern-either": [ + { + "pattern": "$TOK.Certificate.SubjectName.Name" + }, + { + "pattern": "$CERT.SubjectName.Name" + }, + { + "pattern": "$CERT.GetNameInfo(...)" + } + ] + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.cryptography.X509Certificate2-privkey", + "languages": [ + "C#" + ], + "message": "X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to `null` or set it to another key without deleting it first, the private key will be left on disk. ", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-310: CWE CATEGORY: Cryptographic Issues" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.privatekey" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Security.Cryptography;\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "X509Certificate2Collection $COLLECTION = ...;\n...\n" + }, + { + "pattern-inside": "X509Certificate2 $CERT = ...;\n...\n" + } + ] + }, + { + "pattern": "$CERT.PrivateKey" + } + ], + "severity": "WARNING" + }, + { + "fix": "RequireSignedTokens = true", + "id": "vendored-rules.csharp.lang.security.cryptography.unsigned-security-token", + "languages": [ + "csharp" + ], + "message": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-347: Improper Verification of Cryptographic Signature" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control/", + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/", + "https://cwe.mitre.org/data/definitions/347" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "csharp" + ] + }, + "patterns": [ + { + "pattern": "RequireSignedTokens = false" + }, + { + "pattern-inside": "new TokenValidationParameters {\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.filesystem.unsafe-path-combine", + "languages": [ + "csharp" + ], + "message": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/", + "https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern": "Path.GetFileName(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$X = Path.GetFileName(...);\n...\n" + }, + { + "pattern": "$X" + } + ] + }, + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-inside": "if(<... Path.GetFileName($X) != $X ...>){\n ...\n throw new $EXCEPTION(...);\n}\n...\n" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$X" + }, + { + "pattern": "File.$METHOD($X,...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "(?i)^(read|write)" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$A" + }, + { + "pattern-inside": "Path.Combine(...,$A,...)\n" + }, + { + "pattern-inside": "public $TYPE $M(...,$A,...){...}\n" + }, + { + "pattern-not-inside": "<... Path.GetFileName($A) != $A ...>\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.http.http-listener-wildcard-bindings", + "languages": [ + "C#" + ], + "message": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-706: Use of Incorrectly-Resolved Name or Reference" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Net;\n...\n" + }, + { + "pattern": "$LISTENER.Prefixes.Add(\"$PREFIX\")" + }, + { + "metavariable-regex": { + "metavariable": "$PREFIX", + "regex": "(http|https)://(\\*|\\+)(.[a-zA-Z]{2,})?:[0-9]+" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.injections.os-command-injection", + "languages": [ + "csharp" + ], + "message": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/Command_Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Diagnostics;\n...\n" + }, + { + "pattern-inside": "public $T $F(..., $ARG, ...)\n{\n ...\n}\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "Process.Start($ARG, ...);\n" + }, + { + "focus-metavariable": "$ARG" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "Process $PROC = new Process();\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "$PROC.StartInfo.FileName = $ARG;\n...\n" + }, + { + "pattern-inside": "$PROC.StartInfo.Arguments = <... $ARG ...>;\n...\n" + } + ] + }, + { + "pattern": "$PROC.Start();\n" + } + ] + }, + { + "patterns": [ + { + "patterns": [ + { + "pattern-inside": "ProcessStartInfo $PSINFO = new ProcessStartInfo()\n{\n ...\n};\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "FileName = $ARG;\n...\n" + }, + { + "pattern-inside": "Arguments = <... $ARG ...>;\n...\n" + } + ] + } + ] + }, + { + "pattern": "Process.Start($PSINFO);\n" + }, + { + "focus-metavariable": "$PSINFO" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "Process $PROC = new Process()\n{\n StartInfo = new ProcessStartInfo()\n {\n ...\n }\n};\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "FileName = $ARG;\n...\n" + }, + { + "pattern-inside": "Arguments = $ARG;\n...\n" + } + ] + }, + { + "pattern": "$PROC.Start();\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-binaryformatter-deserialization", + "languages": [ + "C#" + ], + "message": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Runtime.Serialization.Formatters.Binary;\n...\n" + }, + { + "pattern": "new BinaryFormatter();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.data-contract-resolver", + "languages": [ + "C#" + ], + "message": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern": "class $MYDCR : DataContractResolver { ... }\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-fastjson-deserialization", + "languages": [ + "C#" + ], + "message": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://github.com/mgholam/fastJSON#security-warning-update" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using fastJSON;\n...\n" + }, + { + "pattern": "new JSONParameters\n{\n BadListTypeChecking = false\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-fspickler-deserialization", + "languages": [ + "C#" + ], + "message": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using MBrace.FsPickler.Json;\n...\n" + }, + { + "pattern": "FsPickler.CreateJsonSerializer();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full", + "languages": [ + "C#" + ], + "message": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0", + "https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL }" + }, + { + "patterns": [ + { + "pattern-inside": "$TYPE $SP = new BinaryServerFormatterSinkProvider(...);\n...\n" + }, + { + "pattern": "$SP.TypeFilterLevel = $LEVEL\n" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$LEVEL", + "regex": "(.*)TypeFilterLevel\\.(Full|Low)" + } + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$DICT[\"typeFilterLevel\"] = $VAL;\n...\n" + }, + { + "pattern": "new BinaryServerFormatterSinkProvider(..., $DICT, ...)" + }, + { + "metavariable-regex": { + "metavariable": "$VAL", + "regex": "(\\\"Full\\\"|\\\"Low\\\")" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-javascriptserializer-deserialization", + "languages": [ + "C#" + ], + "message": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Web.Script.Serialization;\n...\n" + }, + { + "pattern": "new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-losformatter-deserialization", + "languages": [ + "C#" + ], + "message": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Web.UI;\n...\n" + }, + { + "pattern": "new LosFormatter();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-netdatacontract-deserialization", + "languages": [ + "C#" + ], + "message": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Runtime.Serialization;\n...\n" + }, + { + "pattern": "new NetDataContractSerializer();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-newtonsoft-deserialization", + "languages": [ + "csharp" + ], + "message": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net", + "newtonsoft", + "json" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "TypeNameHandling = TypeNameHandling.$TYPEHANDLER" + }, + { + "pattern": "$SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER;\n...\nJsonConvert.DeserializeObject<$TYPE>(...,$SETTINGS);\n" + }, + { + "pattern": "$SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER;\n...\nJsonConvert.DeserializeObject(...,$SETTINGS);\n" + } + ] + }, + { + "pattern-inside": "using Newtonsoft.Json;\n...\n" + }, + { + "metavariable-regex": { + "metavariable": "$TYPEHANDLER", + "regex": "(All|Auto|Objects|Arrays)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-soapformatter-deserialization", + "languages": [ + "C#" + ], + "message": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Runtime.Serialization.Formatters.Soap;\n...\n" + }, + { + "pattern": "new SoapFormatter();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.memory.memory-marshal-create-span", + "languages": [ + "C#" + ], + "message": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-125: Out-of-bounds Read" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0", + "https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "pattern-either": [ + { + "pattern": "MemoryMarshal.CreateSpan(...)" + }, + { + "pattern": "MemoryMarshal.CreateReadOnlySpan(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout", + "languages": [ + "C#" + ], + "message": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1333: Inefficient Regular Expression Complexity" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": "A01:2017 - Injection", + "references": [ + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", + "https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout", + "https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Text.RegularExpressions;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "new Regex(..., TimeSpan.InfiniteMatchTimeout)" + }, + { + "patterns": [ + { + "pattern": "new Regex(..., TimeSpan.FromSeconds($TIME))" + }, + { + "metavariable-comparison": { + "comparison": "$TIME > 5", + "metavariable": "$TIME" + } + } + ] + }, + { + "pattern": "new Regex(..., TimeSpan.FromMinutes(...))" + }, + { + "pattern": "new Regex(..., TimeSpan.FromHours(...))" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.regular-expression-dos.regular-expression-dos", + "languages": [ + "C#" + ], + "message": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1333: Inefficient Regular Expression Complexity" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": "A01:2017 - Injection", + "references": [ + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", + "https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Text.RegularExpressions;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "public $T $F($X)\n{\n Regex $Y = new Regex($P);\n ...\n $Y.Match($X);\n}\n" + }, + { + "pattern": "public $T $F($X)\n{\n Regex $Y = new Regex($P, $O);\n ...\n $Y.Match($X);\n}\n" + }, + { + "pattern": "public $T $F($X)\n{\n ... Regex.Match($X, $P);\n}\n" + }, + { + "pattern": "public $T $F($X)\n{\n ... Regex.Match($X, $P, $O);\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.sqli.csharp-sqli", + "languages": [ + "csharp" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "csharp" + ] + }, + "mode": "taint", + "pattern-propagators": [ + { + "from": "$X", + "pattern": "(StringBuilder $B).$ANY(...,(string $X),...)", + "to": "$B" + } + ], + "pattern-sanitizers": [ + { + "by-side-effect": true, + "pattern-either": [ + { + "pattern": "$CMD.Parameters.add(...)\n" + }, + { + "pattern": "$CMD.Parameters[$IDX] = ...\n" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "new $PATTERN($CMD,...)\n" + }, + { + "focus-metavariable": "$CMD" + } + ] + }, + { + "patterns": [ + { + "pattern": "$CMD.$PATTERN = $VALUE;\n" + }, + { + "focus-metavariable": "$VALUE" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$PATTERN", + "regex": "^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "(string $X)\n" + }, + { + "pattern-not": "\"...\"\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.ssrf.ssrf", + "languages": [ + "csharp" + ], + "message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Net.Http;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$T $F(..., $X, ...)\n{\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetAsync(<... $X ...>, ...);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetAsync($B, ...);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetStringAsync(<... $X ...>);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetStringAsync($B);\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.ssrf.ssrf", + "languages": [ + "csharp" + ], + "message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using RestSharp;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n... new RestClient(<... $X ...>);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\n... new RestClient($B);\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.ssrf.ssrf", + "languages": [ + "csharp" + ], + "message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Net;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenRead(<... $X ...>);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenRead($B);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenReadAsync(<... $X ...>, ...);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenReadAsync($B, ...);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.DownloadString(<... $X ...>);\n}\n" + }, + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.DownloadString($B);\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.ssrf.ssrf", + "languages": [ + "csharp" + ], + "message": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/918.html", + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + ".net" + ] + }, + "patterns": [ + { + "pattern-inside": "using System.Net;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$T $F(..., $X, ...)\n{\n...\n... WebRequest.Create(<... $X ...>);\n}\n" + }, + { + "pattern": "$T $F($X)\n{\n...\n$A $B = <... $X ...>;\n...\n... WebRequest.Create($B);\n}\n" + }, + { + "pattern": "$T $F($X)\n{\n...\n$A $B = <... $X ...>;\n...\n$C $D = <... $B ...>;\n...\n... WebRequest.Create($D);\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.csharp.lang.security.xxe.xmldocument-unsafe-parser-override", + "languages": [ + "csharp" + ], + "message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.jardinesoftware.net/2016/05/26/xxe-and-net/", + "https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "xml" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$XMLDOCUMENT.$METHOD(...)\n" + }, + { + "pattern-inside": "XmlDocument $XMLDOCUMENT = new XmlDocument(...);\n...\n$XMLDOCUMENT.XmlResolver = new XmlUrlResolver(...);\n... \n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$ARG" + }, + { + "pattern-inside": "public $T $M(...,string $ARG,...){...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override", + "languages": [ + "csharp" + ], + "message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.jardinesoftware.net/2016/05/26/xxe-and-net/", + "https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "xml" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "XmlReader $READER = XmlReader.Create(...,$RS,...);\n" + }, + { + "pattern-inside": "XmlReaderSettings $RS = new XmlReaderSettings();\n...\n$RS.DtdProcessing = DtdProcessing.Parse;\n... \n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$ARG" + }, + { + "pattern-inside": "public $T $M(...,string $ARG,...){...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.lang.security.xxe.xmltextreader-unsafe-defaults", + "languages": [ + "csharp" + ], + "message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.jardinesoftware.net/2016/05/26/xxe-and-net/", + "https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + ".net", + "xml" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$READER.$METHOD(...)\n" + }, + { + "pattern-not-inside": "$READER.DtdProcessing = DtdProcessing.Prohibit;\n...\n" + }, + { + "pattern-inside": "XmlTextReader $READER = new XmlTextReader(...);\n...\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$ARG" + }, + { + "pattern-inside": "public $T $M(...,string $ARG,...){...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.csharp.razor.security.html-raw-json", + "languages": [ + "generic" + ], + "message": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "razor" + ] + }, + "paths": { + "include": [ + "*.cshtml" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "@Html.Raw(Json.Encode(...))" + }, + { + "pattern": "@Html.Raw(JsonConvert.SerializeObject(...))" + }, + { + "pattern": "@Html.Raw(...ToJson(...))" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.dockerfile.audit.dockerfile-source-not-pinned", + "languages": [ + "dockerfile" + ], + "message": "To ensure reproducible builds, pin Dockerfile `FROM` commands to a specific hash. You can find the hash by running `docker pull $IMAGE` and then specify it with `$IMAGE:$VERSION@sha256:`", + "metadata": { + "category": "best-practice", + "references": [ + "https://stackoverflow.com/a/33511811/4965" + ], + "technology": [ + "docker" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "FROM $IMAGE:$VERSION@$HASH" + }, + { + "metavariable-regex": { + "metavariable": "$HASH", + "regex": "(?!sha256:)" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "FROM $IMAGE" + }, + { + "pattern": "FROM $IMAGE:$VERSION" + }, + { + "pattern-not-inside": "FROM $IMAGE:$VERSION@$HASH" + } + ] + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.dockerfile.security.dockerfile-dockerd-socket-mount", + "languages": [ + "dockerfile", + "yaml" + ], + "message": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-862: Missing Authorization", + "CWE-269: Improper Privilege Management" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", + "https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/", + "https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern": "VOLUME $X" + }, + { + "metavariable-regex": { + "metavariable": "$X", + "regex": "/var/run/docker.sock" + } + } + ] + }, + { + "patterns": [ + { + "pattern-regex": "- \"/var/run/docker.sock:.*\"" + }, + { + "pattern-inside": "volumes:\n ...\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.dockerfile.security.last-user-is-root", + "languages": [ + "dockerfile" + ], + "message": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-269: Improper Privilege Management" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://github.com/hadolint/hadolint/wiki/DL3002" + ], + "source-rule-url": "https://github.com/hadolint/hadolint/wiki/DL3002", + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "patterns": [ + { + "pattern": "USER root" + }, + { + "pattern-not-inside": { + "patterns": [ + { + "pattern": "USER root\n...\nUSER $X\n" + }, + { + "metavariable-pattern": { + "metavariable": "$X", + "patterns": [ + { + "pattern-not": "root" + } + ] + } + } + ] + } + } + ], + "severity": "ERROR" + }, + { + "fix": "USER non-root\nENTRYPOINT $...VARS\n", + "id": "vendored-rules.dockerfile.security.missing-user-entrypoint", + "languages": [ + "dockerfile" + ], + "message": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-269: Improper Privilege Management" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "patterns": [ + { + "pattern": "ENTRYPOINT $...VARS\n" + }, + { + "pattern-not-inside": "USER $USER\n...\n" + } + ], + "severity": "ERROR" + }, + { + "fix": "USER non-root\nCMD $...VARS\n", + "id": "vendored-rules.dockerfile.security.missing-user", + "languages": [ + "dockerfile" + ], + "message": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-269: Improper Privilege Management" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "patterns": [ + { + "pattern": "CMD $...VARS\n" + }, + { + "pattern-not-inside": "USER $USER\n...\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.dockerfile.security.no-sudo-in-dockerfile", + "languages": [ + "dockerfile" + ], + "message": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-250: Execution with Unnecessary Privileges" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/250.html", + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "patterns": [ + { + "pattern": "RUN sudo ...\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.dockerfile.security.secret-in-build-arg", + "languages": [ + "dockerfile" + ], + "message": "Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running `docker image history` on the image will show information on how the image was built, including arguments. If these contain plain text secrets, anyone with access to the docker image can access those secrets and exploit them.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/538.html", + "https://docs.docker.com/engine/reference/builder/#arg" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "dockerfile" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "ARG $ARG" + }, + { + "pattern": "ARG $ARG=..." + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ARG", + "regex": "(?i).*(password|secret|token|key|cert|api|auth)" + } + } + ], + "severity": "WARNING" + }, + { + "fix": "$MODULE.to_existing_atom($STRING)", + "id": "vendored-rules.elixir.lang.correctness.atom_exhaustion", + "languages": [ + "elixir" + ], + "message": "Atom values are appended to a global table but never removed. If input is user-controlled, dynamic instantiations such as `String.to_atom` or `List.to_atom` can lead to possible memory leaks. Instead, use `String.to_existing_atom` or `List.to_existing_atom`.", + "metadata": { + "category": "correctness", + "references": [ + "https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/atom_exhaustion.html" + ], + "technology": [ + "elixir" + ] + }, + "patterns": [ + { + "pattern": "$MODULE.to_atom($STRING)" + }, + { + "metavariable-regex": { + "metavariable": "$MODULE", + "regex": "^(String|List)$" + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.generic.bicep.security.secure-parameter-for-secrets", + "languages": [ + "generic" + ], + "message": "Mark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-532: Insertion of Sensitive Information into Log File" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A09:2021 - Security Logging and Monitoring Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/532.html", + "https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "bicep" + ] + }, + "paths": { + "include": [ + "*.bicep" + ] + }, + "patterns": [ + { + "pattern": "param $NAME string" + }, + { + "pattern-not-inside": "@secure()\nparam $NAME string\n" + }, + { + "metavariable-regex": { + "metavariable": "$NAME", + "regex": "(?i).*(password|secret|token)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.generic.ci.audit.changed-semgrepignore", + "languages": [ + "generic" + ], + "message": "`$1` has been added to the .semgrepignore list of ignored paths. Someone from app-sec may want to audit these changes.", + "metadata": { + "category": "best-practice", + "references": [ + "https://semgrep.dev/docs/ignoring-files-folders-code/" + ], + "technology": [ + "semgrep" + ] + }, + "paths": { + "include": [ + ".semgrepignore" + ] + }, + "patterns": [ + { + "pattern-regex": "^(.*)$\n" + }, + { + "pattern-not-regex": "^\\n.*$\n" + }, + { + "pattern-not-regex": "^#.*$\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.generic.ci.security.bash_reverse_shell", + "languages": [ + "generic" + ], + "message": "Semgrep found a bash reverse shell", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "ci" + ] + }, + "pattern-either": [ + { + "pattern": "sh -i >& /dev/udp/.../... 0>&1\n" + }, + { + "pattern": "<...>/dev/tcp/.../...; sh <&... >&... 2>&\n" + }, + { + "pattern": "<...>/dev/tcp/.../...; cat <&... | while read line; do $line 2>&... >&...;done\n" + }, + { + "pattern": "sh -i ...<...> /dev/tcp/.../... ...<&... 1>&... 2>&\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.generic.gradle.security.build-gradle-password-hardcoded", + "languages": [ + "generic" + ], + "message": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2020-top25": true, + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures" + ], + "source_rule_url": "https://semgrep.dev/playground/r/qNU2d1G/achufistov6_personal_org.groovy-build-gradle-password-hardcoded", + "subcategory": [ + "vuln" + ], + "technology": [ + "secrets" + ], + "vulnerability_class": [ + "Hard-coded Secrets" + ] + }, + "paths": { + "include": [ + "*build.gradle" + ] + }, + "patterns": [ + { + "pattern": "password = env[...] ?: \"$SECRET\"\n" + } + ], + "severity": "WARNING" + }, + { + "fix-regex": { + "regex": "{{(.*?)}}", + "replacement": "\"{{\\1}}\"" + }, + "id": "vendored-rules.generic.html-templates.security.unquoted-attribute-var", + "languages": [ + "generic" + ], + "message": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "html-templates" + ] + }, + "paths": { + "include": [ + "*.html", + "*.mustache", + "*.hbs" + ] + }, + "patterns": [ + { + "pattern-inside": "<$TAG ...>" + }, + { + "pattern-not-inside": "=\"...\"" + }, + { + "pattern-not-inside": "='...'" + }, + { + "pattern": "{{ ... }}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.generic.html-templates.security.var-in-href", + "languages": [ + "generic" + ], + "message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (`href=\"/{{link}}\"`). You may also consider setting the Content Security Policy (CSP) header.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI", + "https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url", + "https://github.com/pugjs/pug/issues/2952", + "https://content-security-policy.com/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "html-templates" + ] + }, + "paths": { + "include": [ + "*.html", + "*.mustache", + "*.hbs" + ] + }, + "patterns": [ + { + "pattern-inside": "" + }, + { + "pattern-either": [ + { + "pattern": "href = {{ ... }}" + }, + { + "pattern": "href = \"{{ ... }}\"" + }, + { + "pattern": "href = '{{ ... }}'" + } + ] + }, + { + "pattern-not-inside": "href = {{ url_for(...) ... }}" + }, + { + "pattern-not-inside": "href = \"{{ url_for(...) ... }}\"" + }, + { + "pattern-not-inside": "href = '{{ url_for(...) ... }}'" + }, + { + "pattern-not-inside": "href = \"/{{ ... }}\"" + }, + { + "pattern-not-inside": "href = '/{{ ... }}'" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.generic.html-templates.security.var-in-script-src", + "languages": [ + "generic" + ], + "message": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A", + "https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough", + "https://github.com/ESAPI/owasp-esapi-js" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "html-templates" + ] + }, + "paths": { + "include": [ + "*.mustache", + "*.hbs", + "*.html" + ] + }, + "patterns": [ + { + "pattern-inside": "" + }, + { + "pattern-not-inside": "" + }, + { + "pattern": "` ... {{ ... }} ...`" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.audit.xss.no-io-writestring-to-responsewriter", + "languages": [ + "go" + ], + "message": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/", + "https://golang.org/pkg/io/#WriteString" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "io.WriteString($WRITER, \"...\")" + }, + { + "pattern": "io.WriteString($WRITER, $STRING)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.audit.xss.no-printf-in-responsewriter", + "languages": [ + "go" + ], + "message": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n" + } + ] + }, + { + "pattern": "$WRITER.Write(<... fmt.$PRINTF(...) ...>, ...)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.audit.xss.unsafe-template-type", + "languages": [ + "go" + ], + "message": "Semgrep could not determine that the argument to 'template.HTML()' is a constant. 'template.HTML()' and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use 'template.Execute()'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML", + "https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "patterns": [ + { + "pattern-not": "template.$ANY(\"...\" + \"...\")" + }, + { + "pattern-not": "template.$ANY(\"...\")" + }, + { + "pattern-either": [ + { + "pattern": "template.HTML(...)" + }, + { + "pattern": "template.CSS(...)" + }, + { + "pattern": "template.HTMLAttr(...)" + }, + { + "pattern": "template.JS(...)" + }, + { + "pattern": "template.JSStr(...)" + }, + { + "pattern": "template.Srcset(...)" + }, + { + "pattern": "template.URL(...)" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.audit.xxe.parsing-external-entities-enabled", + "languages": [ + "go" + ], + "message": "Detected enabling of \"XMLParseNoEnt\", which allows parsing of external entities and can lead to XXE if user controlled data is parsed by the library. Instead, do not enable \"XMLParseNoEnt\" or be sure to adequately sanitize user-controlled data when it is being parsed by this library.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://knowledge-base.secureflag.com/vulnerabilities/xml_injection/xml_entity_expansion_go_lang.html", + "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "libxml2" + ] + }, + "patterns": [ + { + "pattern-inside": "import (\"github.com/lestrrat-go/libxml2/parser\")\n...\n" + }, + { + "pattern": "$PARSER := parser.New(parser.XMLParseNoEnt)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.injection.open-redirect", + "languages": [ + "go" + ], + "message": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "description": "An HTTP redirect was found to be crafted from user-input leading to an open redirect vulnerability", + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "references": [ + "https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "go" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "http.Redirect($W, $REQ, $URL, ...)" + }, + { + "focus-metavariable": "$URL" + } + ], + "requires": "INPUT and not CLEAN" + } + ], + "pattern-sources": [ + { + "label": "INPUT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "($REQUEST : *http.Request).$ANYTHING\n" + }, + { + "pattern": "($REQUEST : http.Request).$ANYTHING\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ANYTHING", + "regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$" + } + } + ] + }, + { + "label": "CLEAN", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$URLSTR\" + $INPUT\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "fmt.Fprintf($F, \"$URLSTR\", $INPUT, ...)" + }, + { + "pattern": "fmt.Sprintf(\"$URLSTR\", $INPUT, ...)" + }, + { + "pattern": "fmt.Printf(\"$URLSTR\", $INPUT, ...)" + } + ] + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$URLSTR", + "regex": ".*//[a-zA-Z0-10]+\\..*" + } + } + ], + "requires": "INPUT" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.injection.raw-html-format", + "languages": [ + "go" + ], + "message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "go" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern": "html.EscapeString(...)" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "fmt.Printf(\"$HTMLSTR\", ...)" + }, + { + "pattern": "fmt.Sprintf(\"$HTMLSTR\", ...)" + }, + { + "pattern": "fmt.Fprintf($W, \"$HTMLSTR\", ...)" + }, + { + "pattern": "\"$HTMLSTR\" + ..." + } + ] + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$HTMLSTR", + "pattern": "<$TAG ..." + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "($REQUEST : *http.Request).$ANYTHING\n" + }, + { + "pattern": "($REQUEST : http.Request).$ANYTHING\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ANYTHING", + "regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.lang.security.injection.tainted-sql-string", + "languages": [ + "go" + ], + "message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/doc/database/sql-injection", + "https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "go" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sanitizers": [ + { + "pattern-either": [ + { + "pattern": "strconv.Atoi(...)" + }, + { + "pattern": "($X: bool)\n" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + ...\n" + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$SQLSTR\";\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "var $SB strings.Builder\n...\n" + }, + { + "pattern-inside": "$SB.WriteString(\"$SQLSTR\")\n...\n$SB.String(...)\n" + }, + { + "pattern": "$SB.WriteString(...)\n" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop).*" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "fmt.Fprintf($F, \"$SQLSTR\", ...)" + }, + { + "pattern": "fmt.Sprintf(\"$SQLSTR\", ...)" + }, + { + "pattern": "fmt.Printf(\"$SQLSTR\", ...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*%(v|s|q).*" + } + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "($REQUEST : *http.Request).$ANYTHING\n" + }, + { + "pattern": "($REQUEST : http.Request).$ANYTHING\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ANYTHING", + "regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$" + } + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.go.lang.security.injection.tainted-url-host", + "languages": [ + "go" + ], + "message": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://goteleport.com/blog/ssrf-attacks/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "go" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$CLIENT := &http.Client{...}\n...\n" + }, + { + "pattern": "$CLIENT.$METHOD($URL, ...)" + } + ] + }, + { + "pattern": "http.$METHOD($URL, ...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(Get|Head|Post|PostForm)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "http.NewRequest(\"$METHOD\", $URL, ...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(GET|HEAD|POST|POSTFORM)$" + } + } + ] + } + ] + }, + { + "focus-metavariable": "$URL" + } + ], + "requires": "INPUT and not CLEAN" + } + ], + "pattern-sources": [ + { + "label": "INPUT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "($REQUEST : *http.Request).$ANYTHING\n" + }, + { + "pattern": "($REQUEST : http.Request).$ANYTHING\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$ANYTHING", + "regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$" + } + } + ] + }, + { + "label": "CLEAN", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$URLSTR\" + $INPUT\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "fmt.Fprintf($F, \"$URLSTR\", $INPUT, ...)" + }, + { + "pattern": "fmt.Sprintf(\"$URLSTR\", $INPUT, ...)" + }, + { + "pattern": "fmt.Printf(\"$URLSTR\", $INPUT, ...)" + } + ] + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$URLSTR", + "regex": ".*//[a-zA-Z0-10]+\\..*" + } + } + ], + "requires": "INPUT" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.otto.security.audit.dangerous-execution", + "languages": [ + "go" + ], + "message": "Detected non-static script inside otto VM. Audit the input to 'VM.Run'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "otto", + "vm" + ] + }, + "patterns": [ + { + "pattern-inside": "$VM = otto.New(...)\n...\n" + }, + { + "pattern-not": "$VM.Run(\"...\", ...)" + }, + { + "pattern": "$VM.Run(...)" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.go.template.security.go-insecure-templates", + "languages": [ + "go" + ], + "message": "usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML", + "https://twitter.com/empijei/status/1275177219011350528" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "template" + ] + }, + "patterns": [ + { + "pattern-inside": "import \"html/template\"\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "var $VAR template.HTML = $EXP" + }, + { + "pattern": "var $VAR template.CSS = $EXP" + }, + { + "pattern": "var $VAR template.HTMLAttr = $EXP" + }, + { + "pattern": "var $VAR template.JS = $EXP" + }, + { + "pattern": "var $VAR template.JSStr = $EXP" + }, + { + "pattern": "var $VAR template.Srcset = $EXP" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.go.template.security.go-ssti", + "languages": [ + "go" + ], + "message": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. When using \"html/template\" always check that user inputs are validated and sanitized before included within the template.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine" + ], + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://www.onsecurity.io/blog/go-ssti-method-research/", + "http://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "go" + ] + }, + "patterns": [ + { + "pattern-inside": "import (\"html/template\")\n...\n" + }, + { + "pattern": "$TEMPLATE = fmt.Sprintf(\"...\", $ARG, ...)" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "func $FN(..., $REQ *http.Request, ...){\n...\n}\n" + }, + { + "pattern-inside": "func $FN(..., $REQ http.Request, ...){\n...\n}\n" + }, + { + "pattern-inside": "func(..., $REQ *http.Request, ...){\n...\n}\n" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$ARG := $REQ.URL.Query().Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n" + }, + { + "pattern-inside": "$ARG := $REQ.Form.Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n" + }, + { + "pattern-inside": "$ARG := $REQ.PostForm.Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.html.security.plaintext-http-link", + "languages": [ + "html" + ], + "message": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/319.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "html" + ] + }, + "patterns": [ + { + "pattern": "..." + }, + { + "metavariable-regex": { + "metavariable": "$URL", + "regex": "^(?i)http://" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.html.security.audit.eval-detected", + "languages": [ + "html" + ], + "message": "Detected the use of eval(...). This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Follow OWASP best practices to ensure you handle XSS within a JavaScript context correct, and consider using safer APIs to evaluate user-input such as JSON.parse(...). ", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection", + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "patterns": [ + { + "pattern-inside": "\n" + }, + { + "metavariable-pattern": { + "language": "javascript", + "metavariable": "$...A", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X(...)" + } + ] + }, + { + "pattern-not": "$X(\"...\")" + }, + { + "metavariable-regex": { + "metavariable": "$X", + "regex": "^(eval)$" + } + }, + { + "focus-metavariable": "$X" + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.html.security.audit.insecure-document-method", + "languages": [ + "html" + ], + "message": "Detected the use of an inner/outerHTML assignment. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use a dangerous web API, consider using a sanitization library such as DOMPurify to sanitize the HTML before it is assigned.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "patterns": [ + { + "pattern-inside": "\n" + }, + { + "metavariable-pattern": { + "language": "javascript", + "metavariable": "$...A", + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X. ... .innerHTML = ..." + }, + { + "pattern": "$X. ... .outerHTML = ..." + } + ] + }, + { + "pattern-not": "$X. ... .$V = \"...\"" + } + ] + } + ] + }, + { + "focus-metavariable": "$X" + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.html.security.audit.missing-integrity", + "languages": [ + "generic" + ], + "message": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-353: Missing Support for Integrity Check" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "html" + ] + }, + "paths": { + "include": [ + "*.html" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "" + }, + { + "pattern": "" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$...A", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "src='... :// ...'" + }, + { + "pattern": "src=\"... :// ...\"" + }, + { + "pattern": "href='... :// ...'" + }, + { + "pattern": "href=\"... :// ...\"" + }, + { + "pattern": "src='//...'" + }, + { + "pattern": "src=\"//...\"" + }, + { + "pattern": "href='//...'" + }, + { + "pattern": "href=\"//...\"" + } + ] + }, + { + "pattern-not-regex": "(?is).*integrity=" + }, + { + "pattern-not-regex": "(google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com)" + }, + { + "pattern-not-regex": ".*rel\\s*=\\s*['\"]?preconnect.*" + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.android.security.exported_activity", + "languages": [ + "generic" + ], + "message": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-926: Improper Export of Android Application Components" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A5:2021 Security Misconfiguration" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/926.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "Android" + ] + }, + "paths": { + "exclude": [ + "sources/", + "classes3.dex", + "*.so" + ], + "include": [ + "*AndroidManifest.xml" + ] + }, + "patterns": [ + { + "pattern-not-inside": "" + }, + { + "pattern-inside": " \n" + }, + { + "pattern-either": [ + { + "pattern": "\n" + }, + { + "pattern": " ... />\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.aws-lambda.security.tainted-sql-string", + "languages": [ + "java" + ], + "message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/SQL_Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + ...\n" + }, + { + "pattern": "\"$SQLSTR\".concat(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$SQLSTR\";\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + }, + { + "pattern": "String.format(\"$SQLSTR\", ...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + }, + { + "pattern-not-inside": "System.out.$PRINTLN(...)\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern": "$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n" + }, + { + "pattern": "$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.aws-lambda.security.tainted-sqli", + "languages": [ + "java" + ], + "message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "sql", + "java", + "aws-lambda" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(java.sql.CallableStatement $STMT) = ...; \n" + }, + { + "pattern": "(java.sql.Statement $STMT) = ...;\n" + }, + { + "pattern": "(java.sql.PreparedStatement $STMT) = ...;\n" + }, + { + "pattern": "$VAR = $CONN.prepareStatement(...)\n" + }, + { + "pattern": "$PATH.queryForObject(...);\n" + }, + { + "pattern": "(java.util.Map $STMT) = $PATH.queryForMap(...);\n" + }, + { + "pattern": "(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n" + }, + { + "patterns": [ + { + "pattern-inside": "(String $SQL) = \"$SQLSTR\" + ...;\n...\n" + }, + { + "pattern": "$PATH.$SQLCMD(..., $SQL, ...);" + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)" + } + }, + { + "metavariable-regex": { + "metavariable": "$SQLCMD", + "regex": "(execute|query|executeUpdate|batchUpdate)" + } + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern": "$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n" + }, + { + "pattern": "$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.java-jwt.security.java-jwt-hardcoded-secret", + "languages": [ + "java" + ], + "message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "secrets", + "jwt" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(Algorithm $ALG) = $ALGO.$HMAC(\"$Y\");\n" + }, + { + "pattern": "$SECRET = \"$Y\";\n...\n(Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n" + }, + { + "pattern": "class $CLASS {\n ...\n $TYPE $SECRET = \"$Y\";\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n (Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n ...\n }\n ...\n}\n" + } + ] + }, + { + "focus-metavariable": "$Y" + }, + { + "metavariable-regex": { + "metavariable": "$HMAC", + "regex": "(HMAC384|HMAC256|HMAC512)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.java-jwt.security.java-jwt-none-alg", + "languages": [ + "java" + ], + "message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "vuln" + ], + "technology": [ + "jwt" + ] + }, + "pattern-either": [ + { + "pattern": "$JWT.sign(com.auth0.jwt.algorithms.Algorithm.none());\n" + }, + { + "pattern": "$NONE = com.auth0.jwt.algorithms.Algorithm.none();\n...\n$JWT.sign($NONE);\n" + }, + { + "pattern": "class $CLASS {\n ...\n $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none();\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n $JWT.sign($NONE);\n ...\n }\n ...\n}" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.java-jwt.security.audit.java-jwt-decode-without-verify", + "languages": [ + "java" + ], + "message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-345: Insufficient Verification of Data Authenticity" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "vuln" + ], + "technology": [ + "jwt" + ] + }, + "patterns": [ + { + "pattern": "com.auth0.jwt.JWT.decode(...);\n" + }, + { + "pattern-not-inside": "class $CLASS {\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n $VERIFIER.verify(...);\n ...\n }\n}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.jax-rs.security.insecure-resteasy-deserialization", + "languages": [ + "java" + ], + "message": "When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://access.redhat.com/blogs/766093/posts/3162112" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jax-rs" + ] + }, + "pattern-either": [ + { + "pattern": "@Consumes({\"application/x-java-serialized-object\"})\n" + }, + { + "pattern": "@Consumes({\"*/*\"})\n" + }, + { + "pattern": "@Consumes(\"*/*\")\n" + }, + { + "pattern": "@Consumes({MediaType.WILDCARD_TYPE})\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.jax-rs.security.default-resteasy-provider-abuse", + "languages": [ + "java" + ], + "message": "When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://access.redhat.com/blogs/766093/posts/3162112" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jax-rs" + ] + }, + "patterns": [ + { + "pattern": "@Path(\"...\")\npublic $RETURNTYPE $METHOD(...) { ...}\n" + }, + { + "pattern-not-inside": "@GET\npublic $RETURNTYPE $METHOD(...) { ...}\n" + }, + { + "pattern-not-inside": "@Path(\"...\")\n@Consumes(...)\npublic $RETURNTYPE $METHOD(...) { ...}\n" + }, + { + "pattern-not-inside": "@Consumes(...)\npublic class $CLASSNAME { ... }\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.jax-rs.security.jax-rs-path-traversal", + "languages": [ + "java" + ], + "message": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.owasp.org/index.php/Path_Traversal" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN", + "subcategory": [ + "vuln" + ], + "technology": [ + "jax-rs" + ] + }, + "pattern-either": [ + { + "pattern": "$RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) {\n ...\n new File(..., $VAR, ...);\n ...\n}\n" + }, + { + "pattern": "$RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) {\n ...\n new File(..., $VAR, ...);\n ...\n}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.jboss.security.seam-log-injection", + "languages": [ + "java" + ], + "message": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "jboss" + ] + }, + "patterns": [ + { + "pattern": "$LOG.$INFO($X + $Y,...)\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "import org.jboss.seam.log.Log;\n...\n" + }, + { + "pattern-inside": "org.jboss.seam.log.Log $LOG = ...;\n...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$INFO", + "regex": "(debug|error|fatal|info|trace|warn)" + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.jboss.security.find-sql-string-concatenation", + "languages": [ + "java" + ], + "message": "In $METHOD, $X is used to construct a SQL query via string concatenation.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "jboss" + ] + }, + "pattern-either": [ + { + "pattern": "$RETURN $METHOD(...,String $X,...){\n ...\n Session $SESSION = ...;\n ...\n String $QUERY = ... + $X + ...;\n ...\n PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n ...\n ResultSet $RESULT = $PS.executeQuery();\n ...\n}\n" + }, + { + "pattern": "$RETURN $METHOD(...,String $X,...){\n ...\n String $QUERY = ... + $X + ...;\n ...\n Session $SESSION = ...;\n ...\n PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n ...\n ResultSet $RESULT = $PS.executeQuery();\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.jjwt.security.jjwt-none-alg", + "languages": [ + "java" + ], + "message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "audit" + ], + "technology": [ + "jwt" + ] + }, + "patterns": [ + { + "pattern": "io.jsonwebtoken.Jwts.builder();\n" + }, + { + "pattern-not-inside": "$RETURNTYPE $FUNC(...) {\n ...\n $JWTS.signWith(...);\n ...\n}" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.do-privileged-use", + "languages": [ + "java" + ], + "message": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-269: Improper Privilege Management" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html", + "https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation", + "http://phrack.org/papers/escaping_the_java_sandbox.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-inside": "import java.security.*;\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "AccessController.doPrivileged(...);" + }, + { + "pattern": "class $ACTION implements PrivilegedAction { ... }" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.httpservlet-path-traversal", + "languages": [ + "java" + ], + "message": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.owasp.org/index.php/Path_Traversal" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern": "org.apache.commons.io.FilenameUtils.getName(...)" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(java.io.File $FILE) = ...\n" + }, + { + "pattern": "(java.io.FileOutputStream $FOS) = ...\n" + }, + { + "pattern": "new java.io.FileInputStream(...)\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(HttpServletRequest $REQ)\n" + }, + { + "patterns": [ + { + "pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n" + }, + { + "pattern": "$COOKIE.getValue(...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...);\n...\n" + }, + { + "pattern": "$PARAM = $VALS[$INDEX];\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.insecure-jms-deserialization", + "languages": [ + "java" + ], + "message": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.", + "metadata": { + "asvs": { + "control_id": "5.5.3 Insecue Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-inside": "public class $JMS_LISTENER implements MessageListener {\n ...\n public void onMessage(Message $JMS_MSG) {\n ...\n }\n}\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "$X = $Y.getObject(...);" + }, + { + "pattern-inside": "$X = ($Z) $Y.getObject(...);" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.jackson-unsafe-deserialization", + "languages": [ + "java" + ], + "message": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A8:2017 Insecure Deserialization", + "A8:2021 Software and Data Integrity Failures" + ], + "references": [ + "https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038", + "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jackson" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "ObjectMapper $OM = new ObjectMapper(...);\n...\n" + }, + { + "pattern-inside": "$OM.enableDefaultTyping();\n...\n" + }, + { + "pattern": "$OM.readValue($JSON, ...);" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "class $CLASS {\n ...\n @JsonTypeInfo(use = Id.CLASS,...)\n $TYPE $VAR;\n ...\n}\n" + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "(Object|Serializable|Comparable)" + } + }, + { + "pattern": "$OM.readValue($JSON, $CLASS.class);" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "class $CLASS {\n ...\n ObjectMapper $OM;\n ...\n $INITMETHODTYPE $INITMETHOD(...) {\n ...\n $OM = new ObjectMapper();\n ...\n $OM.enableDefaultTyping();\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "$METHODTYPE $METHOD(...) {\n ... \n}\n" + }, + { + "pattern": "$OM.readValue($JSON, ...);" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.servletresponse-writer-xss", + "languages": [ + "java" + ], + "message": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-inside": "$TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... }" + }, + { + "pattern-inside": "$VAR = $REQ.getParameter(...); ..." + }, + { + "pattern-either": [ + { + "pattern": "$RESP.getWriter(...).write(..., $VAR, ...);" + }, + { + "pattern": "$WRITER = $RESP.getWriter(...);\n...\n$WRITER.write(..., $VAR, ...);\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.use-snakeyaml-constructor", + "languages": [ + "java" + ], + "message": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "snakeyaml" + ] + }, + "patterns": [ + { + "pattern": "$Y = new org.yaml.snakeyaml.Yaml();\n...\n$Y.load(...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.xmlinputfactory-external-entities-enabled", + "languages": [ + "java" + ], + "message": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(\"javax.xml.stream.isSupportingExternalEntities\", true);" + }, + { + "pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);" + }, + { + "pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(\"javax.xml.stream.isSupportingExternalEntities\", Boolean.TRUE);" + }, + { + "pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.xmlinputfactory-possible-xxe", + "languages": [ + "java" + ], + "message": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf", + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", false);\n ...\n}\n" + }, + { + "pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);\n ...\n}\n" + }, + { + "pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", Boolean.FALSE);\n ...\n}\n" + }, + { + "pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);\n ...\n}\n" + }, + { + "pattern-either": [ + { + "pattern": "javax.xml.stream.XMLInputFactory.newFactory(...)" + }, + { + "pattern": "new XMLInputFactory(...)" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.anonymous-ldap-bind", + "languages": [ + "java" + ], + "message": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-287: Improper Authentication" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A02:2017 - Broken Authentication", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern": "$ENV.put($CTX.SECURITY_AUTHENTICATION, \"none\");\n...\n$DCTX = new InitialDirContext($ENV, ...);\n", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.bad-hexa-conversion", + "languages": [ + "java" + ], + "message": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-704: Incorrect Type Conversion or Cast" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": "A03:2017 - Sensitive Data Exposure", + "references": [ + "https://cwe.mitre.org/data/definitions/704.html" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern": "$X $METHOD(...) {\n ...\n MessageDigest $MD = ...;\n ...\n $MD.digest(...);\n ...\n Integer.toHexString(...);\n}", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.blowfish-insufficient-key-size", + "languages": [ + "java" + ], + "message": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "$KEYGEN = KeyGenerator.getInstance(\"Blowfish\");\n...\n$KEYGEN.init($SIZE);\n" + }, + { + "metavariable-comparison": { + "comparison": "$SIZE < 128", + "metavariable": "$SIZE" + } + } + ], + "severity": "WARNING" + }, + { + "fix": "\"AES/GCM/NoPadding\"\n", + "id": "vendored-rules.java.lang.security.audit.cbc-padding-oracle", + "languages": [ + "java" + ], + "message": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://capec.mitre.org/data/definitions/463.html", + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes", + "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-inside": "Cipher.getInstance(\"=~/.*\\/CBC\\/PKCS5Padding/\")" + }, + { + "pattern": "\"=~/.*\\/CBC\\/PKCS5Padding/\"\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.command-injection-formatted-runtime-call", + "languages": [ + "java" + ], + "message": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "metavariable-pattern": { + "metavariable": "$RUNTIME", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(java.lang.Runtime $R)" + }, + { + "pattern": "java.lang.Runtime.getRuntime(...)" + } + ] + } + ] + } + }, + { + "pattern-either": [ + { + "pattern": "$RUNTIME.exec($X + $Y);" + }, + { + "pattern": "$RUNTIME.exec(String.format(...));" + }, + { + "pattern": "$RUNTIME.loadLibrary($X + $Y);" + }, + { + "pattern": "$RUNTIME.loadLibrary(String.format(...));" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RUNTIME.exec(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $ARG,...)\n" + }, + { + "pattern": "$RUNTIME.exec(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...),...)\n" + }, + { + "pattern": "$RUNTIME.exec(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...},...)\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RUNTIME.exec($CMD,\"-c\",$ARG,...)\n" + }, + { + "pattern": "$RUNTIME.exec(Arrays.asList($CMD,\"-c\",$ARG,...),...)\n" + }, + { + "pattern": "$RUNTIME.exec(new String[]{$CMD,\"-c\",$ARG,...},...)\n" + } + ] + }, + { + "pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\";\n...\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RUNTIME.exec($CMD, $EXECUTE, $ARG, ...)\n" + } + ] + }, + { + "pattern-inside": "$CMD = new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", ...};\n...\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RUNTIME.exec(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", $BASH, $ARG,...)\n" + }, + { + "pattern": "$RUNTIME.exec(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",$BASH,$ARG,...),...)\n" + }, + { + "pattern": "$RUNTIME.exec(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",$BASH,$ARG,...},...)\n" + } + ] + }, + { + "pattern-inside": "$BASH = new String[]{\"=~/(-c)/\", ...};\n...\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "$ARG = \"...\";\n...\n" + }, + { + "pattern-not": "$RUNTIME.exec(\"...\",\"...\",\"...\",...)\n" + }, + { + "pattern-not": "$RUNTIME.exec(new String[]{\"...\",\"...\",\"...\",...},...)\n" + }, + { + "pattern-not": "$RUNTIME.exec(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.command-injection-process-builder", + "languages": [ + "java" + ], + "message": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern": "new ProcessBuilder($CMD,...)\n" + }, + { + "pattern-not-inside": "$CMD = \"...\";\n...\n" + }, + { + "pattern-not-inside": "$CMD = Arrays.asList(\"...\",...);\n...\n" + }, + { + "pattern-not-inside": "$CMD = new String[]{\"...\",...};\n...\n" + }, + { + "pattern-not": "new ProcessBuilder(\"...\",...)\n" + }, + { + "pattern-not": "new ProcessBuilder(new String[]{\"...\",...},...)\n" + }, + { + "pattern-not": "new ProcessBuilder(Arrays.asList(\"...\",...),...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern": "$PB.command($CMD,...)\n" + }, + { + "pattern-inside": "$TYPE $PB = new ProcessBuilder(...);\n...\n" + }, + { + "pattern-not-inside": "$CMD = \"...\";\n...\n" + }, + { + "pattern-not-inside": "$CMD = Arrays.asList(\"...\",...);\n...\n" + }, + { + "pattern-not-inside": "$CMD = new String[]{\"...\",...};\n...\n" + }, + { + "pattern-not": "$PB.command(\"...\",...)\n" + }, + { + "pattern-not": "$PB.command(new String[]{\"...\",...},...)\n" + }, + { + "pattern-not": "$PB.command(Arrays.asList(\"...\",...),...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new ProcessBuilder(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...)\n" + }, + { + "pattern": "new ProcessBuilder(\"cmd\",\"/c\",$ARG,...)\n" + }, + { + "pattern": "new ProcessBuilder(Arrays.asList(\"cmd\",\"/c\",$ARG,...),...)\n" + }, + { + "pattern": "new ProcessBuilder(new String[]{\"cmd\",\"/c\",$ARG,...},...)\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new ProcessBuilder($CMD,\"/c\",$ARG,...)\n" + }, + { + "pattern": "new ProcessBuilder(Arrays.asList($CMD,\"/c\",$ARG,...),...)\n" + }, + { + "pattern": "new ProcessBuilder(new String[]{$CMD,\"/c\",$ARG,...},...)\n" + } + ] + }, + { + "pattern-inside": "$CMD = \"cmd\";\n...\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "$ARG = \"...\";\n...\n" + }, + { + "pattern-not": "new ProcessBuilder(\"...\",\"...\",\"...\",...)\n" + }, + { + "pattern-not": "new ProcessBuilder(new String[]{\"...\",\"...\",\"...\",...},...)\n" + }, + { + "pattern-not": "new ProcessBuilder(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$PB.command(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...)\n" + }, + { + "pattern": "$PB.command(\"cmd\",\"/c\",$ARG,...)\n" + }, + { + "pattern": "$PB.command(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...),...)\n" + }, + { + "pattern": "$PB.command(Arrays.asList(\"cmd\",\"/c\",$ARG,...),...)\n" + }, + { + "pattern": "$PB.command(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...},...)\n" + }, + { + "pattern": "$PB.command(new String[]{\"cmd\",\"/c\",$ARG,...},...)\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$PB.command($CMD,\"-c\",$ARG,...)\n" + }, + { + "pattern": "$PB.command(Arrays.asList($CMD,\"-c\",$ARG,...),...)\n" + }, + { + "pattern": "$PB.command(new String[]{$CMD,\"-c\",$ARG,...},...)\n" + } + ] + }, + { + "pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\";\n...\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$PB.command($CMD,\"/c\",$ARG,...)\n" + }, + { + "pattern": "$PB.command(Arrays.asList($CMD,\"/c\",$ARG,...),...)\n" + }, + { + "pattern": "$PB.command(new String[]{$CMD,\"/c\",$ARG,...},...)\n" + } + ] + }, + { + "pattern-inside": "$CMD = \"cmd\";\n...\n" + } + ] + } + ] + }, + { + "pattern-inside": "$TYPE $PB = new ProcessBuilder(...);\n...\n" + }, + { + "pattern-not-inside": "$ARG = \"...\";\n...\n" + }, + { + "pattern-not": "$PB.command(\"...\",\"...\",\"...\",...)\n" + }, + { + "pattern-not": "$PB.command(new String[]{\"...\",\"...\",\"...\",...},...)\n" + }, + { + "pattern-not": "$PB.command(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.cookie-missing-httponly", + "languages": [ + "java" + ], + "message": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'", + "metadata": { + "asvs": { + "control_id": "3.4.2 Missing Cookie Attribute", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-not-inside": "$COOKIE.setValue(\"\"); ..." + }, + { + "pattern-either": [ + { + "pattern": "$COOKIE.setHttpOnly(false);" + }, + { + "patterns": [ + { + "pattern-not-inside": "$COOKIE.setHttpOnly(...); ..." + }, + { + "pattern-not-inside": "$COOKIE = ResponseCookie.from(...). ...; ..." + }, + { + "pattern": "$RESPONSE.addCookie($COOKIE);" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.cookie-missing-secure-flag", + "languages": [ + "java" + ], + "message": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'", + "metadata": { + "asvs": { + "control_id": "3.4.1 Missing Cookie Attribute", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-not-inside": "$COOKIE.setValue(\"\"); ..." + }, + { + "pattern-either": [ + { + "pattern": "$COOKIE.setSecure(false);" + }, + { + "patterns": [ + { + "pattern-not-inside": "$COOKIE.setSecure(...); ..." + }, + { + "pattern-not-inside": "$COOKIE = ResponseCookie.from(...). ...; ..." + }, + { + "pattern": "$RESPONSE.addCookie($COOKIE);" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crlf-injection-logs", + "languages": [ + "java" + ], + "message": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "class $CLASS {\n ...\n Logger $LOG = ...;\n ...\n}\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "$X $METHOD(...,HttpServletRequest $REQ,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...,ServletRequest $REQ,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n HttpServletRequest $REQ = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n ServletRequest $REQ = ...;\n ...\n}\n" + } + ] + } + ] + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n Logger $LOG = ...;\n ...\n HttpServletRequest $REQ = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n Logger $LOG = ...;\n ...\n ServletRequest $REQ = ...;\n ...\n}\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "String $VAL = $REQ.getParameter(...);\n...\n$LOG.$LEVEL(<... $VAL ...>);\n" + }, + { + "pattern": "String $VAL = $REQ.getParameter(...);\n...\n$LOG.log($LEVEL,<... $VAL ...>);\n" + }, + { + "pattern": "$LOG.$LEVEL(<... $REQ.getParameter(...) ...>);\n" + }, + { + "pattern": "$LOG.log($LEVEL,<... $REQ.getParameter(...) ...>);\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.dangerous-groovy-shell", + "languages": [ + "java" + ], + "message": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL", + "subcategory": [ + "audit" + ], + "technology": [ + "groovy" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SHELL.parse(...)\n" + }, + { + "pattern": "$SHELL.evaluate(...)\n" + }, + { + "pattern": "$SHELL.parseClass(...)\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "groovy.lang.GroovyShell $SHELL = ...;\n...\n" + }, + { + "pattern-inside": "groovy.lang.GroovyClassLoader $SHELL = ...;\n...\n" + } + ] + }, + { + "pattern-not": "$SHELL.parse(\"...\",...)\n" + }, + { + "pattern-not": "$SHELL.evaluate(\"...\",...)\n" + }, + { + "pattern-not": "$SHELL.parseClass(\"...\",...)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.el-injection", + "languages": [ + "java" + ], + "message": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "class $CLASS {\n ...\n ExpressionFactory $EF;\n ...\n $X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "class $CLASS {\n ...\n ExpressionFactory $EF = ...;\n ...\n $X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ExpressionFactory $EF = ...;\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ExpressionFactory $EF,...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n}\n" + }, + { + "pattern": "class $CLASS {\n ...\n ExpressionFactory $EF;\n ...\n $X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "class $CLASS {\n ...\n ExpressionFactory $EF = ...;\n ...\n $X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ExpressionFactory $EF = ...;\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ExpressionFactory $EF,...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(String $INPUT, ...) {\n ...\n $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...);\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $EF.createValueExpression($CTX,$S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $EF.createMethodExpression($CTX,$S,...);\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.formatted-sql-string", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "asvs": { + "control_id": "5.3.5 Injection", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", + "https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps", + "https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "options": { + "taint_assume_safe_booleans": true, + "taint_assume_safe_numbers": true + }, + "pattern-propagators": [ + { + "from": "$X", + "pattern": "(StringBuffer $S).append($X)", + "to": "$S" + }, + { + "from": "$X", + "pattern": "(StringBuilder $S).append($X)", + "to": "$S" + } + ], + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern": "(CriteriaBuilder $CB).$ANY(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-not": "$S.$SQLFUNC(<... \"=~/.*TABLE *$/\" ...>)" + }, + { + "pattern-not": "$S.$SQLFUNC(<... \"=~/.*TABLE %s$/\" ...>)" + }, + { + "pattern-either": [ + { + "pattern": "(Statement $S).$SQLFUNC(...)" + }, + { + "pattern": "(PreparedStatement $P).$SQLFUNC(...)" + }, + { + "pattern": "(Connection $C).createStatement(...).$SQLFUNC(...)" + }, + { + "pattern": "(Connection $C).prepareStatement(...).$SQLFUNC(...)" + }, + { + "pattern": "(EntityManager $EM).$SQLFUNC(...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLFUNC", + "regex": "execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare" + } + } + ], + "requires": "CONCAT" + } + ], + "pattern-sources": [ + { + "label": "INPUT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(HttpServletRequest $REQ)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$ANNOT $FUNC (..., $INPUT, ...) {\n ...\n}\n" + }, + { + "pattern": "(String $INPUT)" + } + ] + } + ] + }, + { + "focus-metavariable": "$INPUT" + } + ] + }, + { + "label": "CONCAT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X + $INPUT" + }, + { + "pattern": "$X += $INPUT" + }, + { + "pattern": "$STRB.append($INPUT)" + }, + { + "pattern": "String.format(..., $INPUT, ...)" + }, + { + "pattern": "String.join(..., $INPUT, ...)" + }, + { + "pattern": "(String $STR).concat($INPUT)" + }, + { + "pattern": "$INPUT.concat(...)" + }, + { + "pattern": "new $STRB(..., $INPUT, ...)" + } + ] + } + ], + "requires": "INPUT" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.http-response-splitting", + "languages": [ + "java" + ], + "message": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://www.owasp.org/index.php/HTTP_Response_Splitting" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "$VAR = $REQ.getParameter(...);\n...\n$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n" + }, + { + "patterns": [ + { + "pattern-inside": "$RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {\n ...\n}\n" + }, + { + "pattern": "$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n" + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.java.lang.security.audit.insecure-smtp-connection", + "languages": [ + "java" + ], + "message": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-297: Improper Validation of Certificate with Host Mismatch" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-not-inside": "$EMAIL.setSSLCheckServerIdentity(true);\n...\n" + }, + { + "pattern-inside": "$EMAIL = new SimpleEmail(...);\n...\n" + }, + { + "pattern": "$EMAIL.send(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.java-reverse-shell", + "languages": [ + "java" + ], + "message": "Semgrep found potential reverse shell behavior", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Socket $S=new Socket(...);\n...\nInputStream $SI = $S.getInputStream();\n...\nwhile(!$S.isClosed())\n{\n ...\n while($SI.available()>0)$PO.write($SI.read());\n ...\n $SO.flush();\n ...\n}\n" + } + ] + }, + { + "pattern-inside": "Process $P=new ProcessBuilder(...).redirectErrorStream(true).start();\n...\n$P.destroy();\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.jdbc-sql-formatted-string", + "languages": [ + "java" + ], + "message": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'", + "metadata": { + "asvs": { + "control_id": "5.3.5 Injection", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC", + "subcategory": [ + "audit" + ], + "technology": [ + "jdbc" + ] + }, + "patterns": [ + { + "pattern-inside": "$JDBC = new JdbcTemplate(...);\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$JDBC.queryForObject($STR + $VAR, ...);" + }, + { + "pattern": "$JDBC.queryForObject(String.format(...), ...);" + }, + { + "pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.queryForObject($Q, ...);\n" + }, + { + "pattern": "String $Q = String.format(...);\n...\n$JDBC.queryForObject($Q, ...);\n" + }, + { + "pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.queryForObject($Q, ...);\n" + }, + { + "pattern": "$JDBC.queryForList($STR + $VAR);" + }, + { + "pattern": "$JDBC.queryForList(String.format(...));" + }, + { + "pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.queryForList($Q);\n" + }, + { + "pattern": "String $Q = String.format(...);\n...\n$JDBC.queryForList($Q);\n" + }, + { + "pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.queryForList($Q, ...);\n" + }, + { + "pattern": "$JDBC.update($STR + $VAR);" + }, + { + "pattern": "$JDBC.update(String.format(...));" + }, + { + "pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.update($Q);\n" + }, + { + "pattern": "String $Q = String.format(...);\n...\n$JDBC.update($Q);\n" + }, + { + "pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.update($Q, ...);\n" + }, + { + "pattern": "$JDBC.execute($STR + $VAR);" + }, + { + "pattern": "$JDBC.execute(String.format(...));" + }, + { + "pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.execute($Q);\n" + }, + { + "pattern": "String $Q = String.format(...);\n...\n$JDBC.execute($Q);\n" + }, + { + "pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.execute($Q, ...);\n" + }, + { + "pattern": "$JDBC.insert($STR + $VAR);" + }, + { + "pattern": "$JDBC.insert(String.format(...));" + }, + { + "pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.insert($Q);\n" + }, + { + "pattern": "String $Q = String.format(...);\n...\n$JDBC.insert($Q);\n" + }, + { + "pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.insert($Q, ...);\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.ldap-entry-poisoning", + "languages": [ + "java" + ], + "message": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.", + "metadata": { + "asvs": { + "control_id": "5.3.7 Injection", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf", + "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "new SearchControls($S, $CL, $TL, $AT, true, $DEREF)\n" + }, + { + "pattern": "SearchControls $VAR = new SearchControls();\n...\n$VAR.setReturningObjFlag(true);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.ldap-injection", + "languages": [ + "java" + ], + "message": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.", + "metadata": { + "asvs": { + "control_id": "5.3.7 Injection", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$X $METHOD(...) {\n ...\n InitialDirContext $CTX = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n DirContext $CTX = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n InitialLdapContext $CTX = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n LdapContext $CTX = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n LdapCtx $CTX = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n EventDirContext $CTX = ...;\n ...\n}\n" + } + ] + }, + { + "pattern": "$X $METHOD(...) {\n ...\n $CTX.search($Y,$INPUT,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $CTX.search($Y,\"...\",...);\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.md5-used-as-password", + "languages": [ + "java" + ], + "message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html", + "https://github.com/returntocorp/semgrep-rules/issues/1609", + "https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory", + "https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "md5" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$MODEL.$METHOD(...);" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "(?i)(.*password.*)" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "$TYPE $MD = MessageDigest.getInstance(\"MD5\");\n...\n" + }, + { + "pattern": "$MD.digest(...);" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.object-deserialization", + "languages": [ + "java" + ], + "message": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://www.owasp.org/index.php/Deserialization_of_untrusted_data", + "https://www.oracle.com/java/technologies/javase/seccodeguide.html#8" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern": "new ObjectInputStream(...);", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.ognl-injection", + "languages": [ + "java" + ], + "message": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "ognl" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.translateVariablesCollection($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.shallBeIncluded($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.commaDelimitedStringToSet($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,TextParser $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlTextParser $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.callMethod($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.compile($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,VelocityStrutsUtil $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.isTrue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.findString($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.getText($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.makeSelectList($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,OgnlTool $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.findString($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.setParameter($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.translateVariablesCollection($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.shallBeIncluded($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.commaDelimitedStringToSet($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n TextParser $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlTextParser $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.callMethod($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.compile($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n VelocityStrutsUtil $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.isTrue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.findString($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.getText($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.makeSelectList($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n OgnlTool $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.findString($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.setParameter($INPUT,...);\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.getGetMethod($T,\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.getSetMethod($T,\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.getField($T,\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.setProperties(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.setProperty(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.getValue(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.setValue(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.translateVariables(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.translateVariablesCollection(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.shallBeIncluded(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.commaDelimitedStringToSet(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.evaluate(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.callMethod(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.compile(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.isTrue(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.findString(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.findValue(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.getText(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.makeSelectList(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $P.setParameter(\"...\",...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getGetMethod($T,$S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getSetMethod($T,$S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getField($T,$S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setProperties($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setProperty($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getValue($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setValue($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.translateVariables($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.translateVariablesCollection($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.shallBeIncluded($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.commaDelimitedStringToSet($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.evaluate($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.callMethod($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.compile($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.isTrue($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.findString($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.findValue($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getText($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.makeSelectList($S,...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setParameter($S,...);\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.overly-permissive-file-permission", + "languages": [ + "java" + ], + "message": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-276: Incorrect Default Permissions" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString(\"=~/(^......r..$)|(^.......w.$)|(^........x$)/\"));" + }, + { + "pattern": "$TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString(\"=~/(^......r..$)|(^.......w.$)|(^........x$)/\");\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n" + }, + { + "pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n" + }, + { + "pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n" + }, + { + "pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.permissive-cors", + "languages": [ + "java" + ], + "message": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.", + "metadata": { + "asvs": { + "control_id": "14.4.8 Permissive CORS", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements", + "section": "V14: Configuration Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-183: Permissive List of Allowed Inputs" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "HttpServletResponse $RES = ...;\n...\n$RES.addHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n" + }, + { + "pattern": "HttpServletResponse $RES = ...;\n...\n$RES.setHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n" + }, + { + "pattern": "ServerHttpResponse $RES = ...;\n...\n$RES.getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n" + }, + { + "pattern": "HttpHeaders $HEADERS = ...;\n...\n$HEADERS.set(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n" + }, + { + "pattern": "ServerWebExchange $SWE = ...;\n...\n$SWE.getResponse().getHeaders().add(\"Access-Control-Allow-Origin\", \"*\");\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.setHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ServerHttpResponse $RES,...) {\n ...\n $RES.getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,ServerWebExchange $SWE,...) {\n ...\n $SWE.getResponse().getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n" + }, + { + "pattern": "ResponseEntity.$RES().header(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\")" + }, + { + "pattern": "ServerResponse.$RES().header(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\")" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.script-engine-injection", + "languages": [ + "java" + ], + "message": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $CLASS {\n ...\n ScriptEngine $SE;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n ScriptEngine $SE = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n ScriptEngine $SE = ...;\n ...\n}\n" + } + ] + }, + { + "pattern": "$X $METHOD(...) {\n ...\n $SE.eval(...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $SE.eval(\"...\");\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $SE.eval($S);\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.tainted-cmd-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(ProcessBuilder $PB) = ...;\n" + }, + { + "patterns": [ + { + "pattern": "(Process $P) = ...;\n" + }, + { + "pattern-not": "(Process $P) = (java.lang.Runtime $R).exec(...);\n" + } + ] + }, + { + "patterns": [ + { + "pattern": "(java.lang.Runtime $R).exec($CMD, ...);" + }, + { + "focus-metavariable": "$CMD" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n...\n$PB.command($ARGLIST);\n" + }, + { + "pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n" + }, + { + "pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(Process $P) = ...;\n" + } + ] + }, + { + "pattern": "$ARGLIST.add(...);\n" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(HttpServletRequest $REQ)\n" + }, + { + "patterns": [ + { + "pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n" + }, + { + "pattern": "$COOKIE.getValue(...)\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.tainted-env-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-454: External Initialization of Trusted Variables or Data Stores" + ], + "cwe2021-top25": false, + "cwe2022-top25": false, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "(java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);" + }, + { + "focus-metavariable": "$ENV_ARGS" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(HttpServletRequest $REQ)\n" + }, + { + "patterns": [ + { + "pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n" + }, + { + "pattern": "$COOKIE.getValue(...)\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.tainted-ldapi-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(javax.naming.directory.InitialDirContext $IDC).search(...)\n" + }, + { + "pattern": "(javax.naming.directory.DirContext $CTX).search(...)\n" + } + ] + }, + { + "pattern-not": "(javax.naming.directory.InitialDirContext $IDC).search($Y, \"...\", ...)\n" + }, + { + "pattern-not": "(javax.naming.directory.DirContext $CTX).search($Y, \"...\", ...)\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "(HttpServletRequest $REQ)" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.tainted-session-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-501: Trust Boundary Violation" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "(HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE);" + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "^(putValue|setAttribute)$" + } + }, + { + "focus-metavariable": "$VALUE" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "(HttpServletRequest $REQ).$FUNC(...)\n" + }, + { + "pattern-not": "(HttpServletRequest $REQ).getSession()\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n" + }, + { + "pattern": "$COOKIE.getValue(...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... );\n...\n" + }, + { + "pattern": "$PARAM = $VALS[$INDEX];\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$HEADERS = (HttpServletRequest $REQ).getHeaders(...);\n...\n$PARAM = $HEADERS.$FUNC(...);\n...\n" + }, + { + "pattern": "java.net.URLDecoder.decode($PARAM, ...)\n" + } + ] + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.tainted-xpath-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(javax.xml.xpath.XPath $XP).evaluate(...)\n" + }, + { + "pattern": "(javax.xml.xpath.XPath $XP).compile(...).evaluate(...)\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "(HttpServletRequest $REQ).$FUNC(...)\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.unsafe-reflection", + "languages": [ + "java" + ], + "message": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "Class.forName($CLASS,...)\n" + }, + { + "pattern-not": "Class.forName(\"...\",...)\n" + }, + { + "pattern-not-inside": "$CLASS = \"...\";\n...\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.unvalidated-redirect", + "languages": [ + "java" + ], + "message": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.", + "metadata": { + "asvs": { + "control_id": "5.1.5 Open Redirect", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "LOW", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n ...\n $RES.sendRedirect($URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n ...\n $RES.sendRedirect($URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.sendRedirect($URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.sendRedirect($URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.sendRedirect($URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n $RES.sendRedirect($REQ.getParameter(...));\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n $RES.sendRedirect($REQ.getParameter(...));\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"Location\",$REQ.getParameter(...));\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n $RES.addHeader(\"Location\",$REQ.getParameter(...));\n ...\n}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.url-rewriting", + "languages": [ + "java" + ], + "message": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeURL(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeUrl(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeRedirectURL(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeRedirectUrl(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeURL(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeUrl(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeRedirectURL(...);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeRedirectUrl(...);\n ...\n}" + } + ], + "severity": "WARNING" + }, + { + "fix-regex": { + "regex": "(.*?)\\.getInstance\\(.*?\\)", + "replacement": "\\1.getInstance(\"TLSv1.2\")" + }, + "id": "vendored-rules.java.lang.security.audit.weak-ssl-context", + "languages": [ + "java" + ], + "message": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://tools.ietf.org/html/rfc7568", + "https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html" + ], + "source_rule_url": "https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-not": "SSLContext.getInstance(\"TLSv1.3\")" + }, + { + "pattern-not": "SSLContext.getInstance(\"TLSv1.2\")" + }, + { + "pattern": "SSLContext.getInstance(\"...\")" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xml-decoder", + "languages": [ + "java" + ], + "message": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XML_DECODER", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "$X $METHOD(...) {\n ...\n new XMLDecoder(...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n new XMLDecoder(\"...\");\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $STR = \"...\";\n ...\n new XMLDecoder($STR);\n ...\n}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xssrequestwrapper-is-insecure", + "languages": [ + "java" + ], + "message": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "class XSSRequestWrapper extends HttpServletRequestWrapper {\n ...\n}\n" + }, + { + "pattern": "$P = $X.compile(\"\", $X.CASE_INSENSITIVE);\n$V = $P.matcher(...).replaceAll(\"\");" + } + ], + "severity": "WARNING" + }, + { + "fix": "\"AES/GCM/NoPadding\"\n", + "id": "vendored-rules.java.lang.security.audit.crypto.des-is-deprecated", + "languages": [ + "java", + "kt" + ], + "message": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "functional-categories": [ + "crypto::search::symmetric-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard", + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#DES_USAGE", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$CIPHER.getInstance(\"=~/DES/.*/\")" + }, + { + "pattern-inside": "$CIPHER.getInstance(\"DES\")" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "\"=~/DES/.*/\"\n" + }, + { + "pattern": "\"DES\"\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.desede-is-deprecated", + "languages": [ + "java", + "kt" + ], + "message": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "functional-categories": [ + "crypto::search::symmetric-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$CIPHER.getInstance(\"=~/DESede.*/\")\n" + }, + { + "pattern": "$CRYPTO.KeyGenerator.getInstance(\"DES\")\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.ecb-cipher", + "languages": [ + "java" + ], + "message": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::mode::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "Cipher $VAR = $CIPHER.getInstance($MODE);\n" + }, + { + "metavariable-regex": { + "metavariable": "$MODE", + "regex": ".*ECB.*" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.gcm-detection", + "languages": [ + "java" + ], + "message": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-323: Reusing a Nonce, Key Pair in Encryption" + ], + "functional-categories": [ + "crypto::search::randomness::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/323.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$METHOD.getInstance(\"AES/GCM/NoPadding\",...);" + }, + { + "pattern": "new GCMParameterSpec(...);" + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.gcm-nonce-reuse", + "languages": [ + "java" + ], + "message": "GCM IV/nonce is reused: encryption can be totally useless", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-323: Reusing a Nonce, Key Pair in Encryption" + ], + "functional-categories": [ + "crypto::search::randomness::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://www.youtube.com/watch?v=r1awgAl90wM", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new GCMParameterSpec(..., \"...\".getBytes(...), ...);" + }, + { + "pattern": "byte[] $NONCE = \"...\".getBytes(...); ... new GCMParameterSpec(..., $NONCE, ...);" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.no-null-cipher", + "languages": [ + "java" + ], + "message": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new NullCipher(...);" + }, + { + "pattern": "new javax.crypto.NullCipher(...);" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.no-static-initialization-vector", + "languages": [ + "java" + ], + "message": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-329: Generation of Predictable IV with CBC Mode" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cwe.mitre.org/data/definitions/329.html" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#STATIC_IV", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "byte[] $IV = {\n ...\n};\n...\nnew IvParameterSpec($IV, ...);\n" + }, + { + "pattern": "class $CLASS {\n byte[] $IV = {\n ...\n };\n ...\n $METHOD(...) {\n ...\n new IvParameterSpec($IV, ...);\n ...\n }\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.rsa-no-padding", + "languages": [ + "java", + "kt" + ], + "message": "Using RSA without OAEP mode weakens the encryption.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "functional-categories": [ + "crypto::search::mode::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING", + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "kotlin" + ] + }, + "pattern": "$CIPHER.getInstance(\"=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/\")", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.unencrypted-socket", + "languages": [ + "java" + ], + "message": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "functional-categories": [ + "net::search::crypto-config::java.net" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "new ServerSocket(...)" + }, + { + "pattern": "new Socket(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-aes-ecb", + "languages": [ + "java" + ], + "message": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::mode::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures", + "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern": "$CIPHER.getInstance(\"=~/AES/ECB.*/\")", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-blowfish", + "languages": [ + "java" + ], + "message": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::symmetric-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures", + "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern": "$CIPHER.getInstance(\"Blowfish\")", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-default-aes", + "languages": [ + "java" + ], + "message": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::mode::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures", + "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import javax;\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "javax.crypto.Cipher.getInstance(\"AES\")" + }, + { + "pattern": "(javax.crypto.Cipher $CIPHER).getInstance(\"AES\")" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import javax.*;\n...\n" + }, + { + "pattern-inside": "import javax.crypto;\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "crypto.Cipher.getInstance(\"AES\")" + }, + { + "pattern": "(crypto.Cipher $CIPHER).getInstance(\"AES\")" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import javax.crypto.*;\n...\n" + }, + { + "pattern-inside": "import javax.crypto.Cipher;\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "Cipher.getInstance(\"AES\")" + }, + { + "pattern": "(Cipher $CIPHER).getInstance(\"AES\")" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "fix": "getSha512Digest\n", + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-md5-digest-utils", + "languages": [ + "java" + ], + "message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-328: Use of Weak Hash" + ], + "functional-categories": [ + "crypto::search::hash-algorithm::org.apache.commons" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "$DU.$GET_ALGO().digest(...)\n" + }, + { + "metavariable-pattern": { + "metavariable": "$GET_ALGO", + "pattern": "getMd5Digest" + } + }, + { + "metavariable-pattern": { + "metavariable": "$DU", + "pattern": "DigestUtils" + } + }, + { + "focus-metavariable": "$GET_ALGO" + } + ], + "severity": "WARNING" + }, + { + "fix": "\"SHA-512\"\n", + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-md5", + "languages": [ + "java" + ], + "message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-328: Use of Weak Hash" + ], + "functional-categories": [ + "crypto::search::hash-algorithm::java.security" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "java.security.MessageDigest.getInstance($ALGO, ...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$ALGO", + "regex": "(.MD5.)" + } + }, + { + "focus-metavariable": "$ALGO" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-rc2", + "languages": [ + "java" + ], + "message": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::symmetric-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures", + "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern": "$CIPHER.getInstance(\"RC2\")", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-rc4", + "languages": [ + "java" + ], + "message": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "functional-categories": [ + "crypto::search::symmetric-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures", + "https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern": "$CIPHER.getInstance(\"RC4\")", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-sha1", + "languages": [ + "java" + ], + "message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-328: Use of Weak Hash" + ], + "functional-categories": [ + "crypto::search::hash-algorithm::javax.crypto" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern": "java.security.MessageDigest.getInstance(\"$ALGO\", ...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$ALGO", + "regex": "(SHA1|SHA-1)" + } + } + ] + }, + { + "pattern": "$DU.getSha1Digest().digest(...)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.weak-random", + "languages": [ + "java" + ], + "message": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-330: Use of Insufficiently Random Values" + ], + "functional-categories": [ + "crypto::search::randomness::java.security" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "new java.util.Random(...).$FUNC(...)\n" + }, + { + "pattern": "java.lang.Math.random(...)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.use-of-weak-rsa-key", + "languages": [ + "java" + ], + "message": "RSA keys should be at least 2048 bits based on NIST recommendation.", + "metadata": { + "asvs": { + "control_id": "6.2.5 Insecure Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "functional-categories": [ + "crypto::search::key-length::java.security" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE", + "subcategory": [ + "vuln" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern": "KeyPairGenerator $KEY = $G.getInstance(\"RSA\");\n...\n$KEY.initialize($BITS);\n" + }, + { + "metavariable-comparison": { + "comparison": "$BITS < 2048", + "metavariable": "$BITS" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests", + "languages": [ + "java" + ], + "message": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");", + "metadata": { + "asvs": { + "control_id": "6.2.2 Insecure Custom Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms", + "section": "V6 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern": "class $CLASS extends MessageDigest {\n ...\n}", + "severity": "WARNING" + }, + { + "fix-regex": { + "regex": "DefaultHttpClient", + "replacement": "HttpClientBuilder" + }, + "id": "vendored-rules.java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated", + "languages": [ + "java" + ], + "message": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.", + "metadata": { + "asvs": { + "control_id": "9.1.3 Weak TLS", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements", + "section": "V9 Communications Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-326: Inadequate Encryption Strength" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern": "new DefaultHttpClient(...);", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.ssl.insecure-hostname-verifier", + "languages": [ + "java" + ], + "message": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.", + "metadata": { + "asvs": { + "control_id": "9.2.1 Weak TLS", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements", + "section": "V9 Communications Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-295: Improper Certificate Validation" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "pattern": "class $CLASS implements HostnameVerifier {\n ...\n public boolean verify(...) { return true; }\n}\n" + }, + { + "pattern": "new HostnameVerifier(...){\n public boolean verify(...) {\n return true;\n }\n}" + }, + { + "pattern": "import org.apache.http.conn.ssl.NoopHostnameVerifier;" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.crypto.ssl.insecure-trust-manager", + "languages": [ + "java" + ], + "message": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.", + "metadata": { + "asvs": { + "control_id": "9.2.1 Weak TLS", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements", + "section": "V9 Communications Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-295: Improper Certificate Validation" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER", + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $CLASS implements X509TrustManager {\n ...\n}\n" + }, + { + "pattern-inside": "new X509TrustManager() {\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS implements X509ExtendedTrustManager {\n ...\n}\n" + }, + { + "pattern-inside": "new X509ExtendedTrustManager() {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "public void checkClientTrusted(...) { $SOMETHING; }" + }, + { + "pattern-not": "public void checkServerTrusted(...) { $SOMETHING; }" + }, + { + "pattern-either": [ + { + "pattern": "public void checkClientTrusted(...) {}" + }, + { + "pattern": "public void checkServerTrusted(...) {}" + }, + { + "pattern": "public X509Certificate[] getAcceptedIssuers(...) { return null; }" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.hibernate-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "asvs": { + "control_id": "5.3.5 Insecure Custom Algorithm", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements", + "section": "V5 Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE", + "subcategory": [ + "audit" + ], + "technology": [ + "hibernate" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "org.hibernate.criterion.Restrictions.sqlRestriction($SQL,...)" + } + ] + }, + { + "pattern": "org.hibernate.criterion.Restrictions.sqlRestriction(String.format(...),...)" + }, + { + "patterns": [ + { + "pattern": "org.hibernate.criterion.Restrictions.sqlRestriction($X + $Y,...)" + }, + { + "pattern-not": "org.hibernate.criterion.Restrictions.sqlRestriction(\"...\" + \"...\",...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$SESSION.$METHOD($SQL,...)" + } + ] + }, + { + "pattern": "$SESSION.$METHOD(String.format(...),...);\n" + }, + { + "pattern": "$SESSION.$METHOD($X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "org.hibernate.Session $SESSION = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,org.hibernate.Session $SESSION,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$SESSION.$METHOD(\"...\" + \"...\",...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(createQuery|createSQLQuery)$" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.jdbc-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jdbc" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$S.$METHOD($SQL,...)" + } + ] + }, + { + "pattern": "$S.$METHOD(String.format(...),...);\n" + }, + { + "pattern": "$S.$METHOD($X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "java.sql.Statement $S = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,java.sql.Statement $S,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$S.$METHOD(\"...\" + \"...\",...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(executeQuery|execute|executeUpdate|executeLargeUpdate|addBatch|nativeSQL)$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.jdo-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$Q.$METHOD($SQL,...)" + } + ] + }, + { + "pattern": "$Q.$METHOD(String.format(...),...);\n" + }, + { + "pattern": "$Q.$METHOD($X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "javax.jdo.Query $Q = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,javax.jdo.Query $Q,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$Q.$METHOD(\"...\" + \"...\",...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(setFilter|setGrouping)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$PM.newQuery(...,$SQL,...)" + } + ] + }, + { + "pattern": "$PM.newQuery(...,String.format(...),...);\n" + }, + { + "pattern": "$PM.newQuery(...,$X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "javax.jdo.PersistenceManager $PM = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,javax.jdo.PersistenceManager $PM,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$PM.newQuery(...,\"...\" + \"...\",...);\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.jpa-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jpa" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$EM.$METHOD($SQL,...)" + } + ] + }, + { + "pattern": "$EM.$METHOD(String.format(...),...);\n" + }, + { + "pattern": "$EM.$METHOD($X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "EntityManager $EM = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,EntityManager $EM,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$EM.$METHOD(\"...\" + \"...\",...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(createQuery|createNativeQuery)$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.tainted-sql-from-http-request", + "languages": [ + "java" + ], + "message": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", + "https://owasp.org/www-community/attacks/SQL_Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "sql", + "java", + "servlets", + "spring" + ] + }, + "mode": "taint", + "options": { + "taint_assume_safe_booleans": true, + "taint_assume_safe_numbers": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(java.sql.CallableStatement $STMT) = ...; \n" + }, + { + "pattern": "(java.sql.Statement $STMT) = ...;\n...\n$OUTPUT = $STMT.$FUNC(...);\n" + }, + { + "pattern": "(java.sql.PreparedStatement $STMT) = ...;\n" + }, + { + "pattern": "$VAR = $CONN.prepareStatement(...)\n" + }, + { + "pattern": "$PATH.queryForObject(...);\n" + }, + { + "pattern": "(java.util.Map $STMT) = $PATH.queryForMap(...);\n" + }, + { + "pattern": "(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n" + }, + { + "pattern": "(org.springframework.jdbc.core.JdbcTemplate $TEMPL).batchUpdate(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "(String $SQL) = \"$SQLSTR\" + ...;\n...\n" + }, + { + "pattern": "$PATH.$SQLCMD(..., $SQL, ...);" + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)" + } + }, + { + "metavariable-regex": { + "metavariable": "$SQLCMD", + "regex": "(execute|query|executeUpdate|batchUpdate)" + } + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(HttpServletRequest $REQ).$REQFUNC(...)\n" + }, + { + "pattern": "(ServletRequest $REQ).$REQFUNC(...) \n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$REQFUNC", + "regex": "(getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString)" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.turbine-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "turbine" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$PEER.executeQuery($SQL,...)" + } + ] + }, + { + "pattern": "$PEER.executeQuery(String.format(...),...)\n" + }, + { + "pattern": "$PEER.executeQuery($X + $Y,...)\n" + } + ] + }, + { + "pattern-not": "$PEER.executeQuery(\"...\" + \"...\",...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$PEER", + "regex": "(BasePeer|GroupPeer)" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$P.executeQuery($SQL,...)" + } + ] + }, + { + "pattern": "$P.executeQuery(String.format(...),...)\n" + }, + { + "pattern": "$P.executeQuery($X + $Y,...)\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "BasePeer $P = ...;\n...\n" + }, + { + "pattern-inside": "GroupPeer $P = ...;\n...\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,GroupPeer $P,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$VAL $FUNC(...,BasePeer $P,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$P.executeQuery(\"...\" + \"...\",...)\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.sqli.vertx-sqli", + "languages": [ + "java" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "vertx" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "String $SQL = $X + $Y;\n...\n" + }, + { + "pattern-inside": "String $SQL = String.format(...);\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n" + }, + { + "pattern": "$SC.$METHOD($SQL,...)" + } + ] + }, + { + "pattern": "$SC.$METHOD(String.format(...),...);\n" + }, + { + "pattern": "$SC.$METHOD($X + $Y,...);\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "SqlClient $SC = ...;\n...\n" + }, + { + "pattern-inside": "SqlConnection $SC = ...;\n...\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,SqlClient $SC,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$TYPE $FUNC(...,SqlConnection $SC,...) {\n ...\n}\n" + } + ] + }, + { + "pattern-not": "$SC.$METHOD(\"...\" + \"...\",...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(query|preparedQuery|prepare)$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xss.jsf.autoescape-disabled", + "languages": [ + "regex" + ], + "message": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": "A07:2017 - Cross-Site Scripting (XSS)", + "references": [ + "https://stackoverflow.com/a/7442668" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jsf" + ] + }, + "paths": { + "include": [ + "*.html", + "*.xhtml" + ] + }, + "pattern-regex": ".*escape.*?=.*?false.*", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xss.jsp.no-scriptlets", + "languages": [ + "regex" + ], + "message": "JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://stackoverflow.com/a/3180202", + "https://stackoverflow.com/a/4948856" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jsp" + ] + }, + "paths": { + "include": [ + "*.jsp" + ] + }, + "pattern-regex": "\\<\\%[^\\@].*", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xss.jsp.use-escapexml", + "languages": [ + "regex" + ], + "message": "Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm", + "https://stackoverflow.com/a/4948856", + "https://stackoverflow.com/a/3180202" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jsp" + ] + }, + "paths": { + "include": [ + "*.jsp" + ] + }, + "pattern-regex": "\\$\\{(?!.*escapeXml).*\\}", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xss.jsp.use-jstl-escaping", + "languages": [ + "regex" + ], + "message": "Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm", + "https://stackoverflow.com/a/4948856", + "https://stackoverflow.com/a/3180202" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jsp" + ] + }, + "paths": { + "include": [ + "*.jsp" + ] + }, + "pattern-regex": "<(?![A-Za-z0-9]+:out).*?\\$\\{.*?\\}.*>", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false", + "languages": [ + "java" + ], + "message": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor", + "https://xerces.apache.org/xerces2-j/features.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "patterns": [ + { + "pattern": "$DBFACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", false);" + }, + { + "pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n}\n" + }, + { + "pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n}\n" + }, + { + "pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n ...\n}\n" + }, + { + "pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "fix": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newDocumentBuilder();\n", + "id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing", + "languages": [ + "java" + ], + "message": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor", + "https://xerces.apache.org/xerces2-j/features.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "by-side-effect": true, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n" + }, + { + "pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n" + }, + { + "pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n" + } + ] + }, + { + "focus-metavariable": "$FACTORY" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n true);\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n ...\n }\n ...\n}\n" + } + ] + }, + { + "pattern": "$M($X)" + }, + { + "focus-metavariable": "$X" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$FACTORY.newDocumentBuilder();" + } + ] + } + ], + "pattern-sources": [ + { + "by-side-effect": true, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY = DocumentBuilderFactory.newInstance();\n" + }, + { + "patterns": [ + { + "pattern": "$FACTORY" + }, + { + "pattern-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "fix": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);", + "id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true", + "languages": [ + "java" + ], + "message": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "pattern": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", true);", + "severity": "ERROR" + }, + { + "fix": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);", + "id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true", + "languages": [ + "java" + ], + "message": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "pattern": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", true);", + "severity": "ERROR" + }, + { + "fix": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newSAXParser();\n", + "id": "vendored-rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing", + "languages": [ + "java" + ], + "message": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor", + "https://xerces.apache.org/xerces2-j/features.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "by-side-effect": true, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n" + }, + { + "pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n" + }, + { + "pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n" + } + ] + }, + { + "focus-metavariable": "$FACTORY" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n true);\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n ...\n }\n ...\n}\n" + } + ] + }, + { + "pattern": "$M($X)" + }, + { + "focus-metavariable": "$X" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$FACTORY.newSAXParser();" + } + ] + } + ], + "pattern-sources": [ + { + "by-side-effect": true, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY = SAXParserFactory.newInstance();\n" + }, + { + "patterns": [ + { + "pattern": "$FACTORY" + }, + { + "pattern-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "fix": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"); $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n$FACTORY.newTransformer(...);\n", + "id": "vendored-rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled", + "languages": [ + "java" + ], + "message": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://semgrep.dev/blog/2022/xml-security-in-java", + "https://semgrep.dev/docs/cheat-sheets/java-xxe/", + "https://blog.sonarsource.com/secure-xml-processor", + "https://xerces.apache.org/xerces2-j/features.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "xml" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "by-side-effect": true, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\"); ...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n" + }, + { + "pattern": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n" + }, + { + "pattern": "$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\"); ...\n$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n" + }, + { + "pattern": "$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n...\n$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n" + } + ] + }, + { + "focus-metavariable": "$FACTORY" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n }\n ...\n}\n" + } + ] + }, + { + "pattern": "$M($X)" + }, + { + "focus-metavariable": "$X" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$FACTORY.newTransformer(...);" + } + ] + } + ], + "pattern-sources": [ + { + "by-side-effect": true, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$FACTORY = TransformerFactory.newInstance();\n" + }, + { + "patterns": [ + { + "pattern": "$FACTORY" + }, + { + "pattern-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n }\n ...\n}\n" + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.mongodb.security.injection.audit.mongodb-nosqli", + "languages": [ + "java" + ], + "message": "Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc.", + "metadata": { + "asvs": { + "control_id": "5.3.4 Injection Prevention", + "control_url": "https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention", + "section": "V5: Validation, Sanitization and Encoding Verification Requirements", + "version": "5" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-943: Improper Neutralization of Special Elements in Data Query Logic" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection", + "https://www.mongodb.com/docs/manual/tutorial/query-documents/", + "https://www.mongodb.com/docs/manual/reference/operator/query/where/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "nosql", + "mongodb" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(com.mongodb.BasicDBObject $QUERY).put(\"$where\", $INPUT);" + }, + { + "pattern": "(HashMap $MAP).put(\"$where\", $INPUT);\n...\n(com.mongodb.BasicDBObject $QUERY).putAll($MAP);\n" + }, + { + "pattern": "(com.mongodb.BasicDBObject $QUERY).append(\"$where\", $INPUT);" + }, + { + "pattern": "new com.mongodb.BasicDBObject(\"$where\", $INPUT);" + }, + { + "pattern": "(HashMap $MAP).put(\"$where\", $INPUT);\n...\nnew com.mongodb.BasicDBObject($MAP);\n" + }, + { + "pattern": "(HashMap $MAP).put(\"$where\", $INPUT);\n...\nString json = new JSONObject($MAP).toString();\n...\n(com.mongodb.BasicDBObject $QUERY).parse((String $JSON));\n" + }, + { + "pattern": "com.mongodb.BasicDBObjectBuilder.start().add(\"$where\", $INPUT);" + }, + { + "pattern": "com.mongodb.BasicDBObjectBuilder.start().append(\"$where\", $INPUT);" + }, + { + "pattern": "com.mongodb.BasicDBObjectBuilder.start(\"$where\", $INPUT);" + }, + { + "pattern": "(HashMap $MAP).put(\"$where\", $INPUT);\n...\ncom.mongodb.BasicDBObjectBuilder.start($MAP);\n" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$INPUT", + "patterns": [ + { + "pattern": "...\n" + }, + { + "pattern-not": "\"...\"\n" + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.rmi.security.server-dangerous-class-deserialization", + "languages": [ + "java" + ], + "message": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "rmi" + ] + }, + "patterns": [ + { + "pattern": "interface $INTERFACE extends Remote {\n $RETURNTYPE $METHOD($CLASS $PARAM) throws RemoteException;\n}\n" + }, + { + "metavariable-regex": { + "metavariable": "$CLASS", + "regex": "(?!int|boolean|short|long|byte|char|float|double)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.rmi.security.server-dangerous-object-deserialization", + "languages": [ + "java" + ], + "message": "Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://frohoff.github.io/appseccali-marshalling-pickles/", + "https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi", + "https://youtu.be/t_aw1mDNhzI", + "https://github.com/qtc-de/remote-method-guesser", + "https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "rmi" + ] + }, + "patterns": [ + { + "pattern": "interface $INTERFACE extends Remote {\n $RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException;\n}\n" + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$PARAMTYPE", + "patterns": [ + { + "pattern-not": "String" + }, + { + "pattern-not": "java.lang.String" + }, + { + "pattern-not": "boolean" + }, + { + "pattern-not": "Boolean" + }, + { + "pattern-not": "java.lang.Boolean" + }, + { + "pattern-not": "byte" + }, + { + "pattern-not": "Byte" + }, + { + "pattern-not": "java.lang.Byte" + }, + { + "pattern-not": "char" + }, + { + "pattern-not": "Character" + }, + { + "pattern-not": "java.lang.Character" + }, + { + "pattern-not": "double" + }, + { + "pattern-not": "Double" + }, + { + "pattern-not": "java.lang.Double" + }, + { + "pattern-not": "float" + }, + { + "pattern-not": "Float" + }, + { + "pattern-not": "java.lang.Float" + }, + { + "pattern-not": "int" + }, + { + "pattern-not": "Integer" + }, + { + "pattern-not": "java.lang.Integer" + }, + { + "pattern-not": "long" + }, + { + "pattern-not": "Long" + }, + { + "pattern-not": "java.lang.Long" + }, + { + "pattern-not": "short" + }, + { + "pattern-not": "Short" + }, + { + "pattern-not": "java.lang.Short" + } + ] + } + } + ], + "severity": "ERROR" + }, + { + "fix": "$COOKIE = new Cookie($...ARGS);\n$COOKIE.setSecure(true);\n", + "id": "vendored-rules.java.servlets.security.cookie-issecure-false", + "languages": [ + "java" + ], + "message": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)", + "https://owasp.org/www-community/controls/SecureCookieAttribute" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java", + "cookie" + ], + "vulnerability": "Insecure Transport" + }, + "patterns": [ + { + "pattern": "$COOKIE = new Cookie($...ARGS);" + }, + { + "pattern-not-inside": "$COOKIE = new Cookie(...);\n...\n$COOKIE.setSecure(...);\n" + } + ], + "severity": "WARNING" + }, + { + "fix-regex": { + "regex": "setSecure\\(false\\)", + "replacement": "setSecure(true)" + }, + "id": "vendored-rules.java.servlets.security.cookie-setSecure", + "languages": [ + "java" + ], + "message": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)", + "https://owasp.org/www-community/controls/SecureCookieAttribute" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "java", + "cookie" + ], + "vulnerability": "Insecure Transport" + }, + "patterns": [ + { + "patterns": [ + { + "pattern-inside": "$COOKIE = new Cookie(...);\n...\n" + }, + { + "pattern": "$COOKIE.setSecure(false);\n" + } + ] + }, + { + "pattern-not-inside": "$COOKIE = new Cookie(...);\n...\n$COOKIE.setSecure(true);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.unrestricted-request-mapping", + "languages": [ + "java" + ], + "message": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING", + "subcategory": [ + "audit" + ], + "technology": [ + "spring" + ] + }, + "patterns": [ + { + "pattern-inside": "@RequestMapping(...)\n$RETURNTYPE $METHOD(...) { ... }\n" + }, + { + "pattern-not-inside": "@RequestMapping(..., method = $X, ...)\n$RETURNTYPE $METHOD(...) { ... }\n" + }, + { + "pattern": "RequestMapping\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spel-injection", + "languages": [ + "java" + ], + "message": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION", + "subcategory": [ + "audit" + ], + "technology": [ + "spring" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "class $CLASS {\n ...\n ExpressionParser $PARSER;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n ExpressionParser $PARSER = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n ExpressionParser $PARSER = ...;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n SpelExpressionParser $PARSER;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n SpelExpressionParser $PARSER = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n SpelExpressionParser $PARSER = ...;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n TemplateAwareExpressionParser $PARSER;\n ...\n}\n" + }, + { + "pattern-inside": "class $CLASS {\n ...\n TemplateAwareExpressionParser $PARSER = ...;\n ...\n}\n" + }, + { + "pattern-inside": "$X $METHOD(...) {\n ...\n TemplateAwareExpressionParser $PARSER = ...;\n ...\n}\n" + } + ] + }, + { + "pattern": "$X $METHOD(...) {\n ...\n $PARSER.parseExpression(...);\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n $PARSER.parseExpression(\"...\");\n ...\n}\n" + }, + { + "pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $PARSER.parseExpression($S);\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-actuator-fully-enabled-yaml", + "languages": [ + "yaml" + ], + "message": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints", + "https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785", + "https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "patterns": [ + { + "pattern-inside": "management:\n ...\n endpoints:\n ...\n web:\n ...\n exposure:\n ...\n" + }, + { + "pattern": "include: \"*\"\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-actuator-fully-enabled", + "languages": [ + "generic" + ], + "message": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints", + "https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785", + "https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "paths": { + "include": [ + "*properties" + ] + }, + "pattern": "management.endpoints.web.exposure.include=*", + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled-yaml", + "languages": [ + "yaml" + ], + "message": "Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints", + "https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785", + "https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "patterns": [ + { + "pattern-inside": "management:\n ...\n endpoints:\n ...\n web:\n ...\n exposure:\n ...\n include:\n ...\n" + }, + { + "pattern": "include: [..., $ACTUATOR, ...]\n" + }, + { + "metavariable-comparison": { + "comparison": "not str($ACTUATOR) in [\"health\",\"*\"]", + "metavariable": "$ACTUATOR" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled", + "languages": [ + "generic" + ], + "message": "Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints", + "https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785", + "https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "options": { + "generic_ellipsis_max_span": 0 + }, + "patterns": [ + { + "pattern": "management.endpoints.web.exposure.include=$...ACTUATORS" + }, + { + "metavariable-comparison": { + "comparison": "not str($...ACTUATORS) in [\"health\",\"*\"]", + "metavariable": "$...ACTUATORS" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-csrf-disabled", + "languages": [ + "java" + ], + "message": "CSRF protection is disabled for this configuration. This is a security risk.", + "metadata": { + "asvs": { + "control_id": "4.2.2 CSRF", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control", + "section": "V4 Access Control", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED", + "subcategory": [ + "audit" + ], + "technology": [ + "spring" + ] + }, + "pattern": "$OBJ.csrf(...).disable(...)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-jsp-eval", + "languages": [ + "generic" + ], + "message": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL", + "subcategory": [ + "audit" + ], + "technology": [ + "spring" + ] + }, + "paths": { + "include": [ + "*.jsp" + ] + }, + "pattern": "\n", + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-sqli", + "languages": [ + "java" + ], + "message": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "mode": "taint", + "options": { + "taint_assume_safe_booleans": true, + "taint_assume_safe_numbers": true + }, + "pattern-sanitizers": [ + { + "not_conflicting": true, + "pattern-either": [ + { + "patterns": [ + { + "focus-metavariable": "$A" + }, + { + "pattern-inside": "new $TYPE(...,$A,...);\n" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "focus-metavariable": "$A" + }, + { + "pattern": "new PreparedStatementCreatorFactory($A,...);\n" + } + ] + }, + { + "patterns": [ + { + "focus-metavariable": "$A" + }, + { + "pattern": "(JdbcTemplate $T).$M($A,...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern": "(String $A)" + }, + { + "pattern-inside": "(JdbcTemplate $T).batchUpdate(...)\n" + } + ] + }, + { + "patterns": [ + { + "focus-metavariable": "$A" + }, + { + "pattern": "NamedParameterBatchUpdateUtils.$M($A,...)\n" + } + ] + }, + { + "patterns": [ + { + "focus-metavariable": "$A" + }, + { + "pattern": "BatchUpdateUtils.$M($A,...)\n" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$ARG" + }, + { + "pattern-inside": "public $T $M (..., String $ARG,...){...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.audit.spring-unvalidated-redirect", + "languages": [ + "java" + ], + "message": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT", + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "pattern-either": [ + { + "pattern": "$X $METHOD(...,String $URL,...) {\n return \"redirect:\" + $URL;\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...) {\n ...\n String $REDIR = \"redirect:\" + $URL;\n ...\n return $REDIR;\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...) {\n ...\n new ModelAndView(\"redirect:\" + $URL);\n ...\n}\n" + }, + { + "pattern": "$X $METHOD(...,String $URL,...) {\n ...\n String $REDIR = \"redirect:\" + $URL;\n ...\n new ModelAndView($REDIR);\n ...\n}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.java.spring.security.injection.tainted-file-path", + "languages": [ + "java" + ], + "message": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-23: Relative Path Traversal" + ], + "impact": "HIGH", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-community/attacks/Path_Traversal" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "spring" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sanitizers": [ + { + "pattern": "org.apache.commons.io.FilenameUtils.getName(...)" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new File(...)" + }, + { + "pattern": "new java.io.File(...)" + }, + { + "pattern": "new FileReader(...)" + }, + { + "pattern": "new java.io.FileReader(...)" + }, + { + "pattern": "new FileInputStream(...)" + }, + { + "pattern": "new java.io.FileInputStream(...)" + }, + { + "pattern": "(Paths $PATHS).get(...)" + }, + { + "patterns": [ + { + "pattern": "$CLASS.$FUNC(...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "^(getResourceAsStream|getResource)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new ClassPathResource($FILE, ...)" + }, + { + "pattern": "ResourceUtils.getFile($FILE, ...)" + }, + { + "pattern": "new FileOutputStream($FILE, ...)" + }, + { + "pattern": "new java.io.FileOutputStream($FILE, ...)" + }, + { + "pattern": "new StreamSource($FILE, ...)" + }, + { + "pattern": "new javax.xml.transform.StreamSource($FILE, ...)" + }, + { + "pattern": "FileUtils.openOutputStream($FILE, ...)" + } + ] + }, + { + "focus-metavariable": "$FILE" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))" + } + }, + { + "metavariable-regex": { + "metavariable": "$REQ", + "regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)" + } + }, + { + "focus-metavariable": "$SOURCE" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.spring.security.injection.tainted-html-string", + "languages": [ + "java" + ], + "message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "spring" + ] + }, + "mode": "taint", + "pattern-propagators": [ + { + "from": "$...TAINTED", + "pattern": "(StringBuilder $SB).append($...TAINTED)", + "to": "$SB" + }, + { + "from": "$...TAINTED", + "pattern": "$VAR += $...TAINTED", + "to": "$VAR" + } + ], + "pattern-sanitizers": [ + { + "pattern-either": [ + { + "pattern": "Encode.forHtml(...)" + }, + { + "pattern": "(PolicyFactory $POLICY).sanitize(...)" + }, + { + "pattern": "(AntiSamy $AS).scan(...)" + }, + { + "pattern": "JSoup.clean(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new ResponseEntity<>($PAYLOAD, ...)" + }, + { + "pattern": "new ResponseEntity<$ERROR>($PAYLOAD, ...)" + }, + { + "pattern": "ResponseEntity. ... .body($PAYLOAD)" + }, + { + "patterns": [ + { + "pattern": "ResponseEntity.$RESPFUNC($PAYLOAD). ...\n" + }, + { + "metavariable-regex": { + "metavariable": "$RESPFUNC", + "regex": "^(ok|of)$" + } + } + ] + } + ] + }, + { + "focus-metavariable": "$PAYLOAD" + } + ], + "requires": "CONCAT" + } + ], + "pattern-sources": [ + { + "label": "INPUT", + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))" + } + }, + { + "metavariable-regex": { + "metavariable": "$REQ", + "regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)" + } + }, + { + "focus-metavariable": "$SOURCE" + } + ] + }, + { + "by-side-effect": true, + "label": "CONCAT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$HTMLSTR\" + ...\n" + }, + { + "pattern": "\"$HTMLSTR\".concat(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "StringBuilder $SB = new StringBuilder(\"$HTMLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$HTMLSTR\";\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + }, + { + "pattern": "String.format(\"$HTMLSTR\", ...)" + }, + { + "patterns": [ + { + "pattern-inside": "String $VAR = \"$HTMLSTR\";\n...\n" + }, + { + "pattern": "String.format($VAR, ...)" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTMLSTR", + "regex": "^<\\w+" + } + } + ], + "requires": "INPUT" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.spring.security.injection.tainted-sql-string", + "languages": [ + "java" + ], + "message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "spring" + ] + }, + "mode": "taint", + "options": { + "interfile": true, + "taint_assume_safe_booleans": true, + "taint_assume_safe_numbers": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + ...\n" + }, + { + "pattern": "\"$SQLSTR\".concat(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$SQLSTR\";\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + }, + { + "pattern": "String.format(\"$SQLSTR\", ...)" + }, + { + "patterns": [ + { + "pattern-inside": "String $VAR = \"$SQLSTR\";\n...\n" + }, + { + "pattern": "String.format($VAR, ...)" + } + ] + } + ] + }, + { + "pattern-not-inside": "System.out.println(...)" + }, + { + "pattern-not-inside": "$LOG.info(...)" + }, + { + "pattern-not-inside": "$LOG.warn(...)" + }, + { + "pattern-not-inside": "$LOG.warning(...)" + }, + { + "pattern-not-inside": "$LOG.debug(...)" + }, + { + "pattern-not-inside": "$LOG.debugging(...)" + }, + { + "pattern-not-inside": "$LOG.error(...)" + }, + { + "pattern-not-inside": "new Exception(...)" + }, + { + "pattern-not-inside": "throw ...;" + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$REQ", + "regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue)" + } + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))" + } + }, + { + "focus-metavariable": "$SOURCE" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.spring.security.injection.tainted-system-command", + "languages": [ + "java" + ], + "message": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://www.stackhawk.com/blog/command-injection-java/", + "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", + "https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "spring" + ] + }, + "mode": "taint", + "pattern-propagators": [ + { + "from": "$INPUT", + "label": "CONCAT", + "pattern": "(StringBuilder $STRB).append($INPUT)", + "requires": "INPUT", + "to": "$STRB" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(Process $P) = new Process(...);\n" + }, + { + "pattern": "(ProcessBuilder $PB).command(...);\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "(Runtime $R).$EXEC(...);\n" + }, + { + "pattern": "Runtime.getRuntime(...).$EXEC(...);\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$EXEC", + "regex": "(exec|loadLibrary|load)" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "(ProcessBuilder $PB).command(...).$ADD(...);\n" + }, + { + "metavariable-regex": { + "metavariable": "$ADD", + "regex": "(add|addAll)" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$BUILDER = new ProcessBuilder(...);\n...\n" + }, + { + "pattern": "$BUILDER.start(...)" + } + ] + }, + { + "pattern": "new ProcessBuilder(...). ... .start(...);\n" + } + ] + } + ] + } + ] + } + ], + "requires": "CONCAT" + } + ], + "pattern-sources": [ + { + "label": "INPUT", + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))" + } + }, + { + "metavariable-regex": { + "metavariable": "$REQ", + "regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)" + } + }, + { + "focus-metavariable": "$SOURCE" + } + ] + }, + { + "label": "CONCAT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X + $SOURCE" + }, + { + "pattern": "$SOURCE + $Y" + }, + { + "pattern": "String.format(\"...\", ..., $SOURCE, ...)" + }, + { + "pattern": "String.join(\"...\", ..., $SOURCE, ...)" + }, + { + "pattern": "(String $STR).concat($SOURCE)" + }, + { + "pattern": "$SOURCE.concat(...)" + }, + { + "pattern": "$X += $SOURCE" + }, + { + "pattern": "$SOURCE += $X" + } + ] + } + ], + "requires": "INPUT" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.java.spring.security.injection.tainted-url-host", + "languages": [ + "java" + ], + "message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "java", + "spring" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "pattern-either": [ + { + "pattern": "new URL($ONEARG)" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$URLSTR\" + ...\n" + }, + { + "pattern": "\"$URLSTR\".concat(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "StringBuilder $SB = new StringBuilder(\"$URLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$URLSTR\";\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + }, + { + "patterns": [ + { + "pattern": "String.format(\"$URLSTR\", ...)" + }, + { + "pattern-not": "String.format(\"$URLSTR\", \"...\", ...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "String $VAR = \"$URLSTR\";\n...\n" + }, + { + "pattern": "String.format($VAR, ...)" + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$URLSTR", + "regex": "http(s?)://%(v|s|q).*" + } + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n" + }, + { + "pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))" + } + }, + { + "metavariable-regex": { + "metavariable": "$REQ", + "regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)" + } + }, + { + "focus-metavariable": "$SOURCE" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.ajv.security.audit.ajv-allerrors-true", + "languages": [ + "js", + "ts" + ], + "message": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-400: Uncontrolled Resource Consumption" + ], + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://ajv.js.org/options.html#allerrors" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "ajv" + ] + }, + "pattern-either": [ + { + "pattern": "new Ajv({...,allErrors: true,...},...)\n" + }, + { + "patterns": [ + { + "pattern": "new Ajv($SETTINGS,...)\n" + }, + { + "pattern-inside": "$SETTINGS = {...,allErrors: true,...}\n...\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-element-methods", + "languages": [ + "js", + "ts" + ], + "message": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/function/angular.element", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "angularjs" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$sce.getTrustedHtml(...)" + }, + { + "pattern": "$sanitize(...)" + }, + { + "pattern": "DOMPurify.sanitize(...)" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "angular.element(...). ... .$SINK($QUERY)\n" + }, + { + "pattern-inside": "$ANGULAR = angular.element(...)\n...\n$ANGULAR. ... .$SINK($QUERY)\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SINK", + "regex": "^(after|append|html|prepend|replaceWith|wrap)$" + } + }, + { + "focus-metavariable": "$QUERY" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "function(..., $SCOPE, ...) { ... }\n" + }, + { + "focus-metavariable": "$SCOPE" + }, + { + "metavariable-regex": { + "metavariable": "$SCOPE", + "regex": "^\\$scope$" + } + } + ] + }, + { + "pattern": "$rootScope" + }, + { + "pattern": "$injector.get('$rootScope')" + }, + { + "pattern": "$injector.get('$scope')" + } + ] + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-element-taint", + "languages": [ + "js", + "ts" + ], + "message": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/function/angular.element", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "angularjs" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$sce.getTrustedHtml(...)" + }, + { + "pattern": "$sanitize(...)" + }, + { + "pattern": "DOMPurify.sanitize(...)" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "angular.element(...). ... .$SINK($QUERY)\n" + }, + { + "pattern-inside": "$ANGULAR = angular.element(...)\n...\n$ANGULAR. ... .$SINK($QUERY)\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SINK", + "regex": "^(after|append|html|prepend|replaceWith|wrap)$" + } + }, + { + "focus-metavariable": "$QUERY" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "window.location.search" + }, + { + "pattern": "window.document.location.search" + }, + { + "pattern": "document.location.search" + }, + { + "pattern": "location.search" + }, + { + "pattern": "$location.search(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$DECODE(<... location.hash ...>)" + }, + { + "pattern": "$DECODE(<... window.location.hash ...>)" + }, + { + "pattern": "$DECODE(<... document.location.hash ...>)" + }, + { + "pattern": "$DECODE(<... location.href ...>)" + }, + { + "pattern": "$DECODE(<... window.location.href ...>)" + }, + { + "pattern": "$DECODE(<... document.location.href ...>)" + }, + { + "pattern": "$DECODE(<... document.URL ...>)" + }, + { + "pattern": "$DECODE(<... window.document.URL ...>)" + }, + { + "pattern": "$DECODE(<... document.location.href ...>)" + }, + { + "pattern": "$DECODE(<... document.location.href ...>)" + }, + { + "pattern": "$DECODE(<... $location.absUrl() ...>)" + }, + { + "pattern": "$DECODE(<... $location.url() ...>)" + }, + { + "pattern": "$DECODE(<... $location.hash() ...>)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$DECODE", + "regex": "^(unescape|decodeURI|decodeURIComponent)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$http.$METHOD(...).$CONTINUE(function $FUNC($RES) {...})" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|delete|head|jsonp|post|put|patch)" + } + }, + { + "pattern": "$RES.data" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-open-redirect", + "languages": [ + "js", + "ts" + ], + "message": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.", + "metadata": { + "asvs": { + "control_id": "5.5.1 Insecue Redirect", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsJs", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern": "$window.location.href = ...\n" + }, + { + "pattern-not": "$window.location.href = \"...\"\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-resource-loading", + "languages": [ + "js", + "ts" + ], + "message": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsJs", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "pattern-either": [ + { + "pattern": "$sceDelegateProvider.resourceUrlWhitelist([...,'**',...]);\n" + }, + { + "patterns": [ + { + "pattern": "$sceDelegateProvider.resourceUrlWhitelist([...,$DOM,...]);\n" + }, + { + "metavariable-regex": { + "metavariable": "$DOM", + "regex": "^'.*\\*\\*.+'$" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-sce-disabled", + "languages": [ + "js", + "ts" + ], + "message": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "angular" + ] + }, + "pattern": "$sceProvider.enabled(false);\n", + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-css-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsCss", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsCss($SOURCE);\n" + }, + { + "pattern": "$sce.trustAsCss($scope.$INPUT);\n" + } + ] + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-html-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsHtml($SOURCE);\n" + }, + { + "pattern": "$sce.trustAsHtml($scope.$INPUT);\n" + } + ] + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-js-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsJs", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsJs($SOURCE);\n" + }, + { + "pattern": "$sce.trustAsJs($scope.$INPUT);\n" + } + ] + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "angular" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "$sce.trustAs(...)" + }, + { + "pattern": "$sce.trustAsHtml(...)" + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "app.controller(..., function($scope,$sce) {\n...\n});\n" + }, + { + "pattern": "$scope.$X" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-resourceurl-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsResourceUrl($SOURCE);\n" + }, + { + "pattern": "$sce.trustAsResourceUrl($scope.$INPUT);\n" + } + ] + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-url-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsUrl($SOURCE);\n" + }, + { + "pattern": "$sce.trustAsUrl($scope.$INPUT);\n" + } + ] + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.angular.security.detect-angular-translateprovider-translations-method", + "languages": [ + "js", + "ts" + ], + "message": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl", + "https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "angular", + "typescript" + ] + }, + "patterns": [ + { + "pattern": "$translateProvider.translations(...,$SOURCE);\n" + }, + { + "pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.apollo.security.apollo-axios-ssrf", + "languages": [ + "js", + "ts" + ], + "message": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://www.cvedetails.com/cve/CVE-2020-28168/", + "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "apollo", + "axios" + ] + }, + "patterns": [ + { + "pattern": "const $RESPONSE = await axios.request($INNERARG,...)" + }, + { + "pattern-inside": "Query: {\n $METHOD(parent, args, context, info) {\n ...\n $DATA = args.$DATAVAL\n ...\n async function $INNERFUNC(...,$INNERARG,...){\n ...\n }\n ...\n return $INNERFUNC(...,$DATA,...)\n }\n }\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.argon2.security.unsafe-argon2-config", + "languages": [ + "js", + "ts" + ], + "message": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-916: Use of Password Hash With Insufficient Computational Effort" + ], + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", + "https://eprint.iacr.org/2016/759.pdf", + "https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf", + "https://datatracker.ietf.org/doc/html/rfc9106#section-4" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "argon2", + "cryptography" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern": "{type: $ARGON.argon2id}\n...\n" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$Y\n" + }, + { + "pattern-inside": "$ARGON.hash(...,$Y)\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "$ARGON = require('argon2');\n...\n" + }, + { + "pattern": "{type: ...}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.audit.detect-replaceall-sanitization", + "languages": [ + "js", + "ts" + ], + "message": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://www.npmjs.com/package/dompurify", + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript", + "typescript" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$STR.$FUNC('<', '<')" + }, + { + "pattern": "$STR.$FUNC('>', '>')" + }, + { + "pattern": "$STR.$FUNC('\"', '"')" + }, + { + "pattern": "$STR.$FUNC(\"'\", ''')" + }, + { + "pattern": "$STR.$FUNC('&', '&')" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "(replace|replaceAll)" + } + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.detect-child-process", + "languages": [ + "js", + "ts" + ], + "message": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript", + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$CMD" + }, + { + "pattern-either": [ + { + "pattern": "exec($CMD,...)" + }, + { + "pattern": "execSync($CMD,...)" + }, + { + "pattern": "spawn($CMD,...)" + }, + { + "pattern": "spawnSync($CMD,...)" + }, + { + "pattern": "$CP.exec($CMD,...)" + }, + { + "pattern": "$CP.execSync($CMD,...)" + }, + { + "pattern": "$CP.spawn($CMD,...)" + }, + { + "pattern": "$CP.spawnSync($CMD,...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "require('child_process')\n...\n" + }, + { + "pattern-inside": "import 'child_process'\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.dynamodb-request-object", + "languages": [ + "js", + "ts" + ], + "message": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-943: Improper Neutralization of Special Elements in Data Query Logic" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript", + "aws-lambda", + "dynamodb" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern": "{...}\n" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$SINK" + }, + { + "pattern": "$DC.$METHOD($SINK, ...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "(query|send|scan|delete|put|transactWrite|update|batchExecuteStatement|executeStatement|executeTransaction|transactWriteItems)" + } + }, + { + "pattern-either": [ + { + "pattern-inside": "$DC = new $AWS.DocumentClient(...);\n...\n" + }, + { + "pattern-inside": "$DC = new $AWS.DynamoDB(...);\n...\n" + }, + { + "pattern-inside": "$DC = new DynamoDBClient(...);\n...\n" + }, + { + "pattern-inside": "$DC = DynamoDBDocumentClient.from(...);\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.knex-sqli", + "languages": [ + "js", + "ts" + ], + "message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://knexjs.org/#Builder-fromRaw", + "https://knexjs.org/#Builder-whereRaw" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda", + "knex" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$QUERY" + }, + { + "pattern-either": [ + { + "pattern": "$KNEX.fromRaw($QUERY, ...)" + }, + { + "pattern": "$KNEX.whereRaw($QUERY, ...)" + }, + { + "pattern": "$KNEX.raw($QUERY, ...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "require('knex')\n...\n" + }, + { + "pattern-inside": "import 'knex'\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.mysql-sqli", + "languages": [ + "js", + "ts" + ], + "message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://www.npmjs.com/package/mysql2" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda", + "mysql", + "mysql2" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$QUERY" + }, + { + "pattern-either": [ + { + "pattern": "$POOL.query($QUERY, ...)" + }, + { + "pattern": "$POOL.execute($QUERY, ...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "require('mysql')\n...\n" + }, + { + "pattern-inside": "require('mysql2')\n...\n" + }, + { + "pattern-inside": "require('mysql2/promise')\n...\n" + }, + { + "pattern-inside": "import 'mysql'\n...\n" + }, + { + "pattern-inside": "import 'mysql2'\n...\n" + }, + { + "pattern-inside": "import 'mysql2/promise'\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.pg-sqli", + "languages": [ + "js", + "ts" + ], + "message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://node-postgres.com/features/queries" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda", + "postgres", + "pg" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$QUERY" + }, + { + "pattern-either": [ + { + "pattern": "$DB.query($QUERY, ...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "require('pg')\n...\n" + }, + { + "pattern-inside": "import 'pg'\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.sequelize-sqli", + "languages": [ + "js", + "ts" + ], + "message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://sequelize.org/master/manual/raw-queries.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda", + "sequelize" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$QUERY" + }, + { + "pattern-either": [ + { + "pattern": "$DB.query($QUERY, ...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "require('sequelize')\n...\n" + }, + { + "pattern-inside": "import 'sequelize'\n...\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.tainted-eval", + "languages": [ + "js", + "ts" + ], + "message": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript", + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$CODE" + }, + { + "pattern-either": [ + { + "pattern": "eval($CODE)" + }, + { + "pattern": "Function(...,$CODE)" + }, + { + "pattern": "new Function(...,$CODE)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.tainted-html-response", + "languages": [ + "js", + "ts" + ], + "message": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$BODY" + }, + { + "pattern-inside": "{..., headers: {..., 'Content-Type': 'text/html', ...}, body: $BODY, ... }\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.tainted-html-string", + "languages": [ + "js", + "ts" + ], + "message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$HTMLSTR\" + $EXPR\n" + }, + { + "pattern": "\"$HTMLSTR\".concat(...)\n" + }, + { + "pattern": "$UTIL.format($HTMLSTR, ...)" + }, + { + "pattern": "format($HTMLSTR, ...)" + } + ] + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$HTMLSTR", + "pattern": "<$TAG ..." + } + } + ] + }, + { + "patterns": [ + { + "pattern": "`...${...}...`\n" + }, + { + "pattern-regex": ".*<\\w+.*\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "console.$LOG(...)\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.tainted-sql-string", + "languages": [ + "js", + "ts" + ], + "message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/SQL_Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + $EXPR\n" + }, + { + "pattern": "\"$SQLSTR\".concat(...)\n" + }, + { + "pattern": "util.format($SQLSTR, ...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "`...${...}...`\n" + }, + { + "pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "console.$LOG(...)\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + }, + { + "pattern": "$EVENT" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.aws-lambda.security.vm-runincontext-injection", + "languages": [ + "js", + "ts" + ], + "message": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript", + "aws-lambda" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('vm');\n...\n" + }, + { + "pattern-inside": "import 'vm'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$VM.runInContext($X,...)" + }, + { + "pattern": "$VM.runInNewContext($X,...)" + }, + { + "pattern": "$VM.runInThisContext($X,...)" + }, + { + "pattern": "$VM.compileFunction($X,...)" + }, + { + "pattern": "new $VM.Script($X,...)" + }, + { + "pattern": "new $VM.SourceTextModule($X,...)" + }, + { + "pattern": "runInContext($X,...)" + }, + { + "pattern": "runInNewContext($X,...)" + }, + { + "pattern": "runInThisContext($X,...)" + }, + { + "pattern": "compileFunction($X,...)" + }, + { + "pattern": "new Script($X,...)" + }, + { + "pattern": "new SourceTextModule($X,...)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$EVENT" + }, + { + "pattern-either": [ + { + "pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + }, + { + "pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.bluebird.security.audit.tofastproperties-code-execution", + "languages": [ + "js", + "ts" + ], + "message": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "http://bluebirdjs.com/docs/getting-started.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "bluebird" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$UTIL.toFastProperties($SINK,...)" + }, + { + "pattern": "toFastProperties($SINK,...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "$BB = require('bluebird');\n...\n" + }, + { + "pattern-inside": "import 'bluebird';\n...\n" + } + ] + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (..., $ARG,...) {...}" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.browser.security.dom-based-xss", + "languages": [ + "js", + "ts" + ], + "message": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/DOM_Based_XSS" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "pattern-either": [ + { + "pattern": "document.write(<... document.location.$W ...>)" + }, + { + "pattern": "document.write(<... location.$W ...>)" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.browser.security.eval-detected", + "languages": [ + "js", + "ts" + ], + "message": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.", + "metadata": { + "asvs": { + "control_id": "5.2.4 Dynamic Code Execution Features", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "patterns": [ + { + "pattern-not": "eval(\"...\")" + }, + { + "pattern": "eval(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.browser.security.insecure-document-method", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$EL.innerHTML = $HTML;\n" + }, + { + "pattern": "$EL.outerHTML = $HTML;\n" + }, + { + "pattern": "document.write(...)" + } + ] + }, + { + "pattern-not": "$EL.innerHTML = \"...\";\n" + }, + { + "pattern-not": "$EL.outerHTML = \"...\";\n" + }, + { + "pattern-not": "document.write(\"...\")" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.browser.security.insecure-innerhtml", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "patterns": [ + { + "pattern": "$EL.innerHTML = $HTML;\n" + }, + { + "pattern-not": "$EL.innerHTML = \"...\";\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.browser.security.insufficient-postmessage-origin-validation", + "languages": [ + "js", + "ts" + ], + "message": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-345: Insufficient Verification of Data Authenticity" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "browser" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern": "window.addEventListener('message', $FUNC, ...)\n" + }, + { + "metavariable-pattern": { + "metavariable": "$FUNC", + "patterns": [ + { + "pattern": "function($OBJ) { ... }\n" + }, + { + "pattern-not": "function($OBJ) { ... if (<... $OBJ.origin ...>) { ... } ... }\n" + } + ] + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function $FNAME($OBJ) { $CONTEXT }\n...\n" + }, + { + "pattern-inside": "$FNAME = (...) => { $CONTEXT }\n...\n" + } + ] + }, + { + "pattern": "window.addEventListener('message', $FNAME,...)\n" + }, + { + "metavariable-pattern": { + "metavariable": "$CONTEXT", + "patterns": [ + { + "pattern-not": "... if (<... $OBJ.origin ...>) { ... } ...\n" + } + ] + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.browser.security.js-open-redirect-from-function", + "languages": [ + "js", + "ts" + ], + "message": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.", + "metadata": { + "asvs": { + "control_id": "5.5.1 Insecue Redirect", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "browser" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "location.href = $SINK" + }, + { + "pattern": "window.location.href = $SINK" + }, + { + "pattern": "this.window.location.href = $SINK" + }, + { + "pattern": "this.location.href = $SINK" + }, + { + "pattern": "location.replace($SINK)" + }, + { + "pattern": "window.location.replace($SINK)" + }, + { + "pattern": "this.window.location.replace($SINK)" + }, + { + "pattern": "this.location.replace($SINK)" + } + ] + }, + { + "focus-metavariable": "$SINK" + }, + { + "metavariable-pattern": { + "metavariable": "$SINK", + "patterns": [ + { + "pattern-not": "\"...\" + $VALUE\n" + }, + { + "pattern-not": "`...${$VALUE}`\n" + } + ] + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (..., $PROP, ...) { ... }\n" + }, + { + "focus-metavariable": "$PROP" + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.javascript.browser.security.js-open-redirect", + "languages": [ + "js", + "ts" + ], + "message": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.", + "metadata": { + "asvs": { + "control_id": "5.5.1 Insecue Redirect", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "interfile": true, + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "browser" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "location.href = $SINK" + }, + { + "pattern": "$THIS. ... .location.href = $SINK" + }, + { + "pattern": "location.replace($SINK)" + }, + { + "pattern": "$THIS. ... .location.replace($SINK)" + }, + { + "pattern": "location = $SINK" + }, + { + "pattern": "$WINDOW. ... .location = $SINK" + } + ] + }, + { + "focus-metavariable": "$SINK" + }, + { + "metavariable-pattern": { + "metavariable": "$SINK", + "patterns": [ + { + "pattern-not": "\"...\" + $VALUE\n" + }, + { + "pattern-not": "`...${$VALUE}`\n" + } + ] + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')\n...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams(location.search).get('...')\n...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')\n...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams(location.hash.substring(1)).get('...')\n...\n" + } + ] + }, + { + "pattern": "$PROP" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.search)\n...\n" + }, + { + "pattern-inside": "$PROPS = new URLSearchParams(location.search)\n...\n" + }, + { + "pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1))\n...\n" + }, + { + "pattern-inside": "$PROPS = new URLSearchParams(location.hash.substring(1))\n...\n" + } + ] + }, + { + "pattern": "$PROPS.get('...')" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROPS = new URL($WINDOW. ... .location.href)\n...\n" + }, + { + "pattern-inside": "$PROPS = new URL(location.href)\n...\n" + } + ] + }, + { + "pattern": "$PROPS.searchParams.get('...')" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROPS = new URL($WINDOW. ... .location.href).searchParams.get('...')\n...\n" + }, + { + "pattern-inside": "$PROPS = new URL(location.href).searchParams.get('...')\n...\n" + } + ] + }, + { + "pattern": "$PROPS" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.browser.security.raw-html-concat", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in a HTML string may result in XSS", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/xss/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "browser" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$S = new Remarkable()\n...\n" + } + ] + }, + { + "pattern": "$S.render(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$STRING + $EXPR" + }, + { + "pattern-not": "$STRING + \"...\"" + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$STRING", + "patterns": [ + { + "pattern": "<$TAG ..." + }, + { + "pattern-not": "<$TAG ...>......" + } + ] + } + } + ] + }, + { + "patterns": [ + { + "pattern": "$EXPR + $STRING" + }, + { + "pattern-not": "\"...\" + $STRING" + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$STRING", + "patterns": [ + { + "pattern": "... \n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.express-data-exfiltration", + "languages": [ + "js", + "ts" + ], + "message": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://en.wikipedia.org/wiki/Mass_assignment_vulnerability", + "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "Object.assign(...)" + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.express-expat-xxe", + "languages": [ + "js", + "ts" + ], + "message": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://github.com/astro/node-expat" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$XML = require('node-expat')\n...\n" + }, + { + "pattern-inside": "import $XML from 'node-expat'\n...\n" + }, + { + "pattern-inside": "import * as $XML from 'node-expat'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "$PARSER = new $XML.Parser(...);\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PARSER.parse($QUERY)" + }, + { + "pattern": "$PARSER.write($QUERY)" + } + ] + }, + { + "focus-metavariable": "$QUERY" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-insecure-template-usage", + "languages": [ + "js", + "ts" + ], + "message": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection", + "A01:2017 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html" + ], + "source_rule_url": [ + "https://github.com/github/codeql/blob/2ba2642c7ab29b9eedef33bcc2b8cd1d203d0c10/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript", + "typescript", + "express", + "pug", + "jade", + "dot", + "ejs", + "nunjucks", + "lodash", + "handlbars", + "mustache", + "hogan.js", + "eta", + "squirrelly" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-propagators": [ + { + "from": "$E", + "pattern": "$MODEL.$FIND($E).then((...,$S,...)=>{...})", + "to": "$S" + } + ], + "pattern-sinks": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('pug')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'pug'\n...\n" + }, + { + "pattern-inside": "$PUG = require('jade')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'jade'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.compile(...)" + }, + { + "pattern": "$PUG.compileClient(...)" + }, + { + "pattern": "$PUG.compileClientWithDependenciesTracked(...)" + }, + { + "pattern": "$PUG.render(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('dot')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'dot'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.template(...)" + }, + { + "pattern": "$PUG.compile(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('ejs')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'ejs'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.render(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('nunjucks')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'nunjucks'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.renderString(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('lodash')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'lodash'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.template(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('mustache')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'mustache'\n...\n" + }, + { + "pattern-inside": "$PUG = require('eta')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'eta'\n...\n" + }, + { + "pattern-inside": "$PUG = require('squirrelly')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'squirrelly'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.render(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PUG = require('hogan.js')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'hogan.js'\n...\n" + }, + { + "pattern-inside": "$PUG = require('handlebars')\n...\n" + }, + { + "pattern-inside": "import * as $PUG from 'handlebars'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PUG.compile(...)" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.express-jwt-hardcoded-secret", + "languages": [ + "js", + "ts" + ], + "message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express", + "secrets" + ] + }, + "options": { + "interfile": true + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$JWT = require('express-jwt');\n...\n" + }, + { + "pattern-inside": "import $JWT from 'express-jwt';\n...\n" + }, + { + "pattern-inside": "import * as $JWT from 'express-jwt';\n...\n" + }, + { + "pattern-inside": "import { ..., $JWT, ... } from 'express-jwt';\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$JWT({...,secret: \"$Y\",...},...)\n" + }, + { + "pattern": "$OPTS = \"$Y\";\n...\n$JWT({...,secret: $OPTS},...);\n" + } + ] + }, + { + "focus-metavariable": "$Y" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.express-phantom-injection", + "languages": [ + "js", + "ts" + ], + "message": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://phantomjs.org/page-automation.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('phantom');\n...\n" + }, + { + "pattern-inside": "import 'phantom';\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PAGE.open($SINK,...)" + }, + { + "pattern": "$PAGE.setContent($SINK,...)" + }, + { + "pattern": "$PAGE.openUrl($SINK,...)" + }, + { + "pattern": "$PAGE.evaluateJavaScript($SINK,...)" + }, + { + "pattern": "$PAGE.property(\"content\",$SINK,...)" + } + ] + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-puppeteer-injection", + "languages": [ + "js", + "ts" + ], + "message": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://pptr.dev/api/puppeteer.page" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('puppeteer');\n...\n" + }, + { + "pattern-inside": "import 'puppeteer';\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PAGE.goto($SINK,...)" + }, + { + "pattern": "$PAGE.setContent($SINK,...)" + }, + { + "pattern": "$PAGE.evaluate($SINK,...)" + }, + { + "pattern": "$PAGE.evaluate($CODE,$SINK,...)" + }, + { + "pattern": "$PAGE.evaluateHandle($SINK,...)" + }, + { + "pattern": "$PAGE.evaluateHandle($CODE,$SINK,...)" + }, + { + "pattern": "$PAGE.evaluateOnNewDocument($SINK,...)" + }, + { + "pattern": "$PAGE.evaluateOnNewDocument($CODE,$SINK,...)" + } + ] + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-sandbox-code-injection", + "languages": [ + "js", + "ts" + ], + "message": "Make sure that unverified user data can not reach `sandbox`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "$SANDBOX = require('sandbox');\n...\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$S = new $SANDBOX(...);\n...\n" + }, + { + "pattern": "$S.run(...)\n" + } + ] + }, + { + "pattern": "new $SANDBOX($OPTS).run(...)\n" + }, + { + "pattern": "new $SANDBOX().run(...)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-vm-injection", + "languages": [ + "js", + "ts" + ], + "message": "Make sure that unverified user data can not reach `$VM`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "$VM = require('vm');\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$VM.runInContext(...)\n" + }, + { + "pattern": "$VM.runInNewContext(...)\n" + }, + { + "pattern": "$VM.compileFunction(...)\n" + }, + { + "pattern": "$VM.runInThisContext(...)\n" + }, + { + "pattern": "new $VM.Script(...)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-vm2-injection", + "languages": [ + "js", + "ts" + ], + "message": "Make sure that unverified user data can not reach `vm2`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "require('vm2')\n...\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$VM = new VM(...)\n...\n" + }, + { + "pattern-inside": "$VM = new NodeVM(...)\n...\n" + } + ] + }, + { + "pattern": "$VM.run(...)\n" + } + ] + }, + { + "pattern": "new VM(...).run(...)\n" + }, + { + "pattern": "new NodeVM(...).run(...)\n" + }, + { + "pattern": "new VMScript(...)\n" + }, + { + "pattern": "new VM(...)\n" + }, + { + "pattern": "new NodeVM(...)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.express-wkhtmltoimage-injection", + "languages": [ + "js", + "ts" + ], + "message": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://www.npmjs.com/package/wkhtmltopdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$WK.generate($SINK,...)" + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-wkhtmltopdf-injection", + "languages": [ + "js", + "ts" + ], + "message": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://www.npmjs.com/package/wkhtmltopdf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "$WK = require('wkhtmltopdf');\n...\n" + }, + { + "pattern": "$WK($SINK,...)" + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.express-xml2json-xxe", + "languages": [ + "js", + "ts" + ], + "message": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities", + "metadata": { + "asvs": { + "control_id": "5.5.2 Insecue XML Deserialization", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.npmjs.com/package/xml2json" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('xml2json');\n...\n" + }, + { + "pattern-inside": "import 'xml2json';\n...\n" + } + ] + }, + { + "pattern": "$EXPAT.toJson($SINK,...)" + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + }, + { + "pattern": "$REQ.files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + }, + { + "pattern": "files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.require-request", + "languages": [ + "js", + "ts" + ], + "message": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-706: Use of Incorrectly-Resolved Name or Reference" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it" + ], + "source-rule-url": "https://nodesecroadmap.fyi/chapter-1/threat-UIR.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "require($SINK)" + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.x-frame-options-misconfiguration", + "languages": [ + "js", + "ts" + ], + "message": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-451: User Interface (UI) Misrepresentation of Critical Information" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.set($HEADER, ...)" + }, + { + "pattern": "$RES.header($HEADER, ...)" + }, + { + "pattern": "$RES.setHeader($HEADER, ...)" + }, + { + "pattern": "$RES.set({$HEADER: ...}, ...)\n" + }, + { + "pattern": "$RES.writeHead($STATUS, {$HEADER: ...}, ...)\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HEADER", + "regex": ".*(X-Frame-Options|x-frame-options).*" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-check-csurf-middleware-usage", + "languages": [ + "js", + "ts" + ], + "message": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.npmjs.com/package/csurf", + "https://www.npmjs.com/package/csrf", + "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript", + "typescript", + "express" + ] + }, + "patterns": [ + { + "pattern-inside": "$EXPRESS = require('express')\n...\n" + }, + { + "pattern-not-inside": "import {$CSRF} from 'csurf'\n...\n" + }, + { + "pattern-not-inside": "require('csurf')\n...\n" + }, + { + "pattern-not-inside": "import {$CSRF} from 'csrf'\n...\n" + }, + { + "pattern-not-inside": "require('csrf')\n...\n" + }, + { + "pattern": "$APP = $EXPRESS()\n" + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-check-directory-listing", + "languages": [ + "js", + "ts" + ], + "message": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-548: Exposure of Information Through Directory Listing" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A06:2017 - Security Misconfiguration", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.npmjs.com/package/serve-index", + "https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "options": { + "interfile": true + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$APP.use(require('serve-index')(...))\n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SERVEINDEX = require('serve-index')\n...\n" + }, + { + "pattern-inside": "import $SERVEINDEX from 'serve-index'\n...\n" + }, + { + "pattern-inside": "import * as $SERVEINDEX from 'serve-index'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $SERVEINDEX(...)\n...\n" + }, + { + "pattern": "$VALUE(...)\n" + } + ] + }, + { + "pattern": "$APP.use(..., $SERVEINDEX(...), ...)\n" + } + ] + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-default-name", + "languages": [ + "js", + "ts" + ], + "message": "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {name:...} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {name:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.name = ...;\n...\n$SESSION($OPTS,...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-secure", + "languages": [ + "js", + "ts" + ], + "message": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {cookie:{secure:true}} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {cookie:{secure:true}} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {secure:true} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {secure:true} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.secure = true;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.secure = true;\n...\n$SESSION($OPTS,...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-httponly", + "languages": [ + "js", + "ts" + ], + "message": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {cookie:{httpOnly:true}} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {cookie:{httpOnly:true}} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {httpOnly:true} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {httpOnly:true} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.httpOnly = true;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.httpOnly = true;\n...\n$SESSION($OPTS,...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-domain", + "languages": [ + "js", + "ts" + ], + "message": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {cookie:{domain:...}} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {cookie:{domain:...}} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {domain:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {domain:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.domain = ...;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.domain = ...;\n...\n$SESSION($OPTS,...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-path", + "languages": [ + "js", + "ts" + ], + "message": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {cookie:{path:...}} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {cookie:{path:...}} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {path:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {path:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.path = ...;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.path = ...;\n...\n$SESSION($OPTS,...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-expires", + "languages": [ + "js", + "ts" + ], + "message": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "HIGH", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('cookie-session');\n...\n" + }, + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + } + ] + }, + { + "pattern": "$SESSION(...)" + }, + { + "pattern-not-inside": "$SESSION(<... {cookie:{expires:...}} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {cookie:{expires:...}} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {expires:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {expires:...} ...>;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.expires = ...;\n...\n$SESSION($OPTS,...);\n" + }, + { + "pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.expires = ...;\n...\n$SESSION($OPTS,...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-detect-notevil-usage", + "languages": [ + "js", + "ts" + ], + "message": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1104: Use of Unmaintained Third Party Components" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A06:2021 - Vulnerable and Outdated Components" + ], + "references": [ + "https://github.com/mmckegg/notevil" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript", + "typescript" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $EVAL from 'notevil'\n...\n" + }, + { + "pattern-inside": "import {$EVAL} from 'notevil'\n...\n" + }, + { + "pattern-inside": "$EVAL = require('notevil')\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$EVAL(...)" + }, + { + "pattern-not": "$EVAL('...')" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$VM.runInContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.runInNewContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.runInThisContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.compileFunction(\"$CMD\", ...)" + } + ] + }, + { + "metavariable-pattern": { + "language": "typescript", + "metavariable": "$CMD", + "patterns": [ + { + "pattern": "$EVAL(...)" + }, + { + "pattern-not": "$EVAL('...')" + } + ] + } + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-jwt-not-revoked", + "languages": [ + "js", + "ts" + ], + "message": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md", + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-inside": "$JWT = require('express-jwt');\n...\n" + }, + { + "pattern": "$JWT(...)" + }, + { + "pattern-not-inside": "$JWT(<... {isRevoked:...} ...>,...)" + }, + { + "pattern-not-inside": "$OPTS = <... {isRevoked:...} ...>;\n...\n$JWT($OPTS,...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-libxml-noent", + "languages": [ + "js", + "ts" + ], + "message": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$XML = require('$IMPORT')\n...\n" + }, + { + "pattern-inside": "import $XML from '$IMPORT'\n ...\n" + }, + { + "pattern-inside": "import * as $XML from '$IMPORT'\n...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$IMPORT", + "regex": "^(libxmljs|libxmljs2)$" + } + }, + { + "pattern-inside": "$XML.$FUNC($QUERY, {...,noent:true,...})" + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "^(parseXmlString|parseXml)$" + } + }, + { + "focus-metavariable": "$QUERY" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + }, + { + "pattern": "$REQ.files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + }, + { + "pattern": "files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-libxml-vm-noent", + "languages": [ + "js", + "ts" + ], + "message": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$VM.runInContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.runInNewContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.runInThisContext(\"$CMD\", ...)" + }, + { + "pattern": "$VM.compileFunction(\"$CMD\", ...)" + } + ] + }, + { + "metavariable-pattern": { + "language": "typescript", + "metavariable": "$CMD", + "pattern-either": [ + { + "pattern": "$LIBXML.parseXml($DATA, {..., noent: true, ...}, ...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$OPTS = {..., noent: true, ...}\n...\n" + }, + { + "pattern": "$LIBXML.parseXml( $DATA, $OPTS )" + } + ] + } + ] + } + } + ] + }, + { + "pattern": "$LIBXML.parseXml($DATA, {..., noent: true, ...}, ...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$OPTS = {..., noent: true, ...}\n...\n" + }, + { + "pattern": "$LIBXML.parseXml( $DATA, $OPTS )" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-open-redirect", + "languages": [ + "js", + "ts" + ], + "message": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "symbolic_propagation": true, + "taint_unify_mvars": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.redirect(\"$HTTP\"+$REQ. ... .$VALUE)" + }, + { + "pattern": "$RES.redirect(\"$HTTP\"+$REQ. ... .$VALUE + $...A)" + }, + { + "pattern": "$RES.redirect(`$HTTP${$REQ. ... .$VALUE}...`)" + }, + { + "pattern": "$RES.redirect(\"$HTTP\"+$REQ.$VALUE[...])" + }, + { + "pattern": "$RES.redirect(\"$HTTP\"+$REQ.$VALUE[...] + $...A)" + }, + { + "pattern": "$RES.redirect(`$HTTP${$REQ.$VALUE[...]}...`)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTTP", + "regex": "^https?:\\/\\/$" + } + }, + { + "pattern-either": [ + { + "pattern": "$REQ. ... .$VALUE" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.redirect($REQ. ... .$VALUE)" + }, + { + "pattern": "$RES.redirect($REQ. ... .$VALUE + $...A)" + }, + { + "pattern": "$RES.redirect(`${$REQ. ... .$VALUE}...`)" + } + ] + }, + { + "pattern": "$REQ. ... .$VALUE" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.redirect($REQ.$VALUE['...'])" + }, + { + "pattern": "$RES.redirect($REQ.$VALUE['...'] + $...A)" + }, + { + "pattern": "$RES.redirect(`${$REQ.$VALUE['...']}...`)" + } + ] + }, + { + "pattern": "$REQ.$VALUE" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ.$VALUE['...']\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE + $...A\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ.$VALUE['...'] + $...A\n... \n" + }, + { + "pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE}...`\n...\n" + }, + { + "pattern-inside": "$ASSIGN = `${$REQ.$VALUE['...']}...`\n... \n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$RES.redirect($ASSIGN)" + }, + { + "pattern": "$RES.redirect($ASSIGN + $...FOO)" + }, + { + "pattern": "$RES.redirect(`${$ASSIGN}...`)" + } + ] + }, + { + "focus-metavariable": "$ASSIGN" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-path-join-resolve-traversal", + "languages": [ + "js", + "ts" + ], + "message": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-community/attacks/Path_Traversal" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express", + "node.js" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern": "$Y.replace(...)" + }, + { + "pattern": "$Y.indexOf(...)" + }, + { + "pattern": "function ... (...) {\n ...\n <... $Y.indexOf(...) ...>\n ...\n}\n" + }, + { + "patterns": [ + { + "pattern": "$FUNC(...)" + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "sanitize" + } + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$SINK" + }, + { + "pattern-either": [ + { + "pattern-inside": "$PATH = require('path');\n...\n" + }, + { + "pattern-inside": "import $PATH from 'path';\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$PATH.join(...,$SINK,...)" + }, + { + "pattern": "$PATH.resolve(...,$SINK,...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "focus-metavariable": "$SINK" + }, + { + "pattern-inside": "import 'path';\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "path.join(...,$SINK,...)" + }, + { + "pattern": "path.resolve(...,$SINK,...)" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-res-sendfile", + "languages": [ + "js", + "ts" + ], + "message": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-73: External Control of File Name or Path" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.$METH($QUERY,...)" + } + ] + }, + { + "pattern-not-inside": "$RES.$METH($QUERY,$OPTIONS)" + }, + { + "metavariable-regex": { + "metavariable": "$METH", + "regex": "^(sendfile|sendFile)$" + } + }, + { + "focus-metavariable": "$QUERY" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... (...,$REQ: $TYPE, ...) {...}\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$TYPE", + "regex": "^(string|String)" + } + } + ] + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-session-hardcoded-secret", + "languages": [ + "js", + "ts" + ], + "message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express", + "secrets" + ] + }, + "options": { + "interfile": true + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SESSION = require('express-session');\n...\n" + }, + { + "pattern-inside": "import $SESSION from 'express-session'\n...\n" + }, + { + "pattern-inside": "import {..., $SESSION, ...} from 'express-session'\n...\n" + }, + { + "pattern-inside": "import * as $SESSION from 'express-session'\n...\n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.use($SESSION({...}))" + }, + { + "pattern": "$SECRET = $VALUE\n...\n$APP.use($SESSION($SECRET))\n" + } + ] + }, + { + "pattern": "secret: '$Y'\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-ssrf", + "languages": [ + "js", + "ts" + ], + "message": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. ", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "taint_unify_mvars": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$REQUEST = require('request')\n...\n" + }, + { + "pattern-inside": "import * as $REQUEST from 'request'\n...\n" + }, + { + "pattern-inside": "import $REQUEST from 'request'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ. ... .$VALUE)" + }, + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ. ... .$VALUE + $...A)" + }, + { + "pattern": "$REQUEST.$METHOD(`$HTTP${$REQ. ... .$VALUE}...`)" + }, + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ.$VALUE[...])" + }, + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ.$VALUE[...] + $...A)" + }, + { + "pattern": "$REQUEST.$METHOD(`$HTTP${$REQ.$VALUE[...]}...`)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|patch|del|head|delete)$" + } + }, + { + "metavariable-regex": { + "metavariable": "$HTTP", + "regex": "^(https?:\\/\\/|//)$" + } + }, + { + "pattern-either": [ + { + "pattern": "$REQ. ... .$VALUE" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$REQUEST = require('request')\n...\n" + }, + { + "pattern-inside": "import * as $REQUEST from 'request'\n...\n" + }, + { + "pattern-inside": "import $REQUEST from 'request'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQUEST.$METHOD($REQ. ... .$VALUE,...)" + }, + { + "pattern": "$REQUEST.$METHOD($REQ. ... .$VALUE + $...A,...)" + }, + { + "pattern": "$REQUEST.$METHOD(`${$REQ. ... .$VALUE}...`,...)" + } + ] + }, + { + "pattern": "$REQ. ... .$VALUE" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|patch|del|head|delete)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$REQUEST = require('request')\n...\n" + }, + { + "pattern-inside": "import * as $REQUEST from 'request'\n...\n" + }, + { + "pattern-inside": "import $REQUEST from 'request'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQUEST.$METHOD($REQ.$VALUE['...'],...)" + }, + { + "pattern": "$REQUEST.$METHOD($REQ.$VALUE['...'] + $...A,...)" + }, + { + "pattern": "$REQUEST.$METHOD(`${$REQ.$VALUE['...']}...`,...)" + } + ] + }, + { + "pattern": "$REQ.$VALUE" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|patch|del|head|delete)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$REQUEST = require('request')\n...\n" + }, + { + "pattern-inside": "import * as $REQUEST from 'request'\n...\n" + }, + { + "pattern-inside": "import $REQUEST from 'request'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE['...']\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE + $...A\n...\n" + }, + { + "pattern-inside": "$ASSIGN = $REQ. ... .$VALUE['...'] + $...A\n... \n" + }, + { + "pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE}...`\n...\n" + }, + { + "pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE['...']}...`\n... \n" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$ASSIGN = \"$HTTP\"+ $REQ. ... .$VALUE\n...\n" + }, + { + "pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ. ... .$VALUE + $...A\n...\n" + }, + { + "pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ.$VALUE[...]\n...\n" + }, + { + "pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ.$VALUE[...] + $...A\n...\n" + }, + { + "pattern-inside": "$ASSIGN = `$HTTP${$REQ.$VALUE[...]}...`\n...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTTP", + "regex": "^(https?:\\/\\/|//)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQUEST.$METHOD($ASSIGN,...)" + }, + { + "pattern": "$REQUEST.$METHOD($ASSIGN + $...FOO,...)" + }, + { + "pattern": "$REQUEST.$METHOD(`${$ASSIGN}...`,...)" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$ASSIGN,...)" + }, + { + "pattern": "$REQUEST.$METHOD(\"$HTTP\"+$ASSIGN + $...A,...)" + }, + { + "pattern": "$REQUEST.$METHOD(`$HTTP${$ASSIGN}...`,...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTTP", + "regex": "^(https?:\\/\\/|//)$" + } + } + ] + } + ] + }, + { + "pattern": "$ASSIGN" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|patch|del|head|delete)$" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, ...) {...}" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,...) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: $EXPRESS.Request,...) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-third-party-object-deserialization", + "languages": [ + "js", + "ts" + ], + "message": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html" + ], + "source_rule_url": [ + "https://github.com/ajinabraham/njsscan/blob/75bfbeb9c8d72999e4d527dfa2548f7f0f3cc48a/njsscan/rules/semantic_grep/eval/eval_deserialize.yaml" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$SER = require('$IMPORT')\n...\n" + }, + { + "pattern-inside": "import $SER from '$IMPORT'\n ...\n" + }, + { + "pattern-inside": "import * as $SER from '$IMPORT'\n...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$IMPORT", + "regex": "^(node-serialize|serialize-to-js)$" + } + }, + { + "pattern": "$SER.$FUNC(...)" + }, + { + "metavariable-regex": { + "metavariable": "$FUNC", + "regex": "^(unserialize|deserialize)$" + } + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + }, + { + "pattern": "$REQ.files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + }, + { + "pattern": "files.$ANYTHING.data.toString('utf8')" + }, + { + "pattern": "files.$ANYTHING['data'].toString('utf8')" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.express-xml2json-xxe-event", + "languages": [ + "js", + "ts" + ], + "message": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.npmjs.com/package/xml2json" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('xml2json');\n...\n" + }, + { + "pattern-inside": "import 'xml2json';\n...\n" + } + ] + }, + { + "pattern": "$REQ.on('...', function(...) { ... $EXPAT.toJson($INPUT,...); ... })" + }, + { + "focus-metavariable": "$INPUT" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.unknown-value-in-redirect", + "languages": [ + "js", + "ts" + ], + "message": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.", + "metadata": { + "asvs": { + "control_id": "5.5.1 Insecue Redirect", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation", + "section": "V5 Validation, Sanitization and Encoding", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$UNK = query.$B;\n...\n" + }, + { + "pattern-inside": "$UNK = $A.query.$B;\n...\n" + }, + { + "pattern-inside": "$UNK = req.$SOMETHING;\n...\n" + } + ] + }, + { + "pattern": "$RES.redirect(..., <... $UNK ...>, ...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.remote-property-injection", + "languages": [ + "js", + "ts" + ], + "message": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern": "var $X = ..." + }, + { + "pattern-not": "var $X = $REQ.$ANY" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "$OBJ[...] = ..." + }, + { + "pattern-not-inside": "$OBJ[\"...\"] = ..." + }, + { + "pattern-not-inside": "$OBJ[...] = \"...\"" + }, + { + "pattern": "$INDEX" + }, + { + "pattern-not": "\"...\" + $INDEX\n" + }, + { + "pattern-not": "$INDEX + \"...\"\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.express.security.audit.res-render-injection", + "languages": [ + "js", + "ts" + ], + "message": "User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-706: Use of Incorrectly-Resolved Name or Reference" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "http://expressjs.com/en/4x/api.html#res.render" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$RES.render($SINK, ...)" + } + ] + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.direct-response-write", + "languages": [ + "js", + "ts" + ], + "message": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ], + "vulnerability_class": [ + "Cross-Site-Scripting (XSS)" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$S = new Remarkable()\n...\n" + } + ] + }, + { + "pattern": "$S.render(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'express-xss-sanitizer';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"express-xss-sanitizer\";\n...\n" + }, + { + "pattern-inside": "const { ..., $S, ... } = require('express-xss-sanitizer');\n...\n" + }, + { + "pattern-inside": "var { ..., $S, ... } = require('express-xss-sanitizer');\n...\n" + }, + { + "pattern-inside": "let { ...,$S,... } = require('express-xss-sanitizer');\n...\n" + }, + { + "pattern-inside": "$S = require(\"express-xss-sanitizer\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern": "$RES. ... .type('$F'). ... .send(...)" + }, + { + "metavariable-regex": { + "metavariable": "$F", + "regex": "(?!.*text/html)" + } + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$X = [...];\n...\n" + }, + { + "pattern": "if(<... !$X.includes($SOURCE)...>) {\n ...\n return ...\n}\n...\n" + }, + { + "pattern": "$SOURCE" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-inside": "function ... (..., $RES,...) {...}" + }, + { + "pattern-either": [ + { + "pattern": "$RES.write($ARG)" + }, + { + "pattern": "$RES.send($ARG)" + } + ] + }, + { + "pattern-not": "$RES. ... .set('...'). ... .send($ARG)" + }, + { + "pattern-not": "$RES. ... .type('...'). ... .send($ARG)" + }, + { + "pattern-not-inside": "$RES.$METHOD({ ... })" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)" + } + } + ] + } + ] + }, + { + "pattern-not-inside": "function ... ($REQ, $RES) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n" + }, + { + "pattern-not-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n})\n" + }, + { + "pattern-not-inside": "function ... ($REQ, $RES, $NEXT) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n" + }, + { + "pattern-not-inside": "function ... ($REQ, $RES) {\n ...\n $RES.set('$TYPE')\n}\n" + }, + { + "pattern-not-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {\n ...\n $RES.set('$TYPE')\n})\n" + }, + { + "pattern-not-inside": "function ... ($REQ, $RES, $NEXT) {\n ...\n $RES.set('$TYPE')\n}\n" + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "pattern-not-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n" + }, + { + "pattern-not-inside": "({ $REQ }: Request,$RES: Response) => {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n" + }, + { + "pattern-not-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{\n ...\n $RES.set('$TYPE')\n}\n" + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "fix-regex": { + "regex": "<%-(.*?)%>", + "replacement": "<%=\\1%>" + }, + "id": "vendored-rules.javascript.express.security.audit.xss.ejs.template-explicit-unescape", + "languages": [ + "regex" + ], + "message": "Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.ejs", + "*.html" + ] + }, + "pattern-regex": "<%-((?!include).)*?%>", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.ejs.var-in-href", + "languages": [ + "regex" + ], + "message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link %>'. You may also consider setting the Content Security Policy (CSP) header.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI", + "https://github.com/pugjs/pug/issues/2952" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.ejs", + "*.html" + ] + }, + "pattern-regex": "]*?[^\\/&=]<%.*?%>.*?>", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.ejs.var-in-script-src", + "languages": [ + "generic" + ], + "message": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough", + "https://github.com/ESAPI/owasp-esapi-js" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.ejs", + "*.html" + ] + }, + "patterns": [ + { + "pattern-inside": "" + }, + { + "pattern-not-inside": "" + }, + { + "pattern": "{{ ... }}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.pug.template-and-attributes", + "languages": [ + "regex" + ], + "message": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://pugjs.org/language/attributes.html#attributes" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.pug" + ] + }, + "pattern-regex": ".*&attributes.*", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.pug.template-explicit-unescape", + "languages": [ + "regex" + ], + "message": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://pugjs.org/language/code.html#unescaped-buffered-code", + "https://pugjs.org/language/attributes.html#unescaped-attributes" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.pug" + ] + }, + "pattern-either": [ + { + "pattern-regex": "\\w.*(!=)[^=].*" + }, + { + "pattern-regex": "!{.*?}" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.pug.var-in-href", + "languages": [ + "regex" + ], + "message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href='/'+url). You may also consider setting the Content Security Policy (CSP) header.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://github.com/pugjs/pug/issues/2952", + "https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.pug" + ] + }, + "pattern-regex": "a\\(.*href=[^'\"].*\\)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.audit.xss.pug.var-in-script-tag", + "languages": [ + "regex" + ], + "message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough", + "https://github.com/ESAPI/owasp-esapi-js" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "express" + ] + }, + "paths": { + "include": [ + "*.pug" + ] + }, + "pattern-either": [ + { + "pattern-regex": "script\\s*=[A-Za-z0-9]+" + }, + { + "pattern-regex": "script\\s*=.*[\"']\\s*\\+.*" + }, + { + "pattern-regex": "script\\s*=[^'\"]+\\+.*" + }, + { + "pattern-regex": "script\\(.*?\\)\\s*=\\s*[A-Za-z0-9]+" + }, + { + "pattern-regex": "script\\(.*?\\)\\s*=\\s*.*[\"']\\s*\\+.*" + }, + { + "pattern-regex": "script\\(.*?\\)\\s*=\\s*[^'\"]+\\+.*" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.injection.raw-html-format", + "languages": [ + "js", + "ts" + ], + "message": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$HTMLSTR\" + $EXPR" + }, + { + "pattern": "\"$HTMLSTR\".concat(...)" + }, + { + "pattern": "util.format($HTMLSTR, ...)" + } + ] + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$HTMLSTR", + "pattern": "<$TAG ..." + } + } + ] + }, + { + "patterns": [ + { + "pattern": "`...`\n" + }, + { + "pattern-regex": ".*<\\w+.*\n" + } + ] + } + ] + } + ], + "requires": "(EXPRESS and not CLEAN) or (EXPRESSTS and not CLEAN)" + } + ], + "pattern-sources": [ + { + "label": "EXPRESS", + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "label": "EXPRESSTS", + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n" + }, + { + "pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + }, + { + "by-side-effect": true, + "label": "CLEAN", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$A($SOURCE)" + }, + { + "pattern": "$SANITIZE. ... .$A($SOURCE)" + }, + { + "pattern": "$A. ... .$SANITIZE($SOURCE)" + } + ] + }, + { + "focus-metavariable": "$SOURCE" + }, + { + "metavariable-regex": { + "metavariable": "$A", + "regex": "(?i)(.*valid|.*sanitiz)" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.express.security.injection.tainted-sql-string", + "languages": [ + "js", + "ts" + ], + "message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/SQL_Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "express" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "\"$SQLSTR\" + $EXPR\n" + }, + { + "pattern-inside": "\"$SQLSTR\".concat($EXPR)\n" + }, + { + "pattern": "util.format($SQLSTR, $EXPR)" + }, + { + "pattern": "`$SQLSTR${$EXPR}...`\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": ".*\\b(?i)(select|delete|insert|create|update\\s+.+\\sset|alter|drop)\\b.*" + } + } + ] + } + ] + }, + { + "focus-metavariable": "$EXPR" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... (...,$REQ, ...) {...}" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "(...,{ $REQ }: Request,...) => {...}\n" + }, + { + "pattern-inside": "(...,{ $REQ }: $EXPRESS.Request,...) => {...}\n" + } + ] + }, + { + "focus-metavariable": "$REQ" + }, + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "query" + }, + { + "pattern": "cookies" + }, + { + "pattern": "headers" + }, + { + "pattern": "body" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.fbjs.security.audit.insecure-createnodesfrommarkup", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "fbjs" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "createNodesFromMarkup(...)" + }, + { + "pattern": "$X.createNodesFromMarkup(...)" + } + ] + }, + { + "pattern-not": "createNodesFromMarkup(\"...\",...)" + }, + { + "pattern-not": "$X.createNodesFromMarkup(\"...\",...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.grpc.security.grpc-nodejs-insecure-connection", + "languages": [ + "js", + "ts" + ], + "message": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-502: Deserialization of Untrusted Data" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2017 - Insecure Deserialization", + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "grpc" + ] + }, + "pattern-either": [ + { + "pattern": "require('grpc');\n...\n$GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);\n" + }, + { + "pattern": "require('grpc');\n...\nnew $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);\n" + }, + { + "pattern": "require('grpc');\n...\n$CREDS = <... $CREDENTIALS.createInsecure() ...>;\n...\n$GRPC($ADDR,...,$CREDS,...);" + }, + { + "pattern": "require('grpc');\n...\n$CREDS = <... $CREDENTIALS.createInsecure() ...>;\n...\nnew $GRPC($ADDR,...,$CREDS,...);" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash", + "languages": [ + "js", + "ts" + ], + "message": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-287: Improper Authentication" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "intercom" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "window.intercomSettings = {..., email: $EMAIL, ...};\n" + }, + { + "pattern": "window.intercomSettings = {..., user_id: $USER_ID, ...};\n" + }, + { + "pattern": "Intercom('boot', {..., email: $EMAIL, ...});\n" + }, + { + "pattern": "Intercom('boot', {..., user_id: $USER_ID, ...});\n" + }, + { + "pattern": "$VAR = {..., email: $EMAIL, ...};\n...\nIntercom('boot', $VAR);\n" + }, + { + "pattern": "$VAR = {..., user_id: $EMAIL, ...};\n...\nIntercom('boot', $VAR);\n" + } + ] + }, + { + "pattern-not": "window.intercomSettings = {..., user_hash: $USER_HASH, ...};\n" + }, + { + "pattern-not": "Intercom('boot', {..., user_hash: $USER_HASH, ...});\n" + }, + { + "pattern-not": "$VAR = {..., user_hash: $USER_HASH, ...};\n...\nIntercom('boot', $VAR);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jose.security.hardcoded-jwt-secret", + "languages": [ + "js", + "ts" + ], + "message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).", + "metadata": { + "asvs": { + "control_id": "3.5.2 Static API keys or secret", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "interfile": true, + "likelihood": "HIGH", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "jose", + "jwt", + "secrets" + ] + }, + "options": { + "interfile": true, + "symbolic_propagation": true + }, + "patterns": [ + { + "pattern-inside": "$JOSE = require(\"jose\");\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "var {JWT} = $JOSE;\n...\n" + }, + { + "pattern-inside": "var {JWK, JWT} = $JOSE;\n...\n" + }, + { + "pattern-inside": "const {JWT} = $JOSE;\n...\n" + }, + { + "pattern-inside": "const {JWK, JWT} = $JOSE;\n...\n" + }, + { + "pattern-inside": "let {JWT} = $JOSE;\n...\n" + }, + { + "pattern-inside": "let {JWK, JWT} = $JOSE;\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "JWT.verify($P, \"...\", ...);\n" + }, + { + "pattern": "JWT.sign($P, \"...\", ...);\n" + }, + { + "pattern": "JWT.verify($P, JWK.asKey(\"...\"), ...); \n" + }, + { + "pattern": "$JWT.sign($P, JWK.asKey(\"...\"), ...);\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jose.security.jwt-none-alg", + "languages": [ + "js", + "ts" + ], + "message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "vuln" + ], + "technology": [ + "jose", + "jwt" + ] + }, + "pattern-either": [ + { + "pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\nvar $T = JWT.verify($P, JWK.None,...);\n" + }, + { + "pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\n$T = JWT.verify($P, JWK.None,...);\n" + }, + { + "pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\nJWT.verify($P, JWK.None,...);\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.jose.security.audit.jose-exposed-data", + "languages": [ + "js", + "ts" + ], + "message": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.", + "metadata": { + "asvs": { + "control_id": "3.5.2 Static API keys or secret", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "audit" + ], + "technology": [ + "jose", + "jwt" + ] + }, + "patterns": [ + { + "pattern-inside": "require('jose');\n...\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "function (...,$INPUT,...) {...}" + }, + { + "pattern-either": [ + { + "pattern": "$JOSE.JWT.sign($INPUT,...)" + }, + { + "pattern": "$JWT.sign($INPUT,...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "function $F(...,$INPUT,...) {...}" + }, + { + "pattern-either": [ + { + "pattern": "$JOSE.JWT.sign($INPUT,...)" + }, + { + "pattern": "$JWT.sign($INPUT,...)" + } + ] + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jquery.security.audit.jquery-insecure-method", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/xss/", + "https://bugs.jquery.com/ticket/9521" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jquery" + ] + }, + "options": { + "symbolic_propagation": true + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$.$METHOD($VAR,...)" + }, + { + "pattern": "$(...).$METHOD($VAR,...)" + }, + { + "pattern": "jQuery.$METHOD($VAR,...)" + }, + { + "pattern": "jQuery(...).$METHOD($VAR,...)" + } + ] + }, + { + "pattern-not": "$.$METHOD(\"...\",...)" + }, + { + "pattern-not": "$(...).$METHOD(\"...\",...)" + }, + { + "pattern-not": "jQuery.$METHOD(\"...\",...)" + }, + { + "pattern-not": "jQuery(...).$METHOD(\"...\",...)" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(html|append|prepend|wrap|wrapInner|wrapAll|before|after|globalEval|getScript)$" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$(...).$METHOD($VAR,...)" + }, + { + "pattern": "jQuery(...).$METHOD($VAR,...)" + } + ] + }, + { + "pattern-not": "$(\"...\",...).$METHOD(...)" + }, + { + "pattern-not": "jQuery(\"...\",...).$METHOD(...)" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(appendTo|insertAfter|insertBefore|prependTo)$" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jquery.security.audit.jquery-insecure-selector", + "languages": [ + "js", + "ts" + ], + "message": "User controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/xss/", + "https://bugs.jquery.com/ticket/9521" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "jquery" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$(<... window ...>)\n" + }, + { + "pattern": "$(<... location ...>)\n" + }, + { + "patterns": [ + { + "pattern": "$X = <... window ...>;\n...\n$(<... $X ...>);\n" + }, + { + "focus-metavariable": "$X" + } + ] + }, + { + "patterns": [ + { + "pattern": "$X = <... location ...>;\n...\n$(<... $X ...>);\n" + }, + { + "focus-metavariable": "$X" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function $FUNC(..., $Y, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function (..., $Y, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "function $FUNC(...,$Z,...) {\n ...\n $Y = <... $Z ...>;\n ...\n}\n" + }, + { + "pattern-inside": "function (...,$Z,...) {\n ...\n $Y = <... $Z ...>;\n ...\n}\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$(<... $Y ...>)\n" + }, + { + "pattern": "$(\"...\" + (<... $Y ...>))\n" + }, + { + "pattern": "$((<... $Y ...>) + \"...\")\n" + } + ] + }, + { + "pattern-not-inside": "$JQUERY.each(function($INDEX, $Y) {\n ...\n})\n" + }, + { + "focus-metavariable": "$Y" + } + ] + } + ] + }, + { + "pattern-not": "$(window)\n" + }, + { + "pattern-not": "$(document)\n" + }, + { + "pattern-not": "$(this)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jquery.security.audit.prohibit-jquery-html", + "languages": [ + "js", + "ts" + ], + "message": "JQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "help": "## Remediation\nAvoid using JQuery's html() function. If the string is plain text, use the text() function instead.\nOtherwise, use a function that escapes html such as edx's HtmlUtils.setHtml().\n", + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "precision": "high", + "references": [ + "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#javascript-concat-html", + "https://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks", + "https://api.jquery.com/text/#text-text" + ], + "shortDesription": "Use of JQuery's unsafe html() function.", + "subcategory": [ + "audit" + ], + "tags": [ + "security" + ], + "technology": [ + "jquery" + ] + }, + "patterns": [ + { + "pattern": "$X.html(...)\n" + }, + { + "pattern-not": "$X.html(\"...\",...)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jsonwebtoken.security.hardcoded-jwt-secret", + "languages": [ + "js", + "ts" + ], + "message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).", + "metadata": { + "asvs": { + "control_id": "3.5.2 Static API keys or secret", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "jwt", + "javascript", + "secrets" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$JWT = require(\"jsonwebtoken\")\n...\n" + }, + { + "pattern-inside": "import $JWT from \"jsonwebtoken\"\n...\n" + }, + { + "pattern-inside": "import * as $JWT from \"jsonwebtoken\"\n...\n" + }, + { + "pattern-inside": "import {...,$JWT,...} from \"jsonwebtoken\"\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "$JWT.sign($DATA,$VALUE,...);\n" + }, + { + "pattern-inside": "$JWT.verify($DATA,$VALUE,...);\n" + } + ] + }, + { + "focus-metavariable": "$VALUE" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$X = '...' \n" + }, + { + "pattern": "$X = '$Y' \n" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$JWT.sign($DATA,\"...\",...);\n" + }, + { + "pattern-inside": "$JWT.verify($DATA,\"...\",...);\n" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jsonwebtoken.security.jwt-none-alg", + "languages": [ + "js", + "ts" + ], + "message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "vuln" + ], + "technology": [ + "jwt" + ] + }, + "patterns": [ + { + "pattern-inside": "$JWT = require(\"jsonwebtoken\");\n...\n" + }, + { + "pattern": "$JWT.verify($P, $X, {algorithms:[...,'none',...]},...)" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.jsonwebtoken.security.audit.jwt-decode-without-verify", + "languages": [ + "js", + "ts" + ], + "message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-345: Insufficient Verification of Data Authenticity" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "audit" + ], + "technology": [ + "jwt" + ] + }, + "patterns": [ + { + "pattern-inside": "$JWT = require('jsonwebtoken');\n...\n" + }, + { + "pattern-not-inside": "...\n$JWT.verify($TOKEN, ...)\n...\n" + }, + { + "pattern-not-inside": "...\nif (<... $JWT.verify($TOKEN, ...) ...>) { ... }\n...\n" + }, + { + "pattern": "$JWT.decode($TOKEN, ...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jsonwebtoken.security.audit.jwt-exposed-data", + "languages": [ + "js", + "ts" + ], + "message": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.", + "metadata": { + "asvs": { + "control_id": "3.5.3 Insecue Stateless Session Tokens", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management", + "section": "V3: Session Management Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "audit" + ], + "technology": [ + "jwt" + ] + }, + "patterns": [ + { + "pattern-inside": "$JWT = require('jsonwebtoken');\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "function (...,$INPUT,...) {...}" + }, + { + "pattern-inside": "function $F(...,$INPUT,...) {...}" + } + ] + }, + { + "pattern": "$JWT.sign($INPUT,...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.jwt-simple.security.jwt-simple-noverify", + "languages": [ + "js", + "ts" + ], + "message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-287: Improper Authentication", + "CWE-345: Insufficient Verification of Data Authenticity", + "CWE-347: Improper Verification of Cryptographic Signature" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2021 - Security Misconfiguration", + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://www.npmjs.com/package/jwt-simple", + "https://cwe.mitre.org/data/definitions/287", + "https://cwe.mitre.org/data/definitions/345", + "https://cwe.mitre.org/data/definitions/347" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "jwt-simple", + "jwt" + ] + }, + "patterns": [ + { + "pattern-inside": "$JWT = require('jwt-simple');\n...\n" + }, + { + "pattern": "$JWT.decode($TOKEN, $SECRET, $NOVERIFY, ...)" + }, + { + "metavariable-pattern": { + "metavariable": "$NOVERIFY", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "true\n" + }, + { + "pattern": "\"...\"\n" + } + ] + } + ] + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-buffer-noassert", + "languages": [ + "js", + "ts" + ], + "message": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://cwe.mitre.org/data/definitions/119.html" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js", + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "patterns": [ + { + "pattern": "$OBJ.$API(..., true)" + }, + { + "metavariable-regex": { + "metavariable": "$API", + "regex": "(read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-child-process", + "languages": [ + "js", + "ts" + ], + "message": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. ", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js", + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$CP = require('child_process')\n...\n" + }, + { + "pattern-inside": "import * as $CP from 'child_process'\n...\n" + }, + { + "pattern-inside": "import $CP from 'child_process'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$CP.exec($CMD,...)" + }, + { + "pattern": "$CP.execSync($CMD,...)" + }, + { + "pattern": "$CP.spawn($CMD,...)" + }, + { + "pattern": "$CP.spawnSync($CMD,...)" + } + ] + }, + { + "pattern-not-inside": "$CP.$EXEC(\"...\",...)" + }, + { + "pattern-not-inside": "$CP.$EXEC([\"...\",...],...)" + }, + { + "pattern-not-inside": "$CMD = \"...\"\n...\n" + }, + { + "pattern-not-inside": "$CMD = [\"...\",...]\n...\n" + }, + { + "focus-metavariable": "$CMD" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "child_process.exec($CMD,...)" + }, + { + "pattern": "child_process.execSync($CMD,...)" + }, + { + "pattern": "child_process.spawn($CMD,...)" + }, + { + "pattern": "child_process.spawnSync($CMD,...)" + } + ] + }, + { + "pattern-not-inside": "child_process.$EXEC(\"...\",...)" + }, + { + "pattern-not-inside": "child_process.$EXEC([\"...\",...],...)" + }, + { + "pattern-not-inside": "$CMD = \"...\"\n...\n" + }, + { + "pattern-not-inside": "$CMD = [\"...\",...]\n...\n" + }, + { + "focus-metavariable": "$CMD" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n" + }, + { + "focus-metavariable": "$FUNC" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-disable-mustache-escape", + "languages": [ + "js", + "ts" + ], + "message": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js", + "subcategory": [ + "audit" + ], + "technology": [ + "mustache" + ] + }, + "pattern": "$OBJ.escapeMarkup = false", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-eval-with-expression", + "languages": [ + "js", + "ts" + ], + "message": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js", + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "location.href = $FUNC(...)" + }, + { + "pattern": "location.hash = $FUNC(...)" + }, + { + "pattern": "location.search = $FUNC(...)" + }, + { + "pattern": "$WINDOW. ... .location.href = $FUNC(...)" + }, + { + "pattern": "$WINDOW. ... .location.hash = $FUNC(...)" + }, + { + "pattern": "$WINDOW. ... .location.search = $FUNC(...)" + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "eval(<... $SINK ...>)" + }, + { + "pattern": "window.eval(<... $SINK ...>)" + }, + { + "pattern": "new Function(<... $SINK ...>)" + }, + { + "pattern": "new Function(<... $SINK ...>)(...)" + }, + { + "pattern": "setTimeout(<... $SINK ...>,...)" + }, + { + "pattern": "setInterval(<... $SINK ...>,...)" + } + ] + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')\n ...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams(location.search).get('...')\n ...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')\n ...\n" + }, + { + "pattern-inside": "$PROP = new URLSearchParams(location.hash.substring(1)).get('...')\n ...\n" + } + ] + }, + { + "focus-metavariable": "$PROP" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.search)\n ...\n" + }, + { + "pattern-inside": "$PROPS = new URLSearchParams(location.search)\n ...\n" + }, + { + "pattern-inside": "$PROPS = new\nURLSearchParams($WINDOW. ... .location.hash.substring(1))\n ...\n" + }, + { + "pattern-inside": "$PROPS = new URLSearchParams(location.hash.substring(1))\n...\n" + } + ] + }, + { + "pattern": "$PROPS.get('...')" + }, + { + "focus-metavariable": "$PROPS" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "location.href" + }, + { + "pattern": "location.hash" + }, + { + "pattern": "location.search" + }, + { + "pattern": "$WINDOW. ... .location.href" + }, + { + "pattern": "$WINDOW. ... .location.hash" + }, + { + "pattern": "$WINDOW. ... .location.search" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-insecure-websocket", + "languages": [ + "regex" + ], + "message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.", + "metadata": { + "asvs": { + "control_id": "13.5.1 Insecure WebSocket", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements", + "section": "V13: API and Web Service Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "regex" + ] + }, + "patterns": [ + { + "pattern-regex": "\\bws:\\/\\/" + }, + { + "pattern-not-inside": "\\bws:\\/\\/localhost.*" + }, + { + "pattern-not-inside": "\\bws:\\/\\/127.0.0.1.*" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-no-csrf-before-method-override", + "languages": [ + "js", + "ts" + ], + "message": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control", + "A05:2017 - Broken Access Control" + ], + "references": [ + "https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js", + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "pattern": "express.csrf();\n...\nexpress.methodOverride();\n", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.detect-pseudoRandomBytes", + "languages": [ + "js", + "ts" + ], + "message": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.", + "metadata": { + "asvs": { + "control_id": "6.3.1 Insecure Randomness", + "control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values", + "section": "V6: Stored Cryptography Verification Requirements", + "version": "4" + }, + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js", + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "pattern": "crypto.pseudoRandomBytes", + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.html-in-template-string", + "languages": [ + "js", + "ts" + ], + "message": "This template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "`$HTML${$VAR}...`\n" + }, + { + "pattern": "`...${$VAR}$HTML`\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTML", + "regex": ".*&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "git" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "spawn('git', ['clone',...,$F])" + }, + { + "pattern": "$X.spawn('git', ['clone',...,$F])" + }, + { + "pattern": "spawn('git', ['clone',...,$P,$F])" + }, + { + "pattern": "$X.spawn('git', ['clone',...,$P,$F])" + } + ] + }, + { + "pattern-not": "spawn('git', ['clone',...,\"...\"])" + }, + { + "pattern-not": "$X.spawn('git', ['clone',...,\"...\"])" + }, + { + "pattern-not": "spawn('git', ['clone',...,\"...\",\"...\"])" + }, + { + "pattern-not": "$X.spawn('git', ['clone',...,\"...\",\"...\"])" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.code-string-concat", + "languages": [ + "js", + "ts" + ], + "message": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "interfile": true, + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval", + "https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback", + "https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/", + "https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "node.js", + "Express", + "Next.js" + ] + }, + "mode": "taint", + "options": { + "interfile": true + }, + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "eval(...)\n" + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ... ($REQ, $RES) {...}" + }, + { + "pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})" + }, + { + "pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "^(get|post|put|head|delete|options)$" + } + } + ] + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$REQ.query" + }, + { + "pattern": "$REQ.body" + }, + { + "pattern": "$REQ.params" + }, + { + "pattern": "$REQ.cookies" + }, + { + "pattern": "$REQ.headers" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import { ...,$IMPORT,... } from 'next/router'\n...\n" + }, + { + "pattern-inside": "import $IMPORT from 'next/router';\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$ROUTER = $IMPORT()\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "const { ...,$PROPS,... } = $ROUTER.query\n...\n" + }, + { + "pattern-inside": "var { ...,$PROPS,... } = $ROUTER.query\n...\n" + }, + { + "pattern-inside": "let { ...,$PROPS,... } = $ROUTER.query\n...\n" + } + ] + }, + { + "focus-metavariable": "$PROPS" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$ROUTER = $IMPORT()\n...\n" + }, + { + "pattern": "$ROUTER.query.$VALUE \n" + } + ] + }, + { + "patterns": [ + { + "pattern": "$IMPORT().query.$VALUE" + } + ] + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.dangerous-spawn-shell", + "languages": [ + "js", + "ts" + ], + "message": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js", + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "require('child_process')\n...\n" + }, + { + "pattern-inside": "import 'child_process'\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "spawn(...)" + }, + { + "pattern": "spawnSync(...)" + }, + { + "pattern": "$CP.spawn(...)" + }, + { + "pattern": "$CP.spawnSync(...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$EXEC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",[\"-c\", $ARG, ...],...)\n" + }, + { + "patterns": [ + { + "pattern": "$EXEC($CMD,[\"-c\", $ARG, ...],...)" + }, + { + "pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\"\n...\n" + } + ] + }, + { + "pattern": "$EXEC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",[$ARG, ...],...)\n" + }, + { + "patterns": [ + { + "pattern": "$EXEC($CMD,[$ARG, ...],...)" + }, + { + "pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\"\n...\n" + } + ] + } + ] + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n" + }, + { + "focus-metavariable": "$FUNC" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-fs-filename", + "languages": [ + "js", + "ts" + ], + "message": "Detected that function argument `$ARG` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-community/attacks/Path_Traversal" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-fs-filename.js", + "subcategory": [ + "vuln" + ], + "technology": [ + "typescript" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$FS = require('fs')\n...\n" + }, + { + "pattern-inside": "$FS = require('fs/promises')\n...\n" + }, + { + "pattern-inside": "import * as $FS from 'fs'\n...\n" + }, + { + "pattern-inside": "import $FS from 'fs'\n...\n" + }, + { + "pattern-inside": "import * as $FS from 'fs/promises'\n...\n" + }, + { + "pattern-inside": "import $FS from 'fs/promises'\n...\n" + } + ] + }, + { + "pattern-not": "$FS. ... .$METHOD(\"...\", ...)" + }, + { + "pattern-either": [ + { + "pattern": "$FS. ... .access($FILE,...)" + }, + { + "pattern": "$FS. ... .appendFile($FILE,...)" + }, + { + "pattern": "$FS. ... .chmod($FILE,...)" + }, + { + "pattern": "$FS. ... .chown($FILE,...)" + }, + { + "pattern": "$FS. ... .close($FILE,...)" + }, + { + "pattern": "$FS. ... .copyFile($FILE,...)" + }, + { + "pattern": "$FS. ... .copyFile($SMTH, $FILE,...)" + }, + { + "pattern": "$FS. ... .cp($FILE, ...)" + }, + { + "pattern": "$FS. ... .cp($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .createReadStream($FILE,...)" + }, + { + "pattern": "$FS. ... .createWriteStream($FILE,...)" + }, + { + "pattern": "$FS. ... .exists($FILE, ...)" + }, + { + "pattern": "$FS. ... .fchmod($FILE, ...)" + }, + { + "pattern": "$FS. ... .fchown($FILE, ...)" + }, + { + "pattern": "$FS. ... .fdatasync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fstat($FILE, ...)" + }, + { + "pattern": "$FS. ... .fsync($FILE, ...)" + }, + { + "pattern": "$FS. ... .ftruncate($FILE, ...)" + }, + { + "pattern": "$FS. ... .futimes($FILE, ...)" + }, + { + "pattern": "$FS. ... .lchmod($FILE, ...)" + }, + { + "pattern": "$FS. ... .lchown($FILE, ...)" + }, + { + "pattern": "$FS. ... .lutimes($FILE, ...)" + }, + { + "pattern": "$FS. ... .link($FILE, ...)" + }, + { + "pattern": "$FS. ... .link($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .lstat($FILE, ...)" + }, + { + "pattern": "$FS. ... .mkdir($FILE, ...)" + }, + { + "pattern": "$FS. ... .mkdtemp($FILE, ...)" + }, + { + "pattern": "$FS. ... .open($FILE, ...)" + }, + { + "pattern": "$FS. ... .opendir($FILE, ...)" + }, + { + "pattern": "$FS. ... .read($FILE, ...)" + }, + { + "pattern": "$FS. ... .read($FILE, ...)" + }, + { + "pattern": "$FS. ... .readdir($FILE, ...)" + }, + { + "pattern": "$FS. ... .readFile($FILE, ...)" + }, + { + "pattern": "$FS. ... .readlink($FILE, ...)" + }, + { + "pattern": "$FS. ... .readv($FILE, ...)" + }, + { + "pattern": "$FS. ... .realpath($FILE, ...)" + }, + { + "pattern": "$FS. ... .realpath.native($FILE, ...)" + }, + { + "pattern": "$FS. ... .rename($FILE, ...)" + }, + { + "pattern": "$FS. ... .rename($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .rmdir($FILE, ...)" + }, + { + "pattern": "$FS. ... .rm($FILE, ...)" + }, + { + "pattern": "$FS. ... .stat($FILE, ...)" + }, + { + "pattern": "$FS. ... .symlink($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .symlink($FILE, ...)" + }, + { + "pattern": "$FS. ... .truncate($FILE, ...)" + }, + { + "pattern": "$FS. ... .unlink($FILE, ...)" + }, + { + "pattern": "$FS. ... .unwatchFile($FILE, ...)" + }, + { + "pattern": "$FS. ... .utimes($FILE, ...)" + }, + { + "pattern": "$FS. ... .watch($FILE, ...)" + }, + { + "pattern": "$FS. ... .watchFile($FILE, ...)" + }, + { + "pattern": "$FS. ... .write($FILE, ...)" + }, + { + "pattern": "$FS. ... .writeFile($FILE, ...)" + }, + { + "pattern": "$FS. ... .writev($FILE, ...)" + }, + { + "pattern": "$FS. ... .accessSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .appendFileSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .chmodSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .chownSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .closeSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .copyFileSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .copyFileSync($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .cpSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .cpSync($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .existsSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fchmodSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fchownSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fdatasyncSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fstatSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .fsyncSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .ftruncateSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .futimesSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .lchmodSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .lchownSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .lutimesSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .linkSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .linkSync($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .lstatSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .mkdirSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .mkdtempSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .opendirSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .openSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readdirSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readFileSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readlinkSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .readvSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .realpathync($FILE, ...)" + }, + { + "pattern": "$FS. ... .realpathSync.native($FILE, ...)" + }, + { + "pattern": "$FS. ... .renameSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .renameSync($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .rmdirSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .rmSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .statSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .symlinkSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .symlinkSync($SMTH, $FILE, ...)" + }, + { + "pattern": "$FS. ... .truncateSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .unlinkSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .utimesSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .writeFileSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .writeSync($FILE, ...)" + }, + { + "pattern": "$FS. ... .writevSync($FILE, ...)" + } + ] + }, + { + "focus-metavariable": "$FILE" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import 'fs'\n...\n" + }, + { + "pattern-inside": "import 'fs/promises'\n...\n" + } + ] + }, + { + "pattern-not": "$METHOD(\"...\", ...)" + }, + { + "pattern-either": [ + { + "pattern": "access($FILE,...)" + }, + { + "pattern": "appendFile($FILE,...)" + }, + { + "pattern": "chmod($FILE,...)" + }, + { + "pattern": "chown($FILE,...)" + }, + { + "pattern": "close($FILE,...)" + }, + { + "pattern": "copyFile($FILE,...)" + }, + { + "pattern": "copyFile($SMTH, $FILE,...)" + }, + { + "pattern": "cp($FILE, ...)" + }, + { + "pattern": "cp($SMTH, $FILE, ...)" + }, + { + "pattern": "createReadStream($FILE,...)" + }, + { + "pattern": "createWriteStream($FILE,...)" + }, + { + "pattern": "exists($FILE, ...)" + }, + { + "pattern": "fchmod($FILE, ...)" + }, + { + "pattern": "fchown($FILE, ...)" + }, + { + "pattern": "fdatasync($FILE, ...)" + }, + { + "pattern": "fstat($FILE, ...)" + }, + { + "pattern": "fsync($FILE, ...)" + }, + { + "pattern": "ftruncate($FILE, ...)" + }, + { + "pattern": "futimes($FILE, ...)" + }, + { + "pattern": "lchmod($FILE, ...)" + }, + { + "pattern": "lchown($FILE, ...)" + }, + { + "pattern": "lutimes($FILE, ...)" + }, + { + "pattern": "link($FILE, ...)" + }, + { + "pattern": "link($SMTH, $FILE, ...)" + }, + { + "pattern": "lstat($FILE, ...)" + }, + { + "pattern": "mkdir($FILE, ...)" + }, + { + "pattern": "mkdtemp($FILE, ...)" + }, + { + "pattern": "open($FILE, ...)" + }, + { + "pattern": "opendir($FILE, ...)" + }, + { + "pattern": "read($FILE, ...)" + }, + { + "pattern": "read($FILE, ...)" + }, + { + "pattern": "readdir($FILE, ...)" + }, + { + "pattern": "readFile($FILE, ...)" + }, + { + "pattern": "readlink($FILE, ...)" + }, + { + "pattern": "readv($FILE, ...)" + }, + { + "pattern": "realpath($FILE, ...)" + }, + { + "pattern": "realpath.native($FILE, ...)" + }, + { + "pattern": "rename($FILE, ...)" + }, + { + "pattern": "rename($SMTH, $FILE, ...)" + }, + { + "pattern": "rmdir($FILE, ...)" + }, + { + "pattern": "rm($FILE, ...)" + }, + { + "pattern": "stat($FILE, ...)" + }, + { + "pattern": "symlink($SMTH, $FILE, ...)" + }, + { + "pattern": "symlink($FILE, ...)" + }, + { + "pattern": "truncate($FILE, ...)" + }, + { + "pattern": "unlink($FILE, ...)" + }, + { + "pattern": "unwatchFile($FILE, ...)" + }, + { + "pattern": "utimes($FILE, ...)" + }, + { + "pattern": "watch($FILE, ...)" + }, + { + "pattern": "watchFile($FILE, ...)" + }, + { + "pattern": "write($FILE, ...)" + }, + { + "pattern": "writeFile($FILE, ...)" + }, + { + "pattern": "writev($FILE, ...)" + }, + { + "pattern": "accessSync($FILE, ...)" + }, + { + "pattern": "appendFileSync($FILE, ...)" + }, + { + "pattern": "chmodSync($FILE, ...)" + }, + { + "pattern": "chownSync($FILE, ...)" + }, + { + "pattern": "closeSync($FILE, ...)" + }, + { + "pattern": "copyFileSync($FILE, ...)" + }, + { + "pattern": "copyFileSync($SMTH, $FILE, ...)" + }, + { + "pattern": "cpSync($FILE, ...)" + }, + { + "pattern": "cpSync($SMTH, $FILE, ...)" + }, + { + "pattern": "existsSync($FILE, ...)" + }, + { + "pattern": "fchmodSync($FILE, ...)" + }, + { + "pattern": "fchownSync($FILE, ...)" + }, + { + "pattern": "fdatasyncSync($FILE, ...)" + }, + { + "pattern": "fstatSync($FILE, ...)" + }, + { + "pattern": "fsyncSync($FILE, ...)" + }, + { + "pattern": "ftruncateSync($FILE, ...)" + }, + { + "pattern": "futimesSync($FILE, ...)" + }, + { + "pattern": "lchmodSync($FILE, ...)" + }, + { + "pattern": "lchownSync($FILE, ...)" + }, + { + "pattern": "lutimesSync($FILE, ...)" + }, + { + "pattern": "linkSync($FILE, ...)" + }, + { + "pattern": "linkSync($SMTH, $FILE, ...)" + }, + { + "pattern": "lstatSync($FILE, ...)" + }, + { + "pattern": "mkdirSync($FILE, ...)" + }, + { + "pattern": "mkdtempSync($FILE, ...)" + }, + { + "pattern": "opendirSync($FILE, ...)" + }, + { + "pattern": "openSync($FILE, ...)" + }, + { + "pattern": "readdirSync($FILE, ...)" + }, + { + "pattern": "readFileSync($FILE, ...)" + }, + { + "pattern": "readlinkSync($FILE, ...)" + }, + { + "pattern": "readSync($FILE, ...)" + }, + { + "pattern": "readSync($FILE, ...)" + }, + { + "pattern": "readvSync($FILE, ...)" + }, + { + "pattern": "realpathync($FILE, ...)" + }, + { + "pattern": "realpathSync.native($FILE, ...)" + }, + { + "pattern": "renameSync($FILE, ...)" + }, + { + "pattern": "renameSync($SMTH, $FILE, ...)" + }, + { + "pattern": "rmdirSync($FILE, ...)" + }, + { + "pattern": "rmSync($FILE, ...)" + }, + { + "pattern": "statSync($FILE, ...)" + }, + { + "pattern": "symlinkSync($FILE, ...)" + }, + { + "pattern": "symlinkSync($SMTH, $FILE, ...)" + }, + { + "pattern": "truncateSync($FILE, ...)" + }, + { + "pattern": "unlinkSync($FILE, ...)" + }, + { + "pattern": "utimesSync($FILE, ...)" + }, + { + "pattern": "writeFileSync($FILE, ...)" + }, + { + "pattern": "writeSync($FILE, ...)" + }, + { + "pattern": "writevSync($FILE, ...)" + } + ] + }, + { + "focus-metavariable": "$FILE" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (..., $ARG,...) {...}" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-regexp", + "languages": [ + "js", + "ts" + ], + "message": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1333: Inefficient Regular Expression Complexity" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2021 - Security Misconfiguration", + "A06:2017 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js", + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new RegExp($ARG, ...)" + }, + { + "pattern": "RegExp($ARG, ...)" + } + ] + }, + { + "pattern-not": "RegExp(\"...\", ...)" + }, + { + "pattern-not": "new RegExp(\"...\", ...)" + }, + { + "pattern-not": "RegExp(/.../, ...)" + }, + { + "pattern-not": "new RegExp(/.../, ...)" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (...,$ARG,...) {...}\n" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-require", + "languages": [ + "js", + "ts" + ], + "message": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js" + ], + "source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js", + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "require(...)" + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-inside": "function ... (..., $ARG,...) {...}" + }, + { + "focus-metavariable": "$ARG" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.detect-redos", + "languages": [ + "js", + "ts" + ], + "message": "Detected the use of a regular expression `$REDOS` which appears to be vulnerable to a Regular expression Denial-of-Service (ReDoS). For this reason, it is recommended to review the regex and ensure it is not vulnerable to catastrophic backtracking, and if possible use a library which offers default safety against ReDoS vulnerabilities.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1333: Inefficient Regular Expression Complexity" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2021 - Security Misconfiguration", + "A06:2017 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.regular-expressions.info/redos.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "javascript" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "new RegExp(/$REDOS/,...)\n" + }, + { + "pattern": "new RegExp(\"$REDOS\",...)\n" + }, + { + "pattern": "/$REDOS/.test(...)\n" + }, + { + "pattern": "\"$REDOS\".test(...)\n" + }, + { + "pattern": "$X.match(/$REDOS/)\n" + }, + { + "pattern": "$X.match(\"$REDOS\")\n" + } + ] + }, + { + "metavariable-analysis": { + "analyzer": "redos", + "metavariable": "$REDOS" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.hardcoded-hmac-key", + "languages": [ + "js", + "ts" + ], + "message": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-798: Use of Hard-coded Credentials" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "interfile": true, + "likelihood": "LOW", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://rules.sonarsource.com/javascript/RSPEC-2068", + "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "crypto", + "hmac" + ] + }, + "options": { + "interfile": true + }, + "pattern-either": [ + { + "pattern": "$CRYPTO.createHmac($ALGO, '...')" + }, + { + "patterns": [ + { + "pattern-inside": "const $SECRET = '...'\n...\n" + }, + { + "pattern": "$CRYPTO.createHmac($ALGO, $SECRET)" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.incomplete-sanitization", + "languages": [ + "js", + "ts" + ], + "message": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-116: Improper Encoding or Escaping of Output" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "patterns": [ + { + "pattern": "$STR.replace(($CHAR: string), ...)\n" + }, + { + "metavariable-regex": { + "metavariable": "$CHAR", + "regex": "^[\\\"\\']([\\'\\\"\\<\\>\\*\\|\\{\\}\\[\\]\\%\\$]{1}|\\\\n|\\\\r|\\\\t|\\\\&)[\\\"\\']$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.md5-used-as-password", + "languages": [ + "js", + "ts" + ], + "message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html", + "https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords", + "https://github.com/returntocorp/semgrep-rules/issues/1609", + "https://www.npmjs.com/package/bcrypt" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "crypto", + "md5" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$FUNCTION(...);" + }, + { + "metavariable-regex": { + "metavariable": "$FUNCTION", + "regex": "(?i)(.*password.*)" + } + } + ] + } + ], + "pattern-sources": [ + { + "pattern": "$CRYPTO.createHash(\"md5\")" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.spawn-shell-true", + "languages": [ + "js", + "ts" + ], + "message": "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "spawn(...,{shell: $SHELL})\n" + }, + { + "pattern": "spawnSync(...,{shell: $SHELL})\n" + }, + { + "pattern": "$CP.spawn(...,{shell: $SHELL})\n" + }, + { + "pattern": "$CP.spawnSync(...,{shell: $SHELL})\n" + } + ] + }, + { + "pattern-not": "spawn(...,{shell: false})\n" + }, + { + "pattern-not": "spawnSync(...,{shell: false})\n" + }, + { + "pattern-not": "$CP.spawn(...,{shell: false})\n" + }, + { + "pattern-not": "$CP.spawnSync(...,{shell: false})\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.javascript.lang.security.audit.unknown-value-with-script-tag", + "languages": [ + "js", + "ts" + ], + "message": "Cannot determine what '$UNK' is and it is used with a '" + }, + { + "pattern-not": "<%= j ... >" + }, + { + "pattern-not": "<%= escape_javascript ... >" + }, + { + "pattern": "<%= ... >" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.audit.xxe.libxml-backend", + "languages": [ + "ruby" + ], + "message": "This application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/", + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "rails", + "libxml" + ] + }, + "pattern": "ActiveSupport::XmlMini.backend = \"LibXML\"", + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.audit.xxe.xml-external-entities-enabled", + "languages": [ + "ruby" + ], + "message": "This application is explicitly enabling external entities enabling an attacker to inject malicious XML to exploit an XML External Entities (XXE) vulnerability. This could let the attacker cause a denial-of-service by forcing the parser to parse large files, or at worst, let the attacker download sensitive files or user data. Use the built-in Rails XML parser, REXML, instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/", + "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "rails", + "libxml" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "LibXML::XML.class_eval do\n ...\nend\n" + }, + { + "pattern-inside": "XML.class_eval do\n ...\nend\n" + } + ] + }, + { + "pattern": "XML.default_substitute_entities = true" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-before-filter", + "languages": [ + "ruby" + ], + "message": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-284: Improper Access Control" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_skip_before_filter.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "search", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "skip_filter ..., :except => $ARGS\n" + }, + { + "pattern": "skip_before_filter ..., :except => $ARGS\n" + }, + { + "pattern": "skip_before_action ..., :except => $ARGS\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-cookie-store-session-security-attributes", + "languages": [ + "ruby" + ], + "message": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb", + "subcategory": [ + "audit" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": ":$KEY => false\n" + }, + { + "pattern-inside": "ActionController::Base.session = {...}\n" + } + ] + }, + { + "pattern": "$MODULE::Application.config.session_store :cookie_store, ..., :$KEY => false, ...\n" + }, + { + "pattern": "$CLASS.application.config.session_store :cookie_store, ..., $KEY: false, ...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$KEY", + "regex": "^(session_)?(http_?only|secure)$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-dynamic-render-local-file-include", + "languages": [ + "generic" + ], + "message": "Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion", + "https://github.com/presidentbeef/brakeman/blob/f74cb53ead47f0af821d98b5b41e16d63100c240/test/apps/rails2/app/views/home/test_render.html.erb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "search", + "paths": { + "include": [ + "*.erb" + ] + }, + "patterns": [ + { + "pattern": "params[...]\n" + }, + { + "pattern-inside": "render :file => ...\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-http-verb-confusion", + "languages": [ + "ruby" + ], + "message": "Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-650: Trusting HTTP Permission Methods on the Server Side" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_verb_confusion.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "search", + "patterns": [ + { + "pattern": "if request.get?\n ...\nelse\n ...\nend\n" + }, + { + "pattern-not-inside": "if ...\nelsif ...\n ...\nend\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-permit-attributes-high", + "languages": [ + "ruby" + ], + "message": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb", + "subcategory": [ + "audit" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "patterns": [ + { + "pattern": "$P.permit($ATTRIBUTE)" + }, + { + "metavariable-regex": { + "metavariable": "$ATTRIBUTE", + "regex": ".*(admin|account_id).*" + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-permit-attributes-medium", + "languages": [ + "ruby" + ], + "message": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A08:2021 - Software and Data Integrity Failures" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb", + "subcategory": [ + "audit" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "patterns": [ + { + "pattern": "$P.permit($ATTRIBUTE)" + }, + { + "metavariable-regex": { + "metavariable": "$ATTRIBUTE", + "regex": ".*(role|banned).*" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-rails-secret-yaml", + "languages": [ + "yaml" + ], + "message": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-540: Inclusion of Sensitive Information in Source Code" + ], + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb", + "subcategory": [ + "audit" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "paths": { + "include": [ + "*secrets.*.yml", + "*secrets.*.yaml" + ] + }, + "patterns": [ + { + "pattern": "secret_key_base: $VALUE\n" + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$VALUE", + "patterns": [ + { + "pattern-not": "<%= ... %>\n" + } + ] + } + }, + { + "pattern-inside": "production:\n ...\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-rails-session-secret-handling", + "languages": [ + "ruby" + ], + "message": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-540: Inclusion of Sensitive Information in Source Code" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes", + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb", + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": ":$KEY => \"$LITERAL\"\n" + }, + { + "pattern-inside": "ActionController::Base.session = {...}\n" + } + ] + }, + { + "pattern": "$RAILS::Application.config.$KEY = \"$LITERAL\"\n" + }, + { + "pattern": "Rails.application.config.$KEY = \"$LITERAL\"\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$KEY", + "regex": "^secret(_(token|key_base))?$" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-redirect-to", + "languages": [ + "ruby" + ], + "message": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_redirect.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$F(...)\n" + }, + { + "metavariable-pattern": { + "metavariable": "$F", + "patterns": [ + { + "pattern-not-regex": "(params|url_for|cookies|request.env|permit|redirect_to)" + } + ] + } + } + ] + }, + { + "pattern": "params.merge! :only_path => true\n...\n" + }, + { + "pattern": "params.slice(...)\n...\n" + }, + { + "pattern": "redirect_to [...]\n" + }, + { + "patterns": [ + { + "pattern": "$MODEL. ... .$M(...)\n...\n" + }, + { + "metavariable-regex": { + "metavariable": "$MODEL", + "regex": "[A-Z]\\w+" + } + }, + { + "metavariable-regex": { + "metavariable": "$M", + "regex": "(all|create|find|find_by|find_by_sql|first|last|new|from|group|having|joins|lock|order|reorder|select|where|take)" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "params.$UNSAFE_HASH.merge(...,:only_path => true,...)\n...\n" + }, + { + "metavariable-regex": { + "metavariable": "$UNSAFE_HASH", + "regex": "to_unsafe_h(ash)?" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "params.permit(...,$X,...)" + }, + { + "metavariable-pattern": { + "metavariable": "$X", + "patterns": [ + { + "pattern-not-regex": "(host|port|(sub)?domain)" + } + ] + } + } + ] + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-inside": "redirect_to $X, ...\n" + }, + { + "pattern-not-regex": "params\\.\\w+(? false,...)" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-regex-dos", + "languages": [ + "ruby" + ], + "message": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1333: Inefficient Regular Expression Complexity" + ], + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A03:2017 - Sensitive Data Exposure" + ], + "references": [ + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$Y" + }, + { + "pattern-inside": "/...#{...}.../\n" + } + ] + }, + { + "patterns": [ + { + "pattern": "$Y" + }, + { + "pattern-inside": "Regexp.new(...)\n" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + }, + { + "patterns": [ + { + "pattern": "$Y" + }, + { + "pattern-either": [ + { + "pattern-inside": "$RECORD.read_attribute($Y)\n" + }, + { + "pattern-inside": "$RECORD[$Y]\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$RECORD", + "regex": "[A-Z][a-z]+" + } + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-render-local-file-include", + "languages": [ + "ruby" + ], + "message": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion", + "https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ], + "vulnerability_class": [ + "Path Traversal" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern": "$MAP[...]" + }, + { + "metavariable-pattern": { + "metavariable": "$MAP", + "patterns": [ + { + "pattern-not-regex": "params" + } + ] + } + } + ] + }, + { + "pattern": "File.basename(...)" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "render ..., file: $X\n" + }, + { + "pattern": "render ..., inline: $X\n" + }, + { + "pattern": "render ..., template: $X\n" + }, + { + "pattern": "render ..., action: $X\n" + }, + { + "pattern": "render $X, ...\n" + } + ] + }, + { + "focus-metavariable": "$X" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "params[...]" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-reverse-tabnabbing", + "languages": [ + "generic" + ], + "message": "Setting an anchor target of `_blank` without the `noopener` or `noreferrer` attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-1022: Use of Web Link to Untrusted Target with window.opener Access" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility", + "https://github.com/presidentbeef/brakeman/blob/3f5d5d5/test/apps/rails5/app/views/users/show.html.erb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_reverse_tabnabbing.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "search", + "paths": { + "include": [ + "*.erb" + ] + }, + "patterns": [ + { + "pattern": "_blank\n" + }, + { + "pattern-inside": "target: ...\n" + }, + { + "pattern-not-inside": "<%= ... rel: 'noopener noreferrer' ...%>\n" + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "<%= $...INLINERUBYDO do -%>\n...\n<% end %>\n" + }, + { + "metavariable-pattern": { + "language": "ruby", + "metavariable": "$...INLINERUBYDO", + "patterns": [ + { + "pattern": "link_to ...\n" + }, + { + "pattern-not": "link_to \"...\", \"...\", ...\n" + } + ] + } + } + ] + }, + { + "patterns": [ + { + "pattern-not-inside": "<%= ... do - %>\n" + }, + { + "pattern-inside": "<%= $...INLINERUBY %>\n" + }, + { + "metavariable-pattern": { + "language": "ruby", + "metavariable": "$...INLINERUBY", + "patterns": [ + { + "pattern": "link_to ...\n" + }, + { + "pattern-not": "link_to '...', '...', ...\n" + }, + { + "pattern-not": "link_to '...', target: ...\n" + } + ] + } + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-secrets", + "languages": [ + "ruby" + ], + "message": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html", + "https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_secrets.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "patterns": [ + { + "pattern": "$VAR = \"$VALUE\"" + }, + { + "metavariable-regex": { + "metavariable": "$VAR", + "regex": "(?i)password|secret|(rest_auth_site|api)_key$" + } + }, + { + "metavariable-regex": { + "metavariable": "$VALUE", + "regex": ".+" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-send-file", + "languages": [ + "ruby" + ], + "message": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-73: External Control of File Name or Path" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/www-community/attacks/Path_Traversal", + "https://owasp.org/Top10/A01_2021-Broken_Access_Control/" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send_file.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "send_file ...\n" + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-sql", + "languages": [ + "ruby" + ], + "message": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/www-community/attacks/SQL_Injection", + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_sql.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-either": [ + { + "pattern-inside": ":$KEY => $X\n" + }, + { + "pattern-inside": "[\"...\",$X,...]\n" + } + ] + } + ] + }, + { + "pattern": "params[...].to_i\n" + }, + { + "pattern": "params[...].to_f\n" + }, + { + "patterns": [ + { + "pattern": "params[...] ? $A : $B\n" + }, + { + "metavariable-pattern": { + "metavariable": "$A", + "patterns": [ + { + "pattern-not": "params[...]\n" + } + ] + } + }, + { + "metavariable-pattern": { + "metavariable": "$B", + "patterns": [ + { + "pattern-not": "params[...]\n" + } + ] + } + } + ] + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-not-inside": "$P.where(\"...\",...)\n" + }, + { + "pattern-not-inside": "$P.where(:$KEY => $VAL,...)\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "$P.$M(...)\n" + }, + { + "pattern-inside": "$P.$M(\"...\",...)\n" + } + ] + }, + { + "pattern-inside": "class $P < ActiveRecord::Base\n ...\nend\n" + }, + { + "metavariable-regex": { + "metavariable": "$M", + "regex": "(where|find|first|last|select|minimum|maximum|calculate|sum|average)" + } + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-unsafe-reflection-methods", + "languages": [ + "ruby" + ], + "message": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection_methods.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-either": [ + { + "pattern-inside": "$X. ... .to_proc\n" + }, + { + "patterns": [ + { + "pattern-inside": "$Y.method($Z)\n" + }, + { + "focus-metavariable": "$Z" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$Y.tap($Z)\n" + }, + { + "focus-metavariable": "$Z" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$Y.tap{ |$ANY| $Z }\n" + }, + { + "focus-metavariable": "$Z" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-unsafe-reflection", + "languages": [ + "ruby" + ], + "message": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$X" + }, + { + "pattern-either": [ + { + "pattern-inside": "$X.constantize\n" + }, + { + "pattern-inside": "$X. ... .safe_constantize\n" + }, + { + "pattern-inside": "const_get(...)\n" + }, + { + "pattern-inside": "qualified_const_get(...)\n" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-unscoped-find", + "languages": [ + "ruby" + ], + "message": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-639: Authorization Bypass Through User-Controlled Key" + ], + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://brakemanscanner.org/docs/warning_types/unscoped_find/", + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unscoped_find.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$MODEL.find(...)" + }, + { + "pattern": "$MODEL.find_by_id(...)" + }, + { + "pattern": "$MODEL.find_by_id!(...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$MODEL", + "regex": "[A-Z]\\S+" + } + } + ] + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern": "cookies[...]\n" + }, + { + "patterns": [ + { + "pattern": "cookies. ... .$PROPERTY[...]\n" + }, + { + "metavariable-regex": { + "metavariable": "$PROPERTY", + "regex": "(?!signed|encrypted)" + } + } + ] + }, + { + "pattern": "params[...]\n" + }, + { + "pattern": "request.env[...]\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.ruby.rails.security.brakeman.check-validation-regex", + "languages": [ + "ruby" + ], + "message": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-185: Incorrect Regular Expression" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://brakemanscanner.org/docs/warning_types/format_validation/", + "https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb", + "https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb" + ], + "source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_validation_regex.rb", + "subcategory": [ + "vuln" + ], + "technology": [ + "ruby", + "rails" + ] + }, + "mode": "search", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "validates ..., :format => <... $V ...>,...\n" + }, + { + "pattern": "validates_format_of ..., :with => <... $V ...>,...\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$V", + "regex": "/(.{2}(? $X,...)\n" + } + ] + }, + { + "focus-metavariable": "$X" + } + ] + }, + { + "patterns": [ + { + "pattern": "\"$SQLVERB#{$EXPR}...\"\n" + }, + { + "pattern-not-inside": "$FUNC(\"...\", \"...#{$EXPR}...\",...)\n" + }, + { + "focus-metavariable": "$SQLVERB" + }, + { + "pattern-regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Kernel::sprintf(\"$SQLSTR\", $EXPR)" + }, + { + "pattern": "\"$SQLSTR\" + $EXPR\n" + }, + { + "pattern": "\"$SQLSTR\" % $EXPR\n" + } + ] + }, + { + "pattern-not-inside": "$FUNC(\"...\", \"...#{$EXPR}...\",...)\n" + }, + { + "focus-metavariable": "$EXPR" + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "request" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.ruby.rails.security.injection.tainted-url-host", + "languages": [ + "ruby" + ], + "message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", + "https://github.com/arkadiyt/ssrf_filter" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "rails" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern": "SsrfFilter" + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$URLSTR\n" + }, + { + "pattern-regex": "\\w+:\\/\\/#{.*}" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Kernel::sprintf(\"$URLSTR\", ...)" + }, + { + "pattern": "\"$URLSTR\" + $EXPR\n" + }, + { + "pattern": "\"$URLSTR\" % $EXPR\n" + } + ] + }, + { + "metavariable-pattern": { + "language": "generic", + "metavariable": "$URLSTR", + "pattern": "$SCHEME:// ..." + } + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "params" + }, + { + "pattern": "request" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.rust.lang.security.args-os", + "languages": [ + "rust" + ], + "message": "args_os should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://doc.rust-lang.org/stable/std/env/fn.args_os.html" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern": "std::env::args_os()", + "severity": "INFO" + }, + { + "id": "vendored-rules.rust.lang.security.args", + "languages": [ + "rust" + ], + "message": "args should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://doc.rust-lang.org/stable/std/env/fn.args.html" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern": "std::env::args()", + "severity": "INFO" + }, + { + "id": "vendored-rules.rust.lang.security.current-exe", + "languages": [ + "rust" + ], + "message": "current_exe should not be used for security operations. From the docs: \"The output of this function should not be trusted for anything that might have security implications. Basically, if users can run the executable, they can change the output arbitrarily.\"", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://doc.rust-lang.org/stable/std/env/fn.current_exe.html#security" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern": "std::env::current_exe()", + "severity": "INFO" + }, + { + "id": "vendored-rules.rust.lang.security.insecure-hashes", + "languages": [ + "rust" + ], + "message": "Detected cryptographically insecure hashing function", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-328: Use of Weak Hash", + "impact": "MEDIUM", + "likelihood": "LOW", + "references": [ + "https://github.com/RustCrypto/hashes", + "https://docs.rs/md2/latest/md2/", + "https://docs.rs/md4/latest/md4/", + "https://docs.rs/md5/latest/md5/", + "https://docs.rs/sha-1/latest/sha1/" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern-either": [ + { + "pattern": "md2::Md2::new(...)" + }, + { + "pattern": "md4::Md4::new(...)" + }, + { + "pattern": "md5::Md5::new(...)" + }, + { + "pattern": "sha1::Sha1::new(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.rust.lang.security.reqwest-accept-invalid", + "languages": [ + "rust" + ], + "message": "Dangerously accepting invalid TLS information", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-295: Improper Certificate Validation", + "impact": "MEDIUM", + "likelihood": "LOW", + "references": [ + "https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames", + "https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs" + ], + "subcategory": "vuln", + "technology": [ + "reqwest" + ] + }, + "pattern-either": [ + { + "pattern": "reqwest::Client::builder(). ... .danger_accept_invalid_hostnames(true)" + }, + { + "pattern": "reqwest::Client::builder(). ... .danger_accept_invalid_certs(true)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.rust.lang.security.reqwest-set-sensitive", + "languages": [ + "rust" + ], + "message": "Set sensitive flag on security headers with 'set_sensitive' to treat data with special care", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-921: Storage of Sensitive Data in a Mechanism without Access Control", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://docs.rs/reqwest/latest/reqwest/header/struct.HeaderValue.html#method.set_sensitive" + ], + "subcategory": "audit", + "technology": [ + "reqwest" + ] + }, + "patterns": [ + { + "pattern": "let mut $HEADERS = header::HeaderMap::new();\n...\nlet $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>;\n...\n$HEADERS.insert($HEADER, $HEADER_VALUE);\n" + }, + { + "pattern-not": "let mut $HEADERS = header::HeaderMap::new();\n...\nlet $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>;\n...\n$HEADER_VALUE.set_sensitive(true);\n...\n$HEADERS.insert($HEADER, $HEADER_VALUE);\n" + }, + { + "metavariable-pattern": { + "metavariable": "$FROM_FUNC", + "pattern-either": [ + { + "pattern": "from_static" + }, + { + "pattern": "from_str" + }, + { + "pattern": "from_name" + }, + { + "pattern": "from_bytes" + }, + { + "pattern": "from_maybe_shared" + } + ] + } + }, + { + "metavariable-pattern": { + "metavariable": "$HEADER", + "pattern-either": [ + { + "pattern": "header::AUTHORIZATION" + }, + { + "pattern": "\"Authorization\"" + } + ] + } + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.rust.lang.security.rustls-dangerous", + "languages": [ + "rust" + ], + "message": "Dangerous client config used, ensure SSL verification", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-295: Improper Certificate Validation", + "impact": "MEDIUM", + "likelihood": "LOW", + "references": [ + "https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html", + "https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous" + ], + "subcategory": "vuln", + "technology": [ + "rustls" + ] + }, + "pattern-either": [ + { + "pattern": "rustls::client::DangerousClientConfig" + }, + { + "pattern": "$CLIENT.dangerous().set_certificate_verifier(...)" + }, + { + "pattern": "let $CLIENT = rustls::client::ClientConfig::dangerous(...);\n...\n$CLIENT.set_certificate_verifier(...);\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.rust.lang.security.ssl-verify-none", + "languages": [ + "rust" + ], + "message": "SSL verification disabled, this allows for MitM attacks", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-295: Improper Certificate Validation", + "impact": "MEDIUM", + "likelihood": "LOW", + "references": [ + "https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify" + ], + "subcategory": "vuln", + "technology": [ + "openssl" + ] + }, + "pattern": "$BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)", + "severity": "WARNING" + }, + { + "id": "vendored-rules.rust.lang.security.temp-dir", + "languages": [ + "rust" + ], + "message": "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in \u201cinsecure temporary file\u201d security vulnerabilities.'", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern": "std::env::temp_dir()", + "severity": "INFO" + }, + { + "id": "vendored-rules.rust.lang.security.unsafe-usage", + "languages": [ + "rust" + ], + "message": "Detected 'unsafe' usage, please audit for secure usage", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-242: Use of Inherently Dangerous Function", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://doc.rust-lang.org/std/keyword.unsafe.html" + ], + "subcategory": "audit", + "technology": [ + "rust" + ] + }, + "pattern": "unsafe { ... }", + "severity": "INFO" + }, + { + "id": "vendored-rules.scala.jwt-scala.security.jwt-scala-hardcode", + "languages": [ + "scala" + ], + "message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://jwt-scala.github.io/jwt-scala/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-inside": "import pdi.jwt.$DEPS\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$JWT.encode($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decode($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decodeRawAll($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decodeRaw($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decodeAll($X, \"...\", ...)" + }, + { + "pattern": "$JWT.validate($X, \"...\", ...)" + }, + { + "pattern": "$JWT.isValid($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decodeJson($X, \"...\", ...)" + }, + { + "pattern": "$JWT.decodeJsonAll($X, \"...\", ...)" + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$JWT.encode($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decode($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decodeRawAll($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decodeRaw($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decodeAll($X, $KEY, ...)" + }, + { + "pattern": "$JWT.validate($X, $KEY, ...)" + }, + { + "pattern": "$JWT.isValid($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decodeJson($X, $KEY, ...)" + }, + { + "pattern": "$JWT.decodeJsonAll($X, $KEY, ...)" + }, + { + "pattern": "$JWT.encode($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decode($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decodeRawAll($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decodeRaw($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decodeAll($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.validate($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.isValid($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decodeJson($X, this.$KEY, ...)" + }, + { + "pattern": "$JWT.decodeJsonAll($X, this.$KEY, ...)" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "class $CL {\n ...\n $KEY = \"...\"\n ...\n}\n" + }, + { + "pattern-inside": "object $CL {\n ...\n $KEY = \"...\"\n ...\n}\n" + } + ] + } + ] + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$JWT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Jwt" + }, + { + "pattern": "JwtArgonaut" + }, + { + "pattern": "JwtCirce" + }, + { + "pattern": "JwtJson4s" + }, + { + "pattern": "JwtJson" + }, + { + "pattern": "JwtUpickle" + } + ] + } + ] + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.dangerous-seq-run", + "languages": [ + "scala" + ], + "message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern": "Seq($CMD, ...)" + }, + { + "pattern-not": "Seq(\"...\", ...)" + }, + { + "pattern-inside": "import sys.process\n...\n" + }, + { + "pattern-not-inside": "$CMD = \"...\"\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "Seq(...).!" + }, + { + "pattern-inside": "Seq(...).!!" + }, + { + "pattern-inside": "Seq(...).lazyLines" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.lang.security.audit.dangerous-shell-run", + "languages": [ + "scala" + ], + "message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern": "Seq($SH, \"-c\", $CMD, ...)" + }, + { + "pattern-not": "Seq($SH, \"-c\", \"...\", ...)" + }, + { + "pattern-inside": "import sys.process\n...\n" + }, + { + "pattern-not-inside": "$CMD = \"...\"\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "Seq(...).!" + }, + { + "pattern-inside": "Seq(...).!!" + }, + { + "pattern-inside": "Seq(...).lazyLines" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SH", + "regex": "\"(sh|bash|ksh|csh|tcsh|zsh)\"" + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.lang.security.audit.dispatch-ssrf", + "languages": [ + "scala" + ], + "message": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", + "https://dispatchhttp.org/Dispatch.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "dispatch" + ] + }, + "patterns": [ + { + "pattern": "url($URL)" + }, + { + "pattern-inside": "import dispatch._\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.documentbuilder-dtd-enabled", + "languages": [ + "scala" + ], + "message": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration" + ], + "source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", + "subcategory": [ + "vuln" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$DF = DocumentBuilderFactory.newInstance(...)\n...\n$DB = $DF.newDocumentBuilder(...)\n" + }, + { + "patterns": [ + { + "pattern": "$DB = DocumentBuilderFactory.newInstance(...)" + }, + { + "pattern-not-inside": "...\n$X = $DB.newDocumentBuilder(...)\n" + } + ] + }, + { + "pattern": "$DB = DocumentBuilderFactory.newInstance(...).newDocumentBuilder(...)" + } + ] + }, + { + "pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.insecure-random", + "languages": [ + "scala" + ], + "message": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-330: Use of Insufficiently Random Values" + ], + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "resources": [ + "https://find-sec-bugs.github.io/bugs.htm" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "cryptography" + ] + }, + "patterns": [ + { + "pattern": "import scala.util.Random\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.io-source-ssrf", + "languages": [ + "scala" + ], + "message": "A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", + "https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Source.fromURL($URL,...)" + }, + { + "pattern": "Source.fromURI($URL,...)" + } + ] + }, + { + "pattern-inside": "import scala.io.$SOURCE\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.path-traversal-fromfile", + "languages": [ + "scala" + ], + "message": "Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A05:2017 - Broken Access Control", + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://owasp.org/Top10/A01_2021-Broken_Access_Control" + ], + "resources": [ + "https://find-sec-bugs.github.io/bugs.htm" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$FILENAME = \"...\" + $VAR\n...\n" + }, + { + "pattern-inside": "$FILENAME = $VAR + \"...\"\n...\n" + }, + { + "pattern-inside": "$FILENAME = $STR.concat($VAR)\n...\n" + }, + { + "pattern-inside": "$FILENAME = \"...\".format(..., $VAR, ...)\n...\n" + } + ] + }, + { + "pattern": "Source.fromFile($FILENAME, ...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "Source.fromFile(\"...\" + $VAR, ...)" + }, + { + "pattern": "Source.fromFile($VAR + \"...\", ...)" + }, + { + "pattern": "Source.fromFile($STR.concat($VAR), ...)" + }, + { + "pattern": "Source.fromFile(\"...\".format(..., $VAR, ...), ...)" + } + ] + } + ] + } + ] + }, + { + "pattern-inside": "def $FUNC(..., $VAR: $TYPE, ...) = Action {\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.rsa-padding-set", + "languages": [ + "scala" + ], + "message": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-780: Use of RSA Algorithm without OAEP" + ], + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://owasp.org/Top10/A02_2021-Cryptographic_Failures" + ], + "resources": [ + "https://blog.codacy.com/9-scala-security-issues/" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "cryptography" + ] + }, + "patterns": [ + { + "pattern": "$VAR = $CIPHER.getInstance($MODE)\n" + }, + { + "metavariable-regex": { + "metavariable": "$MODE", + "regex": ".*RSA/.*/NoPadding.*" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.sax-dtd-enabled", + "languages": [ + "scala" + ], + "message": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration" + ], + "source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$SR = new SAXReader(...)" + }, + { + "pattern": "$SF = SAXParserFactory.newInstance(...)\n...\n$SR = $SF.newSAXParser(...)\n" + }, + { + "patterns": [ + { + "pattern": "$SR = SAXParserFactory.newInstance(...)" + }, + { + "pattern-not-inside": "...\n$X = $SR.newSAXParser(...)\n" + } + ] + }, + { + "pattern": "$SR = SAXParserFactory.newInstance(...).newSAXParser(...)" + }, + { + "pattern": "$SR = new SAXBuilder(...)" + } + ] + }, + { + "pattern-not-inside": "...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n" + }, + { + "pattern-not-inside": "...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.scala-dangerous-process-run", + "languages": [ + "scala" + ], + "message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X.!" + }, + { + "pattern": "$X.!!" + }, + { + "pattern": "$X.lazyLines" + } + ] + }, + { + "pattern-inside": "import sys.process\n...\n" + }, + { + "pattern-not": "\"...\".!\n" + }, + { + "pattern-not": "\"...\".!!\n" + }, + { + "pattern-not": "\"...\".lazyLines\n" + }, + { + "pattern-not": "Seq(...).!\n" + }, + { + "pattern-not": "Seq(...).!!\n" + }, + { + "pattern-not": "Seq(...).lazyLines\n" + }, + { + "pattern-not-inside": "val $X = \"...\"\n...\n" + }, + { + "pattern-not-inside": "val $X = Seq(...)\n...\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.lang.security.audit.scalac-debug", + "languages": [ + "generic" + ], + "message": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-489: Active Debug Code" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": "A05:2021 - Security Misconfiguration", + "references": [ + "https://docs.scala-lang.org/overviews/compiler-options/index.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "sbt" + ] + }, + "paths": { + "include": [ + "*.sbt*" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "scalacOptions ... \"-Vdebug\"" + }, + { + "pattern": "scalacOptions ... \"-Ydebug\"" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.scalaj-http-ssrf", + "languages": [ + "scala" + ], + "message": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", + "https://github.com/scalaj/scalaj-http#simplified-http" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "scalaj-http" + ] + }, + "patterns": [ + { + "pattern": "Http($URL)" + }, + { + "pattern-inside": "import scalaj.http.$HTTP\n...\n" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.scalajs-eval", + "languages": [ + "scala" + ], + "message": "`eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it\u2019s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')" + ], + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2021 - Injection" + ], + "references": [ + "https://www.scala-js.org/doc/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala", + "scala-js" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern": "$JS.eval(...)" + }, + { + "pattern-inside": "import scala.scalajs.$X\n...\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$PARAM" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {\n ...\n}\n" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.lang.security.audit.tainted-sql-string", + "languages": [ + "scala" + ], + "message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$LOGGER.$METHOD(...)" + }, + { + "pattern": "$LOGGER(...)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$LOGGER", + "regex": "(i?)log.*" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "$LOGGER.$METHOD(...)" + }, + { + "metavariable-regex": { + "metavariable": "$METHOD", + "regex": "(i?)(trace|info|warn|warning|warnToError|error|debug)" + } + } + ] + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + ...\n" + }, + { + "pattern": "\"$SQLSTR\".format(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$SB = new StringBuilder(\"$SQLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$SQLSTR\"\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "s\"...\"" + }, + { + "pattern": "f\"...\"" + } + ] + }, + { + "pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "println(...)" + }, + { + "pattern-not-inside": "throw new $EXCEPTION(...)" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern": "$PARAM" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {\n ...\n}\n" + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.lang.security.audit.xmlinputfactory-dtd-enabled", + "languages": [ + "scala" + ], + "message": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-611: Improper Restriction of XML External Entity Reference" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A04:2017 - XML External Entities (XXE)", + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://owasp.org/Top10/A05_2021-Security_Misconfiguration" + ], + "source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", + "subcategory": [ + "audit" + ], + "technology": [ + "scala" + ] + }, + "patterns": [ + { + "pattern-not-inside": "...\n$XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", false)\n" + }, + { + "pattern-either": [ + { + "pattern": "$XMLFACTORY = XMLInputFactory.newFactory(...)" + }, + { + "pattern": "$XMLFACTORY = XMLInputFactory.newInstance(...)" + }, + { + "pattern": "$XMLFACTORY = new XMLInputFactory(...)" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.play.security.conf-csrf-headers-bypass", + "languages": [ + "generic" + ], + "message": "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they\u2019re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-352: Cross-Site Request Forgery (CSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes", + "https://owasp.org/www-community/attacks/csrf" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala", + "play" + ] + }, + "paths": { + "include": [ + "*.conf" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "X-Requested-With = \"*\"" + }, + { + "pattern": "Csrf-Token = \"...\"" + } + ] + }, + { + "pattern-inside": "bypassHeaders {...\n...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"application/x-www-form-urlencoded\"...\"multipart/form-data\"...\"text/plain\"...]\n ...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"application/x-www-form-urlencoded\"...\"text/plain\"...\"multipart/form-data\"...]\n ...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"multipart/form-data\"...\"application/x-www-form-urlencoded\"...\"text/plain\"...]\n ...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"multipart/form-data\"...\"text/plain\"...\"application/x-www-form-urlencoded\"...]\n ...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"text/plain\"...\"application/x-www-form-urlencoded\"...\"multipart/form-data\"...]\n ...\n...}\n" + }, + { + "pattern-not-inside": "{...\n ...\n ...blackList = [...\"text/plain\"...\"multipart/form-data\"...\"application/x-www-form-urlencoded\"...]\n ...\n...}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.play.security.conf-insecure-cookie-settings", + "languages": [ + "generic" + ], + "message": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A05:2021 - Security Misconfiguration" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security", + "https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "play", + "scala" + ] + }, + "paths": { + "include": [ + "*.conf" + ] + }, + "patterns": [ + { + "pattern": "secure = false" + }, + { + "pattern-inside": "session = {\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.play.security.tainted-html-response", + "languages": [ + "scala" + ], + "message": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala", + "play" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "pattern-either": [ + { + "pattern": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(...)" + }, + { + "pattern": "org.owasp.encoder.Encode.forHtml(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "pattern-either": [ + { + "pattern": "Html.apply(...)" + }, + { + "pattern": "Ok(...).as(HTML)" + }, + { + "pattern": "Ok(...).as(ContentTypes.HTML)" + }, + { + "patterns": [ + { + "pattern": "Ok(...).as($CTYPE)" + }, + { + "metavariable-regex": { + "metavariable": "$CTYPE", + "regex": "\"[tT][eE][xX][tT]/[hH][tT][mM][lL]\"" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "Ok(...).as($CTYPE)" + }, + { + "pattern-not": "Ok(...).as(\"...\")" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n" + } + ] + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$REQ" + }, + { + "pattern-either": [ + { + "pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern": "$PARAM" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n" + } + ] + } + ] + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.play.security.tainted-slick-sqli", + "languages": [ + "scala" + ], + "message": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values", + "https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala", + "slick", + "play" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$MODEL.overrideSql(...)" + }, + { + "pattern": "sql\"...\"" + } + ] + }, + { + "pattern-inside": "import slick.$DEPS\n...\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$REQ" + }, + { + "pattern-either": [ + { + "pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern": "$PARAM" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n" + } + ] + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.play.security.tainted-sql-from-http-request", + "languages": [ + "scala" + ], + "message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "HIGH", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "scala", + "play" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "\"$SQLSTR\" + ...\n" + }, + { + "pattern": "\"$SQLSTR\".format(...)\n" + }, + { + "patterns": [ + { + "pattern-inside": "$SB = new StringBuilder(\"$SQLSTR\");\n...\n" + }, + { + "pattern": "$SB.append(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VAR = \"$SQLSTR\"\n...\n" + }, + { + "pattern": "$VAR += ..." + } + ] + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$SQLSTR", + "regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b" + } + } + ] + }, + { + "patterns": [ + { + "pattern": "s\"...\"" + }, + { + "pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n" + } + ] + } + ] + }, + { + "pattern-not-inside": "println(...)" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "patterns": [ + { + "pattern": "$REQ" + }, + { + "pattern-either": [ + { + "pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + }, + { + "pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern": "$PARAM" + }, + { + "pattern-either": [ + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n" + }, + { + "pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n" + } + ] + } + ] + } + ] + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.play.security.twirl-html-var", + "languages": [ + "generic" + ], + "message": "Raw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using `Html()` or consider properly sanitizing input data.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://www.playframework.com/documentation/2.8.x/ScalaTemplates#Escaping" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "play", + "twirl" + ] + }, + "paths": { + "include": [ + "*.html" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "@Html($VAL)\n" + }, + { + "pattern": "@Html(...$VAL + ...)\n" + }, + { + "pattern": "@Html(... + $VAL...)\n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$VAL", + "regex": "\\w*" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.play.security.webservice-ssrf", + "languages": [ + "scala" + ], + "message": "A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-918: Server-Side Request Forgery (SSRF)" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A10:2021 - Server-Side Request Forgery (SSRF)" + ], + "references": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", + "https://www.playframework.com/documentation/2.8.x/ScalaWS" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "play" + ] + }, + "patterns": [ + { + "pattern": "$WS.url($URL)" + }, + { + "pattern-either": [ + { + "pattern-inside": "class $CLASS (..., $WS: WSClient, ...) {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $WS: WSClient, ...) = {\n ...\n}\n" + }, + { + "pattern-inside": "$WS = AhcWSClient(...)\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n" + }, + { + "pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.scala.scala-jwt.security.scala-jwt-hardcoded-secret", + "languages": [ + "scala" + ], + "message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": [ + "CWE-522: Insufficiently Protected Credentials" + ], + "cwe2021-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A02:2017 - Broken Authentication", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/", + "subcategory": [ + "audit" + ], + "technology": [ + "jwt" + ] + }, + "pattern-either": [ + { + "pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC256(\"...\");\n" + }, + { + "pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);\n" + }, + { + "pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC384(\"...\");\n" + }, + { + "pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);\n" + }, + { + "pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);\n ...\n }\n ...\n}\n" + }, + { + "pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC512(\"...\");\n" + }, + { + "pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);\n" + }, + { + "pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);\n ...\n }\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.slick.security.scala-slick-overrideSql-literal", + "languages": [ + "scala" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://owasp.org/Top10/A03_2021-Injection" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "slick" + ] + }, + "patterns": [ + { + "pattern": "$MODEL.overrideSql($QUERY,...)" + }, + { + "pattern-not": "$MODEL.overrideSql(\"...\",...)" + }, + { + "pattern-not-inside": "$QUERY = \"...\"\n...\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.scala.slick.security.scala-slick-sql-non-literal", + "languages": [ + "scala" + ], + "message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2017 - Injection", + "A03:2021 - Injection" + ], + "references": [ + "https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values" + ], + "source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SCALA_SQL_INJECTION_SLICK", + "subcategory": [ + "audit" + ], + "technology": [ + "scala", + "slick" + ] + }, + "patterns": [ + { + "pattern": "sql\"...\"" + }, + { + "pattern-regex": "\\#\\$" + }, + { + "pattern-inside": "import slick.$DEPS\n...\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.accessible-selfdestruct", + "languages": [ + "solidity" + ], + "message": "Contract can be destructed by anyone in $FUNC", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://www.parity.io/blog/a-postmortem-on-the-parity-multi-sig-library-self-destruct/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern-either": [ + { + "pattern": "selfdestruct(...);" + }, + { + "pattern": "suicide(...);" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "focus-metavariable": [ + "$ADDR" + ] + }, + { + "pattern-either": [ + { + "pattern": "function $FUNC(..., address $ADDR, ...) external { ... }" + }, + { + "pattern": "function $FUNC(..., address $ADDR, ...) public { ... }" + } + ] + }, + { + "pattern-not": "function $FUNC(...) $MODIFIER { ... }" + }, + { + "pattern-not": "function $FUNC(...) $MODIFIER(...) { ... }" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n require(<... msg.sender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n assert(<... msg.sender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n require(<... _msgSender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n assert(<... _msgSender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n if (<... msg.sender ...>) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n if (<... _msgSender ...>) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n onlyOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n requireOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n _requireOwnership(...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n $C._enforceIsContractOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n $C._enforceOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function $FUNC(...) {\n ...\n $C.enforceIsContractOwner(...);\n ...\n}\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.arbitrary-low-level-call", + "languages": [ + "solidity" + ], + "message": "An attacker may perform call() to an arbitrary address with controlled calldata", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-20: Improper Input Validation", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/CertiKAlert/status/1512198846343954445", + "https://twitter.com/SlowMist_Team/status/1508787862791069700", + "https://twitter.com/Beosin_com/status/1509099103401127942", + "https://blocksecteam.medium.com/li-fi-attack-a-cross-chain-bridge-vulnerability-no-its-due-to-unchecked-external-call-c31e7dadf60f", + "https://etherscan.io/address/0xe7597f774fd0a15a617894dc39d45a28b97afa4f", + "https://etherscan.io/address/0x73a499e043b03fc047189ab1ba72eb595ff1fc8e" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) external { ... }\n" + }, + { + "pattern-inside": "function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) public { ... }\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$ADDR.call($DATA);" + }, + { + "pattern": "$ADDR.call{$VALUE:...}($DATA);" + }, + { + "pattern": "$ADDR.call{$VALUE:..., $GAS:...}($DATA);" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.arbitrary-send-erc20", + "languages": [ + "solidity" + ], + "message": "msg.sender is not being used when calling erc20.transferFrom. Example - Alice approves this contract to spend her ERC20 tokens. Bob can call function 'a' and specify Alice's address as the from parameter in transferFrom, allowing him to transfer Alice's tokens to himself.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-285: Improper Authorization" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://github.com/crytic/slither/wiki/Detector-Documentation#arbitrary-from-in-transferfrom", + "https://cwe.mitre.org/data/definitions/285.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$FUNC.transferFrom(...)" + }, + { + "pattern-not": "$FUNC.transferFrom(..., msg.sender, ...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.balancer-readonly-reentrancy-getpooltokens", + "languages": [ + "solidity" + ], + "message": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376", + "https://hackmd.io/@sentimentxyz/SJCySo1z2" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n}\n" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$RETURN", + "pattern-regex": ".*uint256\\[].*" + } + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $F(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n}\n" + }, + { + "pattern-not": "function $F(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n}\n" + }, + { + "pattern-not-inside": "contract LinearPool {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract ComposableStablePool {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract BalancerQueries {\n ...\n} \n" + }, + { + "pattern-not-inside": "contract ManagedPool {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract BaseWeightedPool {\n ...\n} \n" + }, + { + "pattern-not-inside": "contract ComposableStablePoolStorage {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract RecoveryModeHelper {\n ...\n}\n" + }, + { + "focus-metavariable": [ + "$VAULT" + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.balancer-readonly-reentrancy-getrate", + "languages": [ + "solidity" + ], + "message": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "function $F(...) {\n ...\n $VAR.getRate();\n ...\n}\n" + }, + { + "pattern-not-inside": "function $F(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n}\n" + }, + { + "pattern-not-inside": "function $F(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n}\n" + }, + { + "pattern-not-inside": "function _updateTokenRateCache(...) {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract PoolRecoveryHelper {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract ComposableStablePoolRates {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract WeightedPoolProtocolFees {\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $VAR.getRate();\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $VAR.getRate();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $VAR.getRate();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $VAR.getRate();\n ...\n }\n ...\n}\n" + }, + { + "focus-metavariable": "$VAR" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.basic-arithmetic-underflow", + "languages": [ + "solidity" + ], + "message": "Possible arithmetic underflow", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-191: Integer Underflow (Wrap or Wraparound)", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-umbnetwork-attack-event-analysis-9bae1141e58", + "https://twitter.com/danielvf/status/1497194778278174724", + "https://etherscan.io/address/0xbbc3a290c7d2755b48681c87f25f9d7f480ad42f" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "pattern": "$Y - $X" + } + ], + "pattern-sources": [ + { + "pattern-either": [ + { + "pattern-inside": "function $F(..., $X, ...) external { ... }\n" + }, + { + "pattern-inside": "function $F(..., $X, ...) public { ... }\n" + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.solidity.security.basic-oracle-manipulation", + "languages": [ + "solidity" + ], + "message": "Price oracle can be manipulated via flashloan", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-682: Incorrect Calculation", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://medium.com/oneringfinance/onering-finance-exploit-post-mortem-after-oshare-hack-602a529db99b", + "https://twitter.com/peckshield/status/1506090607059431427", + "https://pwned-no-more.notion.site/The-Deus-Hack-Explained-647bf97afa2b4e4e9e8b882e68a75c0b", + "https://twitter.com/peckshield/status/1519530463337250817", + "https://ftmscan.com/address/0xc06826f52f29b34c5d8b2c61abf844cebcf78abf", + "https://ftmscan.com/address/0x5CEB2b0308a7f21CcC0915DB29fa5095bEAdb48D", + "https://ftmscan.com/address/0x8129026c585bcfa530445a6267f9389057761a00" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function $F(...) {\n ...\n}\n" + }, + { + "pattern-either": [ + { + "pattern": "$X.div($Y)" + }, + { + "pattern": "$X / $Y" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$F", + "regex": "(?i)get([a-z0-9_])*price" + } + }, + { + "metavariable-pattern": { + "metavariable": "$X", + "pattern-either": [ + { + "pattern": "underlying" + }, + { + "pattern": "underlyingUnit" + }, + { + "pattern": "pair" + }, + { + "pattern": "reserve" + }, + { + "pattern": "reserve0" + }, + { + "pattern": "reserve1" + } + ] + } + }, + { + "metavariable-regex": { + "metavariable": "$Y", + "regex": ".*totalSupply.*" + } + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.solidity.security.compound-borrowfresh-reentrancy", + "languages": [ + "solidity" + ], + "message": "Function borrowFresh() in Compound performs state update after doTransferOut()", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://twitter.com/peckshield/status/1509431646818234369", + "https://twitter.com/blocksecteam/status/1509466576848064512", + "https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4", + "https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function borrowFresh(...) {\n ...\n}\n" + }, + { + "pattern-not-inside": "accountBorrows[borrower].interestIndex = borrowIndex;\n...\n" + }, + { + "pattern": "doTransferOut(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.compound-sweeptoken-not-restricted", + "languages": [ + "solidity" + ], + "message": "Function sweepToken is allowed to be called by anyone", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2", + "https://chainsecurity.com/security-audit/compound-ctoken/", + "https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/", + "https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function sweepToken(...) {\n...\n}\n" + }, + { + "pattern-not-inside": "function sweepToken(...) $M {\n...\n}\n" + }, + { + "pattern": "token.transfer(...);" + }, + { + "pattern-not-inside": "require(msg.sender == admin, \"...\");\n...\n" + }, + { + "pattern-not-inside": "require(_msgSender() == admin, \"...\");\n...\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.curve-readonly-reentrancy", + "languages": [ + "solidity" + ], + "message": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://chainsecurity.com/heartbreaks-curve-lp-oracles/", + "https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$POOL.get_virtual_price()\n" + }, + { + "pattern-not-inside": "function $F(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n}\n" + }, + { + "pattern-not-inside": "function $F(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $POOL.get_virtual_price();\n ...\n }\n ...\n}\n" + }, + { + "pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $POOL.get_virtual_price();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.delegatecall-to-arbitrary-address", + "languages": [ + "solidity" + ], + "message": "An attacker may perform delegatecall() to an arbitrary address.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-20: Improper Input Validation", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-delegatecall" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-not-inside": "require(<... msg.sender ...>, ...);\n...\n" + }, + { + "pattern-not-inside": "require(<... _msgSender() ...>, ...);\n...\n" + }, + { + "pattern-not-inside": "if(<... msg.sender ...>) revert(...);\n...\n" + }, + { + "pattern-not-inside": "if(<... _msgSender() ...>) revert(...);\n...\n" + }, + { + "pattern-not": "address(this).delegatecall(...);" + }, + { + "pattern-either": [ + { + "pattern": "$CONTRACT.delegatecall(...);" + }, + { + "pattern": "$CONTRACT.delegatecall{gas:$GAS}(...);" + } + ] + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function $ANY(..., address $CONTRACT, ...) public {...}" + }, + { + "pattern": "function $ANY(..., address $CONTRACT, ...) external {...}" + }, + { + "pattern": "function $ANY(..., address payable $CONTRACT, ...) public {...}" + }, + { + "pattern": "function $ANY(..., address payable $CONTRACT, ...) external {...}" + } + ] + }, + { + "pattern-not": "constructor(...) { ... }" + }, + { + "pattern-not": "function $ANY(...) $M { ... }" + }, + { + "pattern-not": "function $ANY(...) $M(...) { ... }" + }, + { + "focus-metavariable": "$CONTRACT" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.encode-packed-collision", + "languages": [ + "solidity" + ], + "message": "abi.encodePacked hash collision with variable length arguments in $F()", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-20: Improper Input Validation", + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "references": [ + "https://swcregistry.io/docs/SWC-133" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function $F(..., bytes $A, ..., bytes $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., string $A, ..., string $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., bytes $A, ..., string $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., string $A, ..., bytes $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., address[] $A, ..., address[] $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., uint256[] $A, ..., uint256[] $B, ...) public {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., bytes $A, ..., bytes $B, ...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., string $A, ..., string $B, ...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., bytes $A, ..., string $B, ...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., string $A, ..., bytes $B, ...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., address[] $A, ..., address[] $B, ...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(..., uint256[] $A, ..., uint256[] $B, ...) external {\n ...\n}\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "keccak256(abi.encodePacked(..., $A, $B, ...))\n" + }, + { + "pattern": "$X = abi.encodePacked(..., $A, $B, ...);\n...\nkeccak256($X);\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.erc20-public-burn", + "languages": [ + "solidity" + ], + "message": "Anyone can burn tokens of other accounts", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/danielvf/status/1511013322015051797", + "https://etherscan.io/address/0xf15ead6acb8ab52a1e335671a48f3a99e991614c" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function burn(...) public { \n _burn($ACCOUNT, $AMOUNT);\n }\n" + }, + { + "pattern": "function burn(...) external { \n _burn($ACCOUNT, $AMOUNT);\n }\n" + } + ] + }, + { + "pattern-not": "function burn(...) $M { ... }" + }, + { + "pattern-not": "function burn(...) $M(...) { ... }" + }, + { + "pattern-not": "function burn(...) {\n _burn(msg.sender, ...);\n}\n" + }, + { + "pattern-not": "function burn(...) {\n _burn(_msgSender(), ...);\n}\n" + }, + { + "pattern-not": "function burn(...) {\n _burn(tokenId, ...);\n}\n" + }, + { + "pattern-not": "function burn(...) {\n _burn(_tokenId, ...);\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.erc20-public-transfer", + "languages": [ + "solidity" + ], + "message": "Custom ERC20 implementation exposes _transfer() as public", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://medium.com/@Knownsec_Blockchain_Lab/creat-future-was-tragically-transferred-coins-at-will-who-is-the-mastermind-behind-the-scenes-8ad42a7af814", + "https://bscscan.com/address/0x8B7218CF6Ac641382D7C723dE8aA173e98a80196" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function _transfer(...) public { ... }\n" + }, + { + "pattern": "function _transfer(...) external { ... }\n" + } + ] + }, + { + "pattern-not": "function _transfer(...) $M { ... }\n" + }, + { + "pattern-not": "function _transfer(...) $M(...) { ... }\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.erc677-reentrancy", + "languages": [ + "solidity" + ], + "message": "ERC677 callAfterTransfer() reentrancy", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://twitter.com/peckshield/status/1509431646818234369", + "https://twitter.com/blocksecteam/status/1509466576848064512", + "https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611", + "https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function transfer(...) {\n ...\n}\n" + }, + { + "pattern": "callAfterTransfer(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.erc721-arbitrary-transferfrom", + "languages": [ + "solidity" + ], + "message": "Custom ERC721 implementation lacks access control checks in _transfer()", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/BlockSecAlert/status/1516289618605654024", + "https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function _transfer(...) {\n...\n}\n" + }, + { + "pattern-inside": "require(prevOwnership.addr == $FROM, ...);\n...\n" + }, + { + "pattern-not-inside": "(<... _msgSender() == $FROM ...>);\n...\n" + }, + { + "pattern-not-inside": "(<... _msgSender() == $PREV.$ADDR ...>);\n...\n" + }, + { + "pattern-not-inside": "(<... msg.sender == $FROM ...>);\n...\n" + }, + { + "pattern-not-inside": "require(_isApprovedOrOwner(...), ...);\n...\n" + }, + { + "pattern": "_approve(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.erc721-reentrancy", + "languages": [ + "solidity" + ], + "message": "ERC721 onERC721Received() reentrancy", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a", + "https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "_checkOnERC721Received(...)" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.erc777-reentrancy", + "languages": [ + "solidity" + ], + "message": "ERC777 tokensReceived() reentrancy", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-841: Improper Enforcement of Behavioral Workflow", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0", + "https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$X.tokensReceived(...);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.gearbox-tokens-path-confusion", + "languages": [ + "solidity" + ], + "message": "UniswapV3 adapter implemented incorrect extraction of path parameters", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://medium.com/@nnez/different-parsers-different-results-acecf84dfb0c", + "https://etherscan.io/address/0xbA7B57D7E4d4A7516FC1CbfF1CA5182eBC0c1491" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$PATH.toAddress($PATH.length - $ADDR_SIZE);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.incorrect-use-of-blockhash", + "languages": [ + "solidity" + ], + "message": "blockhash(block.number) and blockhash(block.number + N) always returns 0.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-341: Predictable from Observable State", + "impact": "MEDIUM", + "likelihood": "LOW", + "references": [ + "https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "blockhash(block.number)" + }, + { + "pattern": "blockhash(block.number + $N)" + }, + { + "pattern": "blockhash(block.number * $N)" + }, + { + "pattern": "block.blockhash(block.number)" + }, + { + "pattern": "block.blockhash(block.number + $N)" + }, + { + "pattern": "block.blockhash(block.number * $N)" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.keeper-network-oracle-manipulation", + "languages": [ + "solidity" + ], + "message": "Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-682: Incorrect Calculation", + "impact": "HIGH", + "likelihood": "LOW", + "references": [ + "https://twitter.com/peckshield/status/1510232640338608131", + "https://twitter.com/FrankResearcher/status/1510239094777032713", + "https://twitter.com/larry0x/status/1510263618180464644", + "https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9", + "https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT);" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.missing-self-transfer-check-ercx", + "languages": [ + "solidity" + ], + "message": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-682: Incorrect Calculation", + "impact": "HIGH", + "likelihood": "HIGH", + "owasp": [ + "A7:2021 Identification and Authentication Failures" + ], + "references": [ + "https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities", + "https://x.com/shoucccc/status/1757777764646859121" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "blockchain", + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "_balances[$FROM] = $FROM_BALANCE - value;\n" + }, + { + "pattern": "_balances[$TO] = $TO_BALANCE + value;\n" + } + ] + }, + { + "pattern-not-inside": "if ($FROM != $TO) {\n ...\n _balances[$FROM] = $FROM_BALANCE - value;\n ...\n _balances[$TO] = $TO_BALANCE + value;\n ...\n}\n" + }, + { + "pattern-inside": "function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual {\n ...\n}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.msg-value-multicall", + "languages": [ + "solidity" + ], + "message": "$F with constant msg.value can be called multiple times", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-837: Improper Enforcement of a Single, Unique Action", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://github.com/Uniswap/v3-periphery/issues/52", + "https://www.paradigm.xyz/2021/08/two-rights-might-make-a-wrong" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "contract $C is ..., BoringBatchable, ... {\n ...\n}\n" + }, + { + "pattern-inside": "contract $C is ..., Multicall, ... {\n ...\n}\n" + } + ] + }, + { + "pattern-inside": "function $F(...) {\n ...\n}\n" + }, + { + "pattern": "msg.value" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.no-bidi-characters", + "languages": [ + "solidity" + ], + "message": "The code must not contain any of Unicode Direction Control Characters", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-837: Improper Enforcement of a Single, Unique Action", + "impact": "LOW", + "likelihood": "LOW", + "references": [ + "https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-regex": "\u202a" + }, + { + "pattern-regex": "\u202b" + }, + { + "pattern-regex": "\u202d" + }, + { + "pattern-regex": "\u202e" + }, + { + "pattern-regex": "\u2066" + }, + { + "pattern-regex": "\u2067" + }, + { + "pattern-regex": "\u2068" + }, + { + "pattern-regex": "\u202c" + }, + { + "pattern-regex": "\u2069" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.no-slippage-check", + "languages": [ + "solidity" + ], + "message": "No slippage check in a Uniswap v2/v3 trade", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-682: Incorrect Calculation", + "impact": "MEDIUM", + "likelihood": "HIGH", + "references": [ + "https://uniswapv3book.com/docs/milestone_3/slippage-protection/" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X.swapExactTokensForTokens($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "$X.swapExactTokensForTokensSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "$X.swapExactTokensForETH($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "$X.swapExactTokensForETHSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "$X.swapExactETHForTokens{$VALUE:...}($LIMIT, $A, $B, $C)" + }, + { + "pattern": "$X.swapExactETHForTokensSupportingFeeOnTransferTokens{$VALUE:...}($LIMIT, $A, $B, $C)" + }, + { + "pattern": "$X.swapTokensForExactTokens($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "$X.swapTokensForExactETH($A, $LIMIT, $B, $C, $D)" + }, + { + "pattern": "function $FUNC(...) {\n ...\n $Y = $SWAPROUTER.ExactInputSingleParams({\n tokenIn: $A, \n tokenOut: $B, \n fee: $C, \n recipient: $D, \n deadline: $E, \n amountIn: $F, \n amountOutMinimum: $LIMIT, \n sqrtPriceLimitX96: 0\n });\n ...\n $X.exactInputSingle($Y);\n ...\n}\n" + }, + { + "pattern": "$X.exactInputSingle($SWAPROUTER.ExactInputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountIn: $F,\n amountOutMinimum: $LIMIT,\n sqrtPriceLimitX96: 0\n}));\n" + }, + { + "pattern": "function $FUNC(...) {\n ...\n $Y = $SWAPROUTER.ExactOutputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountOut: $F,\n amountInMaximum: $LIMIT,\n sqrtPriceLimitX96: 0\n });\n ...\n $X.exactOutputSingle($Y);\n ...\n}\n" + }, + { + "pattern": "$X.exactOutputSingle($SWAPROUTER.ExactOutputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountOut: $F,\n amountInMaximum: $LIMIT,\n sqrtPriceLimitX96: 0\n}));\n" + }, + { + "pattern": "$X.swap($RECIPIENT, $ZEROFORONE, $AMOUNTIN, $LIMIT, $DATA)" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$LIMIT", + "regex": "^(0)|(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)|(type\\(uint(256)?\\)\\.max)|(uint(256)?\\(-1)|(115792089237316195423570985008687907853269984665640564039457584007913129639935)|(2\\s?\\*\\*\\s?256\\s?-\\s?1)$" + } + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.openzeppelin-ecdsa-recover-malleable", + "languages": [ + "solidity" + ], + "message": "Potential signature malleability in $F", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-347: Improper Verification of Cryptographic Signature", + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "references": [ + "https://github.com/advisories/GHSA-4h98-2769-gh6h" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "pattern-either": [ + { + "pattern": "function $F(..., bytes $Y, ...) {\n ...\n $Z = ECDSA.recover(..., $Y);\n ...\n $A[$Y] = ...;\n ...\n}\n" + }, + { + "pattern": "function $F(..., bytes $Y, ...) {\n ...\n $Z = ECDSA.recover(..., $Y);\n ...\n $A[$B][$Y] = ...;\n ...\n}\n" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.oracle-price-update-not-restricted", + "languages": [ + "solidity" + ], + "message": "Oracle price data can be submitted by anyone", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/BlockSecTeam/status/1514815673800663045", + "https://twitter.com/CertiKAlert/status/1514831117169405953", + "https://medium.com/@hacxyk/aave-v3s-price-oracle-manipulation-vulnerability-168e44e9e374", + "https://bscscan.com/address/0xd55f01b4b51b7f48912cd8ca3cdd8070a1a9dba5", + "https://polygonscan.com/address/0xaA5890362f36FeaAe91aF248e84e287cE6eCD1A9" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function $F(...) public {...}" + }, + { + "pattern": "function $F(...) external {...}" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$F", + "pattern-either": [ + { + "pattern": "setOracleData" + }, + { + "pattern": "setAssetPrice" + } + ] + } + }, + { + "pattern-not": "function $F(...) onlyOwner { ... }" + }, + { + "pattern-not": "function $F(...) onlySybil { ... }" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.proxy-storage-collision", + "languages": [ + "solidity" + ], + "message": "Proxy declares a state var that may override a storage slot of the implementation", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-787: Out-of-bounds Write", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "contract $CONTRACT is ..., $PROXY, ... {\n ...\n $TYPE $VAR;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n" + }, + { + "pattern": "contract $CONTRACT is ..., $PROXY, ... {\n ...\n $TYPE $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n" + } + ] + }, + { + "pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE immutable $VAR;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE immutable $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE constant $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n" + }, + { + "metavariable-regex": { + "metavariable": "$CONTRACT", + "regex": "^(?!AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy).*$" + } + }, + { + "metavariable-regex": { + "metavariable": "$PROXY", + "regex": "(UpgradeabilityProxy|AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy|TransparentUpgradeableProxy|ERC1967Proxy)" + } + }, + { + "focus-metavariable": "$PROXY" + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.redacted-cartel-custom-approval-bug", + "languages": [ + "solidity" + ], + "message": "transferFrom() can steal allowance of other accounts", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-688: Function Call With Incorrect Variable or Reference as Argument", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5", + "https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function transferFrom(...) {\n...\n}\n" + }, + { + "pattern": "_approve(..., allowance(sender, recipient).sub(amount, ...), ...);" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.rigoblock-missing-access-control", + "languages": [ + "solidity" + ], + "message": "setMultipleAllowances() is missing onlyOwner modifier", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/danielvf/status/1494317265835147272", + "https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8", + "https://play.secdim.com/game/dapp/challenge/rigoownsol" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "function setMultipleAllowances(...) {...}" + }, + { + "pattern-not": "function setMultipleAllowances(...) onlyOwner {...}" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.sense-missing-oracle-access-control", + "languages": [ + "solidity" + ], + "message": "Oracle update is not restricted in $F()", + "metadata": { + "author": "https://twitter.com/ArbazKiraak", + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function $F(...,$D $REQUEST,...) external {\n ...\n}\n" + }, + { + "pattern-inside": "function $F(...,$D $REQUEST,...) public {\n ...\n}\n" + } + ] + }, + { + "pattern-not-inside": "function $F(...,$D $REQUEST,...) external onlyVault(...) {\n ...\n}\n" + }, + { + "patterns": [ + { + "pattern": "_updateOracle($LASTBLOCK,...,...)" + }, + { + "pattern-not-inside": "...\nif (msg.sender == $BALANCER) { ... }\n...\n" + }, + { + "pattern-not-inside": "...\nrequire(msg.sender == address($BALANCER),...);\n...\n" + }, + { + "pattern-not-inside": "...\nif (_msgSender() == $BALANCER) { ... }\n...\n" + }, + { + "pattern-not-inside": "...\nrequire(_msgSender() == address($BALANCER),...);\n...\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.superfluid-ctx-injection", + "languages": [ + "solidity" + ], + "message": "A specially crafted calldata may be used to impersonate other accounts", + "metadata": { + "category": "security", + "confidence": "HIGH", + "cwe": "CWE-20: Improper Input Validation", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://rekt.news/superfluid-rekt/", + "https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd", + "https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "$T.decodeCtx(ctx);" + }, + { + "pattern-not-inside": "require($T.isCtxValid(...), \"...\");\n...\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.tecra-coin-burnfrom-bug", + "languages": [ + "solidity" + ], + "message": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": "CWE-688: Function Call With Incorrect Variable or Reference as Argument", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://twitter.com/Mauricio_0218/status/1490082073096462340", + "https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-inside": "function $BURN(..., address $FROM, ...) {\n ...\n _burn($FROM, ...);\n ...\n}\n" + }, + { + "pattern-either": [ + { + "pattern": "require(_allowances[$S][$FROM] >= $X, ...)" + }, + { + "pattern": "require(allowance($S, $FROM) >= $X, ...)" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.solidity.security.uniswap-callback-not-protected", + "languages": [ + "solidity" + ], + "message": "Uniswap callback is not protected", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "MEDIUM", + "references": [ + "https://docs.uniswap.org/contracts/v3/guides/flash-integrations/flash-callback" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern": "function $CALLBACK(...) { ... }\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n $VALIDATION.verifyCallback(...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n $CHECK(msg.sender == $U.$PAIR(...), ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n $CHECK(_msgSender() == $U.$PAIR(...), ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require(msg.sender == $POOL, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require(_msgSender() == $POOL, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require($POOL == msg.sender, ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require($POOL == _msgSender(), ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if (msg.sender != $POOL) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if (_msgSender() != $POOL) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if (msg.sender == $POOL) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if (_msgSender() == $POOL) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if(!$POOLS[msg.sender]) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n if(!$POOLS[_msgSender()]) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n _verifyCallback(...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) isCallback {\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require($POOLS[msg.sender], ...);\n ...\n}\n" + }, + { + "pattern-not": "function $CALLBACK(...) {\n ...\n require($POOLS[_msgSender()], ...);\n ...\n}\n" + }, + { + "metavariable-regex": { + "metavariable": "$CALLBACK", + "regex": "(uniswapV2Call|uniswapV3SwapCallback|uniswapV3FlashCallback|uniswapV3MintCallback)" + } + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.solidity.security.unrestricted-transferownership", + "languages": [ + "solidity" + ], + "message": "Unrestricted transferOwnership", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": "CWE-284: Improper Access Control", + "impact": "HIGH", + "likelihood": "HIGH", + "references": [ + "https://medium.com/quillhash/decoding-ragnarok-online-invasion-44k-exploit-quillaudits-261b7e23b55", + "https://www.bscscan.com/address/0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "solidity" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "function transferOwnership(address $X) public {...}" + }, + { + "pattern": "function transferOwnership(address $X) external {...}" + } + ] + }, + { + "pattern-not": "function transferOwnership(address $X) $M {...}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) $M(...) {...}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n require(<... msg.sender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n require(<... _msgSender ...>, ...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n if (<... msg.sender ...>) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n if (<... _msgSender ...>) {\n ...\n }\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n onlyOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n requireOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n _requireOwnership(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n $C._enforceIsContractOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n $C._enforceOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {\n ...\n $C.enforceIsContractOwner(...);\n ...\n}\n" + }, + { + "pattern-not": "function transferOwnership(address $X) {}\n" + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.typescript.angular.security.audit.angular-bypasssecuritytrust", + "languages": [ + "typescript" + ], + "message": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://angular.io/api/platform-browser/DomSanitizer", + "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "angular", + "browser" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern": "sanitizer.sanitize(...)" + }, + { + "pattern-not": "sanitizer.sanitize(SecurityContext.NONE, ...);" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$X.$TRUST($Y)" + } + ] + }, + { + "focus-metavariable": "$Y" + }, + { + "pattern-not": "$X.$TRUST(`...`)\n" + }, + { + "pattern-not": "$X.$TRUST(\"...\")\n" + }, + { + "metavariable-regex": { + "metavariable": "$TRUST", + "regex": "(bypassSecurityTrustHtml|bypassSecurityTrustStyle|bypassSecurityTrustScript|bypassSecurityTrustUrl|bypassSecurityTrustResourceUrl)" + } + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ...({..., $X: string, ...}) { ... }\n" + }, + { + "pattern-inside": "function ...(..., $X: string, ...) { ... }\n" + } + ] + }, + { + "focus-metavariable": "$X" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod", + "languages": [ + "ts" + ], + "message": "Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-306: Missing Authentication for Critical Function" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "HIGH", + "likelihood": "HIGH", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "AWS-CDK" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3'\n...\n" + }, + { + "pattern": "const $X = new Bucket(...)\n...\n$X.grantPublicAccess(...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "import * as $Y from '@aws-cdk/aws-s3'\n...\n" + }, + { + "pattern": "const $X = new $Y.Bucket(...)\n...\n$X.grantPublicAccess(...)\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.aws-cdk.security.awscdk-codebuild-project-public", + "languages": [ + "ts" + ], + "message": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-306: Missing Authentication for Critical Function" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2021 - Identification and Authentication Failures" + ], + "references": [ + "https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "AWS-CDK" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "import {Project} from '@aws-cdk/aws-codebuild'\n...\n" + }, + { + "pattern": "const $X = new Project(..., {..., badge: true, ...})\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "import * as $Y from '@aws-cdk/aws-codebuild'\n...\n" + }, + { + "pattern": "const $X = new $Y.Project(..., {..., badge: true, ...})\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.aws-cdk.security.audit.awscdk-bucket-encryption", + "languages": [ + "typescript" + ], + "message": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-311: Missing Encryption of Sensitive Data" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "AWS-CDK" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3'\n...\n" + }, + { + "pattern": "const $X = new Bucket(...)" + }, + { + "pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS_MANAGED, ...})\n" + }, + { + "pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS, ...})\n" + }, + { + "pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.S3_MANAGED, ...})\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "import * as $Y from '@aws-cdk/aws-s3'\n...\n" + }, + { + "pattern": "const $X = new $Y.Bucket(...)" + }, + { + "pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS_MANAGED, ...})\n" + }, + { + "pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS, ...})\n" + }, + { + "pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.S3_MANAGED, ...})\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.typescript.aws-cdk.security.audit.aws-cdk-bucket-enforcessl", + "languages": [ + "ts" + ], + "message": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-319: Cleartext Transmission of Sensitive Information" + ], + "impact": "MEDIUM", + "likelihood": "MEDIUM", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A02:2021 - Cryptographic Failures" + ], + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "AWS-CDK" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3';\n...\n" + }, + { + "pattern": "const $X = new Bucket(...)" + }, + { + "pattern-not": "const $X = new Bucket(..., {enforceSSL: true}, ...)\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "import * as $Y from '@aws-cdk/aws-s3';\n...\n" + }, + { + "pattern": "const $X = new $Y.Bucket(...)" + }, + { + "pattern-not": "const $X = new $Y.Bucket(..., {..., enforceSSL: true, ...})\n" + } + ] + } + ], + "severity": "ERROR" + }, + { + "id": "vendored-rules.typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue", + "languages": [ + "ts" + ], + "message": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-311: Missing Encryption of Sensitive Data" + ], + "impact": "HIGH", + "likelihood": "LOW", + "owasp": [ + "A03:2017 - Sensitive Data Exposure", + "A04:2021 - Insecure Design" + ], + "references": [ + "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "AWS-CDK" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "import {Queue} from '@aws-cdk/aws-sqs'\n...\n" + }, + { + "pattern": "const $X = new Queue(...)" + }, + { + "pattern-not": "const $X = new Queue(..., {..., encryption: QueueEncryption.KMS_MANAGED, ...})\n" + }, + { + "pattern-not": "const $X = new Queue(..., {..., encryption: QueueEncryption.KMS, ...})\n" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "import * as $Y from '@aws-cdk/aws-sqs'\n...\n" + }, + { + "pattern": "const $X = new $Y.Queue(...)" + }, + { + "pattern-not": "const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS_MANAGED, ...})\n" + }, + { + "pattern-not": "const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS, ...})\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.lang.security.audit.cors-regex-wildcard", + "languages": [ + "ts" + ], + "message": "Unescaped '.' character in CORS domain regex $CORS: $PATTERN", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-183: Permissive List of Allowed Inputs" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A04:2021 - Insecure Design" + ], + "references": [ + "https://owasp.org/Top10/A04_2021-Insecure_Design" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "cors" + ] + }, + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$CORS = [...,/$PATTERN/,...]" + }, + { + "pattern": "$CORS = /$PATTERN/" + } + ] + }, + { + "focus-metavariable": "$PATTERN" + }, + { + "metavariable-regex": { + "metavariable": "$PATTERN", + "regex": ".+?(?\n" + }, + { + "pattern": "<$EL escapeHtml={false} />\n" + }, + { + "pattern": "<$EL transformLinkUri=... />\n" + }, + { + "pattern": "<$EL transformImageUri=... />\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-dangerouslysetinnerhtml", + "languages": [ + "js", + "ts" + ], + "message": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "react" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$S = new Remarkable()\n...\n" + } + ] + }, + { + "pattern": "$S.render(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$X" + }, + { + "pattern-either": [ + { + "pattern": "{...,dangerouslySetInnerHTML: {__html: $X},...}\n" + }, + { + "pattern": "<$Y ... dangerouslySetInnerHTML={{__html: $X}} />\n" + } + ] + }, + { + "pattern-not": "<$Y ... dangerouslySetInnerHTML={{__html: \"...\"}} />\n" + }, + { + "pattern-not": "{...,dangerouslySetInnerHTML:{__html: \"...\"},...}\n" + }, + { + "metavariable-pattern": { + "metavariable": "$X", + "patterns": [ + { + "pattern-not": "{...}\n" + } + ] + } + }, + { + "pattern-not": "<... {__html: \"...\"} ...>\n" + }, + { + "pattern-not": "<... {__html: `...`} ...>\n" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ...({..., $X, ...}) { ... }\n" + }, + { + "pattern-inside": "function ...(..., $X, ...) { ... }\n" + } + ] + }, + { + "focus-metavariable": "$X" + }, + { + "pattern-not-inside": "$F. ... .$SANITIZEUNC(...)\n" + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-href-var", + "languages": [ + "js", + "ts" + ], + "message": "Detected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within your application.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://reactjs.org/blog/2019/08/08/react-v16.9.0.html#deprecating-javascript-urls", + "https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part1.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "react" + ] + }, + "mode": "taint", + "pattern-sinks": [ + { + "patterns": [ + { + "focus-metavariable": "$X" + }, + { + "pattern-either": [ + { + "pattern": "<$EL href={$X} />\n" + }, + { + "pattern": "React.createElement($EL, {href: $X})\n" + }, + { + "pattern-inside": "$PARAMS = {href: $X};\n...\nReact.createElement($EL, $PARAMS);\n" + } + ] + }, + { + "metavariable-pattern": { + "metavariable": "$EL", + "patterns": [ + { + "pattern-not-regex": "(?i)(button)" + } + ] + } + } + ], + "requires": "TAINTED and not CONCAT and not CLEAN" + } + ], + "pattern-sources": [ + { + "label": "TAINTED", + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ...({..., $X, ...}) { ... }\n" + }, + { + "pattern-inside": "function ...(..., $X, ...) { ... }\n" + } + ] + }, + { + "focus-metavariable": "$X" + }, + { + "pattern-either": [ + { + "pattern": "$X.$Y" + }, + { + "pattern": "$X[...]" + } + ] + }, + { + "pattern-not-inside": "$F. ... .$SANITIZEUNC(...)\n" + } + ] + }, + { + "label": "CONCAT", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "`...${$X}...`\n" + }, + { + "pattern": "$SANITIZE + <... $X ...>\n" + } + ] + }, + { + "pattern-not": "`${$X}...`\n" + }, + { + "pattern-not": "$X + ...\n" + }, + { + "focus-metavariable": "$X" + } + ], + "requires": "TAINTED" + }, + { + "by-side-effect": true, + "label": "CLEAN", + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$A($SOURCE)" + }, + { + "pattern": "$SANITIZE. ... .$A($SOURCE)" + }, + { + "pattern": "$A. ... .$SANITIZE($SOURCE)" + } + ] + }, + { + "focus-metavariable": "$SOURCE" + }, + { + "metavariable-regex": { + "metavariable": "$A", + "regex": "(?i)(.*valid|.*sanitiz)" + } + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-jwt-decoded-property", + "languages": [ + "js", + "ts" + ], + "message": "Property decoded from JWT token without verifying and cannot be trustworthy.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-922: Insecure Storage of Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "react" + ] + }, + "patterns": [ + { + "pattern-inside": "import jwt_decode from \"jwt-decode\";\n...\n" + }, + { + "pattern-inside": "$DECODED = jwt_decode($TOKEN,...);\n...\n" + }, + { + "pattern": "$DECODED.$PROPERTY" + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-jwt-in-localstorage", + "languages": [ + "js", + "ts" + ], + "message": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie.", + "metadata": { + "category": "security", + "confidence": "LOW", + "cwe": [ + "CWE-922: Insecure Storage of Sensitive Information" + ], + "impact": "LOW", + "likelihood": "LOW", + "owasp": [ + "A01:2021 - Broken Access Control" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "react" + ] + }, + "patterns": [ + { + "pattern-inside": "import jwt_decode from \"jwt-decode\";\n...\n" + }, + { + "pattern-either": [ + { + "pattern": "$DECODED = jwt_decode($TOKEN,...);\n...\nlocalStorage.setItem($NAME, <... $TOKEN ...>);\n" + }, + { + "pattern": "$DECODED = jwt_decode(...);\n...\nlocalStorage.setItem($NAME, <... $DECODED ...>);\n" + } + ] + } + ], + "severity": "INFO" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-unsanitized-method", + "languages": [ + "js", + "ts" + ], + "message": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "HIGH", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln", + "https://developer.mozilla.org/en-US/docs/Web/API/Document/write", + "https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "react" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$S = new Remarkable()\n...\n" + } + ] + }, + { + "pattern": "$S.render(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "this.window.document. ... .$HTML('...',$SINK) \n" + }, + { + "pattern": "window.document. ... .$HTML('...',$SINK) \n" + }, + { + "pattern": "document.$HTML($SINK) \n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTML", + "regex": "(writeln|write)" + } + }, + { + "focus-metavariable": "$SINK" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "$PROP. ... .$HTML('...',$SINK) \n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTML", + "regex": "(insertAdjacentHTML)" + } + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ...({..., $X, ...}) { ... }\n" + }, + { + "pattern-inside": "function ...(..., $X, ...) { ... }\n" + } + ] + }, + { + "focus-metavariable": "$X" + }, + { + "pattern-either": [ + { + "pattern": "$X.$Y" + }, + { + "pattern": "$X[...]" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "id": "vendored-rules.typescript.react.security.audit.react-unsanitized-property", + "languages": [ + "js", + "ts" + ], + "message": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "MEDIUM", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html" + ], + "subcategory": [ + "vuln" + ], + "technology": [ + "react" + ] + }, + "mode": "taint", + "pattern-sanitizers": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "import $S from \"underscore.string\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"underscore.string\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$S.escapeHTML(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"dompurify\")\n...\n" + }, + { + "pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n" + }, + { + "pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S(...)\n...\n" + }, + { + "pattern": "$VALUE.sanitize(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-inside": "$VALUE = $S.sanitize\n...\n" + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "pattern": "$S.sanitize(...)" + }, + { + "pattern": "$S(...)" + } + ] + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'xss';\n...\n" + }, + { + "pattern-inside": "import * as $S from 'xss';\n...\n" + }, + { + "pattern-inside": "$S = require(\"xss\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import $S from 'sanitize-html';\n...\n" + }, + { + "pattern-inside": "import * as $S from \"sanitize-html\";\n...\n" + }, + { + "pattern-inside": "$S = require(\"sanitize-html\")\n...\n" + } + ] + }, + { + "pattern": "$S(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$S = new Remarkable()\n...\n" + } + ] + }, + { + "pattern": "$S.render(...)" + } + ] + } + ], + "pattern-sinks": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "$BODY = $REACT.useRef(...)\n...\n" + }, + { + "pattern-inside": "$BODY = useRef(...)\n...\n" + }, + { + "pattern-inside": "$BODY = findDOMNode(...)\n...\n" + }, + { + "pattern-inside": "$BODY = createRef(...)\n...\n" + }, + { + "pattern-inside": "$BODY = $REACT.findDOMNode(...)\n...\n" + }, + { + "pattern-inside": "$BODY = $REACT.createRef(...)\n...\n" + } + ] + }, + { + "pattern-either": [ + { + "pattern": "$BODY. ... .$HTML = $SINK \n" + }, + { + "pattern": "$BODY.$HTML = $SINK \n" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTML", + "regex": "(innerHTML|outerHTML)" + } + }, + { + "focus-metavariable": "$SINK" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern": "ReactDOM.findDOMNode(...).$HTML = $SINK" + } + ] + }, + { + "metavariable-regex": { + "metavariable": "$HTML", + "regex": "(innerHTML|outerHTML)" + } + }, + { + "focus-metavariable": "$SINK" + } + ] + } + ], + "pattern-sources": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "function ...({..., $X, ...}) { ... }\n" + }, + { + "pattern-inside": "function ...(..., $X, ...) { ... }\n" + } + ] + }, + { + "focus-metavariable": "$X" + }, + { + "pattern-either": [ + { + "pattern": "$X.$Y" + }, + { + "pattern": "$X[...]" + } + ] + } + ] + } + ], + "severity": "WARNING" + }, + { + "fix": "/* Use sql`...` template literals or parameterized queries instead */", + "id": "replit-rules.javascript.drizzle-orm.security.audit.ban-drizzle-sql-raw", + "languages": [ + "js", + "ts" + ], + "message": "Use of sql.raw() is not allowed as it may lead to SQL injection. Use parameterized queries with Drizzle's query builders instead.", + "metadata": { + "category": "security", + "references": [ + "https://orm.drizzle.team/docs/sql#sqlraw" + ], + "subcategory": [ + "audit" + ], + "technology": [ + "javascript", + "typescript", + "drizzle-orm" + ] + }, + "pattern-either": [ + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "const { sql } = require('drizzle-orm')\n...\n" + }, + { + "pattern-inside": "import { sql } from 'drizzle-orm'\n...\n" + } + ] + }, + { + "pattern": "sql.raw(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "import { sql as $ALIAS } from 'drizzle-orm'\n...\n" + }, + { + "pattern-inside": "const { sql: $ALIAS } = require('drizzle-orm')\n...\n" + } + ] + }, + { + "pattern": "$ALIAS.raw(...)" + } + ] + }, + { + "patterns": [ + { + "pattern-either": [ + { + "pattern-inside": "const $DRIZZLE = require('drizzle-orm')\n...\n" + }, + { + "pattern-inside": "import $DRIZZLE from 'drizzle-orm'\n...\n" + } + ] + }, + { + "pattern": "$DRIZZLE.sql.raw(...)" + } + ] + } + ], + "severity": "ERROR" + } + ] +} \ No newline at end of file diff --git a/.config/.semgrep/settings.yml b/.config/.semgrep/settings.yml new file mode 100644 index 0000000..ab07c08 --- /dev/null +++ b/.config/.semgrep/settings.yml @@ -0,0 +1,2 @@ +has_shown_metrics_notification: true +anonymous_user_id: e3c333de-dabb-4909-a90d-30c3616cc5f8 diff --git a/attached_assets/DSC01368 2.jpeg b/attached_assets/DSC01368 2.jpeg deleted file mode 100644 index 0a4e975..0000000 Binary files a/attached_assets/DSC01368 2.jpeg and /dev/null differ diff --git a/attached_assets/Fadia-167-crop_1749865267638.jpg b/attached_assets/Fadia-167-crop_1749865267638.jpg deleted file mode 100644 index 6bfbc49..0000000 Binary files a/attached_assets/Fadia-167-crop_1749865267638.jpg and /dev/null differ diff --git a/attached_assets/Fadia-167.jpg b/attached_assets/Fadia-167.jpg deleted file mode 100644 index 14337cd..0000000 Binary files a/attached_assets/Fadia-167.jpg and /dev/null differ diff --git a/attached_assets/Fadia-6_1749838606834.jpg b/attached_assets/Fadia-6_1749838606834.jpg deleted file mode 100644 index 97f9271..0000000 Binary files a/attached_assets/Fadia-6_1749838606834.jpg and /dev/null differ diff --git a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749993908224_1749993908225.txt b/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749993908224_1749993908225.txt deleted file mode 100644 index a332202..0000000 --- a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749993908224_1749993908225.txt +++ /dev/null @@ -1,152 +0,0 @@ - - - - - - Privacy Policy - Pilates with Fadia - - - -
-

Privacy Policy

- -
- Last Updated: [INSERT DATE] -
- -

At Pilates with Fadia ("we," "our," or "us"), we are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website pilateswithfadia.com and use our services.

- -

1. Information We Collect

- -

Personal Information

-

We may collect personal information that you voluntarily provide to us, including:

-
    -
  • Name and contact information (email address, phone number, mailing address)
    • -
  • Account credentials (username and password)
    • -
  • Payment information (processed securely through third-party payment processors)
    • -
  • Health and fitness information relevant to your Pilates practice
    • -
  • Class preferences and booking history
    • -
  • Communication preferences
    • -
- -

Automatically Collected Information

-

When you visit our website, we may automatically collect:

-
    -
  • IP address and location data
    • -
  • Browser type and version
    • -
  • Device information
    • -
  • Pages visited and time spent on our site
    • -
  • Referring website information
    • -
- -

2. How We Use Your Information

-

We use your information to:

-
    -
  • Provide and improve our Pilates services and classes
    • -
  • Process bookings and payments
    • -
  • Send class schedules, updates, and important notifications
    • -
  • Respond to your inquiries and provide customer support
    • -
  • Personalize your experience and class recommendations
    • -
  • Send marketing communications (with your consent)
    • -
  • Ensure the safety and security of our services
    • -
  • Comply with legal obligations
    • -
- -

3. Information Sharing and Disclosure

-

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

-
    -
  • Service Providers: With trusted third-party service providers who assist us in operating our website and providing services
    • -
  • Legal Requirements: When required by law or to protect our rights and safety
    • -
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
    • -
  • Consent: With your explicit consent for specific purposes
    • -
- -

4. Data Security

-

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet is 100% secure.

- -

5. Your Rights and Choices

-

You have the right to:

-
    -
  • Access, update, or delete your personal information
    • -
  • Opt-out of marketing communications
    • -
  • Request data portability
    • -
  • Object to certain data processing activities
    • -
  • Withdraw consent at any time
    • -
- -

6. Cookies and Tracking Technologies

-

We use cookies and similar tracking technologies to enhance your browsing experience. Please refer to our Cookie Policy for detailed information about our use of cookies.

- -

7. Third-Party Links

-

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

- -

8. Children's Privacy

-

Our services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

- -

9. International Data Transfers

-

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers.

- -

10. Data Retention

-

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.

- -

11. Changes to This Privacy Policy

-

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last Updated" date.

- -

12. Contact Us

-
-

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

-

Pilates with Fadia
- Email: [INSERT EMAIL]
- Phone: [INSERT PHONE]
- Address: [INSERT ADDRESS]
- Website: pilateswithfadia.com

-
-
- - \ No newline at end of file diff --git a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997966373_1749997966374.txt b/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997966373_1749997966374.txt deleted file mode 100644 index 3208a9d..0000000 --- a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997966373_1749997966374.txt +++ /dev/null @@ -1,207 +0,0 @@ - - - - - - Terms of Service - Pilates with Fadia - - - -
-

Terms of Service

- -
- Last Updated: [INSERT DATE] -
- -

Welcome to Pilates with Fadia. These Terms of Service ("Terms") govern your use of our website pilateswithfadia.com and our services. By accessing or using our services, you agree to be bound by these Terms.

- -

1. Acceptance of Terms

-

By accessing and using our website and services, you accept and agree to be bound by the terms and provision of this agreement. If you do not agree to abide by the above, please do not use this service.

- -

2. Description of Services

-

Pilates with Fadia provides:

-
    -
  • In-person and virtual Pilates classes
    • -
  • Private and group instruction
    • -
  • Wellness coaching and fitness guidance
    • -
  • Online class booking and scheduling
    • -
  • Educational content and resources
    • -
- -

3. User Registration and Accounts

-

To access certain services, you may be required to create an account. You agree to:

-
    -
  • Provide accurate, current, and complete information
    • -
  • Maintain and update your account information
    • -
  • Keep your login credentials secure and confidential
    • -
  • Notify us immediately of any unauthorized use of your account
    • -
  • Accept responsibility for all activities under your account
    • -
- -

4. Health and Safety Considerations

-
- Important Health Notice: Pilates and physical exercise involve inherent risks. By participating in our classes and services, you acknowledge and assume these risks. -
- -

Before participating in any classes, you agree to:

-
    -
  • Consult with a healthcare provider if you have any medical conditions
    • -
  • Inform us of any injuries, limitations, or health concerns
    • -
  • Listen to your body and exercise within your limits
    • -
  • Follow all safety instructions provided by instructors
    • -
  • Understand that you participate at your own risk
    • -
- -

5. Class Policies

- -

Booking and Cancellation

-
    -
  • Classes must be booked in advance through our booking system
    • -
  • Cancellations must be made at least [INSERT TIME] hours before class
    • -
  • Late cancellations may result in forfeiture of class credit
    • -
  • No-shows will be charged the full class fee
    • -
  • We reserve the right to cancel classes due to low enrollment or unforeseen circumstances
    • -
- -

Class Conduct

-
    -
  • Arrive on time for classes
    • -
  • Turn off or silence mobile devices
    • -
  • Respect other participants and instructors
    • -
  • Follow studio rules and guidelines
    • -
  • Maintain appropriate attire and hygiene
    • -
- -

6. Payment Terms

-
    -
  • Payment is due at the time of booking unless otherwise arranged
    • -
  • We accept major credit cards and other approved payment methods
    • -
  • Package deals and memberships are non-refundable unless required by law
    • -
  • Prices are subject to change with reasonable notice
    • -
  • Outstanding balances may result in suspension of services
    • -
- -

7. Refund and Cancellation Policy

-
    -
  • Refunds are considered on a case-by-case basis
    • -
  • Medical exemptions may qualify for partial refunds with documentation
    • -
  • Credits may be offered in lieu of refunds when appropriate
    • -
  • Membership cancellations require [INSERT NOTICE PERIOD] written notice
    • -
- -

8. Intellectual Property Rights

-

All content on our website and in our classes, including but not limited to text, graphics, logos, images, video content, and software, is the property of Pilates with Fadia and is protected by copyright and other intellectual property laws.

- -

You may not:

-
    -
  • Copy, distribute, or reproduce our content without permission
    • -
  • Record classes without explicit written consent
    • -
  • Use our materials for commercial purposes
    • -
  • Modify or create derivative works from our content
    • -
- -

9. Privacy and Data Protection

-

Your privacy is important to us. Please review our Privacy Policy, which governs how we collect, use, and protect your personal information.

- -

10. Limitation of Liability

-

To the fullest extent permitted by law, Pilates with Fadia shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising out of your use of our services, even if we have been advised of the possibility of such damages.

- -

11. Indemnification

-

You agree to indemnify and hold harmless Pilates with Fadia, its instructors, and affiliates from any claims, damages, or expenses arising from your use of our services or violation of these Terms.

- -

12. Prohibited Uses

-

You may not use our services to:

-
    -
  • Violate any applicable laws or regulations
    • -
  • Harass, abuse, or harm other users or staff
    • -
  • Transmit malicious code or attempt to gain unauthorized access
    • -
  • Impersonate others or provide false information
    • -
  • Engage in any activity that interferes with our services
    • -
- -

13. Termination

-

We reserve the right to terminate or suspend your account and access to our services at our sole discretion, without prior notice, for conduct that we believe violates these Terms or is harmful to other users or our business.

- -

14. Modifications to Terms

-

We reserve the right to modify these Terms at any time. We will notify users of any material changes by posting the updated Terms on our website. Your continued use of our services after such modifications constitutes acceptance of the updated Terms.

- -

15. Governing Law

-

These Terms shall be governed by and construed in accordance with the laws of [INSERT JURISDICTION], without regard to its conflict of law principles.

- -

16. Dispute Resolution

-

Any disputes arising under these Terms shall be resolved through binding arbitration in accordance with the rules of [INSERT ARBITRATION RULES], except where prohibited by law.

- -

17. Severability

-

If any provision of these Terms is found to be unenforceable or invalid, the remaining provisions will continue to be valid and enforceable.

- -

18. Contact Information

-
-

If you have any questions about these Terms of Service, please contact us:

-

Pilates with Fadia
- Email: [INSERT EMAIL]
- Phone: [INSERT PHONE]
- Address: [INSERT ADDRESS]
- Website: pilateswithfadia.com

-
- -

By using our services, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.

-
- - \ No newline at end of file diff --git a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997976869_1749997976869.txt b/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997976869_1749997976869.txt deleted file mode 100644 index f4b585f..0000000 --- a/attached_assets/Pasted--DOCTYPE-html-html-lang-en-head-meta-charset-UTF-8-meta-name-viewport-con-1749997976869_1749997976869.txt +++ /dev/null @@ -1,286 +0,0 @@ - - - - - - Cookie Policy - Pilates with Fadia - - - -
-

Cookie Policy

- -
- Last Updated: [INSERT DATE] -
- -

This Cookie Policy explains how Pilates with Fadia ("we," "our," or "us") uses cookies and similar tracking technologies on our website pilateswithfadia.com ("Site"). This policy should be read alongside our Privacy Policy.

- -

1. What Are Cookies?

-

Cookies are small text files that are placed on your device (computer, smartphone, tablet) when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners about how users interact with their sites.

- -

2. How We Use Cookies

-

We use cookies to:

-
    -
  • Remember your preferences and settings
    • -
  • Keep you logged into your account
    • -
  • Analyze how our website is used and improve its performance
    • -
  • Provide personalized content and recommendations
    • -
  • Enable social media features
    • -
  • Measure the effectiveness of our marketing campaigns
    • -
  • Ensure the security of our website
    • -
- -

3. Types of Cookies We Use

- -
-

Essential Cookies

-

Purpose: These cookies are necessary for the website to function properly. They enable core functionality such as security, network management, and accessibility.

-

Examples: Login authentication, shopping cart functionality, security features

-

Can be disabled: No - the website cannot function without these cookies

-
- -
-

Functional Cookies

-

Purpose: These cookies enable the website to provide enhanced functionality and personalization, such as remembering your preferences.

-

Examples: Language preferences, region selection, accessibility settings

-

Can be disabled: Yes - but may affect website functionality

-
- -
-

Analytics Cookies

-

Purpose: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously.

-

Examples: Google Analytics, page visit tracking, user behavior analysis

-

Can be disabled: Yes

-
- -
-

Marketing Cookies

-

Purpose: These cookies are used to track visitors across websites to display relevant and engaging advertisements.

-

Examples: Social media pixels, advertising network cookies, retargeting cookies

-

Can be disabled: Yes

-
- -

4. Specific Cookies We Use

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cookie NameTypePurposeDuration
session_idEssentialMaintains user session and login stateSession
user_preferencesFunctionalStores user preferences and settings1 year
_gaAnalyticsGoogle Analytics - distinguishes unique users2 years
_gatAnalyticsGoogle Analytics - throttles request rate1 minute
_gidAnalyticsGoogle Analytics - distinguishes unique users24 hours
fb_pixelMarketingFacebook advertising and retargeting3 months
- -

5. Third-Party Cookies

-

We may also use third-party services that set their own cookies on our website, including:

-
    -
  • Google Analytics: For website analytics and performance monitoring
    • -
  • Social Media Platforms: For social sharing and engagement features
    • -
  • Payment Processors: For secure payment processing
    • -
  • Booking Systems: For class scheduling and appointment booking
    • -
  • Live Chat Services: For customer support features
    • -
- -

6. Cookie Duration

-

Cookies may be either:

-
    -
  • Session Cookies: Temporary cookies that are deleted when you close your browser
    • -
  • Persistent Cookies: Cookies that remain on your device for a set period or until you delete them
    • -
- -

7. Managing Your Cookie Preferences

- -
-

Browser Settings

-

You can control and manage cookies through your browser settings. Most browsers allow you to:

-
    -
  • View what cookies have been set and delete them individually
    • -
  • Block third-party cookies
    • -
  • Block cookies from particular sites
    • -
  • Block all cookies from being set
    • -
  • Delete all cookies when you close your browser
    • -
-
- -

Browser-Specific Instructions:

-
    -
  • Chrome: Settings > Privacy and Security > Cookies and other site data
    • -
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
    • -
  • Safari: Preferences > Privacy > Manage Website Data
    • -
  • Edge: Settings > Cookies and site permissions
    • -
- -

Opt-Out Tools

- - -

8. Mobile Device Settings

-

For mobile devices, you can manage cookies and tracking through your device settings:

-
    -
  • iOS: Settings > Privacy > Tracking / Settings > Safari > Privacy & Security
    • -
  • Android: Settings > Privacy > Advanced > Site Settings > Cookies
    • -
- -

9. Impact of Disabling Cookies

-

Please note that disabling certain cookies may impact your experience on our website:

-
    -
  • You may need to re-enter information more frequently
    • -
  • Some website features may not work properly
    • -
  • Personalized content and recommendations may not be available
    • -
  • You may still see advertisements, but they will be less relevant
    • -
- -

10. Do Not Track Signals

-

Some browsers include a "Do Not Track" feature that lets you tell websites you do not want to have your online activities tracked. Our website does not currently respond to Do Not Track browser signals or mechanisms.

- -

11. Updates to This Cookie Policy

-

We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or our business practices. We will notify you of any significant changes by posting the updated policy on our website.

- -

12. Contact Us

-
-

If you have any questions about our use of cookies or this Cookie Policy, please contact us:

-

Pilates with Fadia
- Email: [INSERT EMAIL]
- Phone: [INSERT PHONE]
- Address: [INSERT ADDRESS]
- Website: pilateswithfadia.com

-
- -

By continuing to use our website, you consent to our use of cookies in accordance with this Cookie Policy.

-
- - \ No newline at end of file diff --git a/attached_assets/fadia-bridge3_1749866400701.jpg b/attached_assets/fadia-bridge3_1749866400701.jpg deleted file mode 100644 index 148fafd..0000000 Binary files a/attached_assets/fadia-bridge3_1749866400701.jpg and /dev/null differ diff --git a/attached_assets/save.jpeg b/attached_assets/save.jpeg deleted file mode 100644 index b8130a3..0000000 Binary files a/attached_assets/save.jpeg and /dev/null differ diff --git a/attached_assets/screenshot-1746834255836.png b/attached_assets/screenshot-1746834255836.png deleted file mode 100644 index 963a2c0..0000000 Binary files a/attached_assets/screenshot-1746834255836.png and /dev/null differ diff --git a/attached_assets/targeted_element_1749831126802.png b/attached_assets/targeted_element_1749831126802.png deleted file mode 100644 index 191b196..0000000 Binary files a/attached_assets/targeted_element_1749831126802.png and /dev/null differ diff --git a/attached_assets/targeted_element_1749831527971.png b/attached_assets/targeted_element_1749831527971.png deleted file mode 100644 index 191b196..0000000 Binary files a/attached_assets/targeted_element_1749831527971.png and /dev/null differ