jeffemmett
/
pwf-website-new
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pwf-website-new/.config/.semgrep/semgrep_rules.json

85514 lines
2.8 MiB
Raw Blame History

{
"rules": [
{
"id": "vendored-rules.bash.curl.security.curl-eval",
"languages": [
"bash"
],
"message": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"bash",
"curl"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "eval ..."
}
],
"pattern-sources": [
{
"pattern": "$(curl ...)\n"
},
{
"pattern": "`curl ...`\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.bash.curl.security.curl-pipe-bash",
"languages": [
"bash"
],
"message": "Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"bash",
"curl"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "curl ... | ... bash ..."
},
{
"pattern": "curl ... | ... /bin/bash ..."
},
{
"pattern": "... bash <(curl ...)"
},
{
"pattern": "... /bin/bash <(curl ...)"
},
{
"pattern": "... bash -c \"$(curl ...)\""
},
{
"pattern": "... /bin/bash -c \"$(curl ...)\""
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.bash.lang.security.ifs-tampering",
"languages": [
"bash"
],
"message": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-20: Improper Input Validation"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"bash"
]
},
"pattern": "IFS=...",
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.double-free",
"languages": [
"c"
],
"message": "Variable '$VAR' was freed twice. This can lead to undefined behavior.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-415: Double Free"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection",
"A01:2017 - Injection"
],
"references": [
"https://cwe.mitre.org/data/definitions/415.html",
"https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory"
],
"subcategory": [
"vuln"
],
"technology": [
"c"
]
},
"patterns": [
{
"pattern-not": "free($VAR);\n...\n$VAR = NULL;\n...\nfree($VAR);\n"
},
{
"pattern-not": "free($VAR);\n...\n$VAR = malloc(...);\n...\nfree($VAR);\n"
},
{
"pattern-inside": "free($VAR);\n...\n$FREE($VAR);\n"
},
{
"metavariable-pattern": {
"metavariable": "$FREE",
"pattern": "free"
}
},
{
"focus-metavariable": "$FREE"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.c.lang.security.function-use-after-free",
"languages": [
"c"
],
"message": "Variable '$VAR' was passed to a function after being freed. This can lead to undefined behavior.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-416: Use After Free"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/416.html",
"https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/"
],
"subcategory": [
"vuln"
],
"technology": [
"c"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$FUNC(..., <... $VAR ...>, ...)"
},
{
"pattern": "$FUNC(..., <... $VAR->$ACCESSOR ...>, ...)"
},
{
"pattern": "$FUNC(..., <... (*$VAR).$ACCESSOR ...>, ...)"
},
{
"pattern": "$FUNC(..., <... $VAR[$NUM] ...>, ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(?!^free$)"
}
},
{
"pattern-inside": "free($VAR); ..."
},
{
"pattern-not-inside": "free($VAR); ... $VAR = NULL; ..."
},
{
"pattern-not-inside": "free($VAR); ... $VAR = malloc(...); ..."
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.info-leak-on-non-formated-string",
"languages": [
"c"
],
"message": "Use %s, %d, %c... to format your variables, otherwise this could leak information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-532: Insertion of Sensitive Information into Log File"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A09:2021 - Security Logging and Monitoring Failures"
],
"references": [
"http://nebelwelt.net/files/13PPREW.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern": "printf(argv[$NUM]);",
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-gets-fn",
"languages": [
"c"
],
"message": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern": "gets(...)",
"severity": "ERROR"
},
{
"fix": "memset_s($...VARS)",
"id": "vendored-rules.c.lang.security.insecure-use-memset",
"languages": [
"c"
],
"message": "When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-14: Compiler Removal of Code to Clear Buffers"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://cwe.mitre.org/data/definitions/14.html",
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern": "memset($...VARS)",
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-printf-fn",
"languages": [
"c"
],
"message": "Avoid using user-controlled format strings passed into 'sprintf', 'printf' and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-134: Use of Externally-Controlled Format String"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://doc.castsoftware.com/display/SBX/Never+use+sprintf%28%29+or+vsprintf%28%29+functions",
"https://www.cvedetails.com/cwe-details/134/Uncontrolled-Format-String.html"
],
"subcategory": [
"vuln"
],
"technology": [
"c"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nvsprintf(..., $BUFFER, ...);\n"
},
{
"pattern": "vsprintf(..., argv[$NUM], ...)"
},
{
"pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nsprintf(..., $BUFFER, ...);\n"
},
{
"pattern": "sprintf(...,argv[$NUM],...)"
},
{
"pattern": "$FUNC($BUFFER, argv[$NUM], ...);\n...\nprintf(..., $BUFFER, ...);\n"
},
{
"pattern": "printf(...,argv[$NUM],...)"
}
]
},
{
"metavariable-comparison": {
"comparison": "int($NUM) > 0",
"metavariable": "$NUM"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-scanf-fn",
"languages": [
"c"
],
"message": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern": "scanf(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-strcat-fn",
"languages": [
"c"
],
"message": "Finding triggers whenever there is a strcat or strncat used. This is an issue because strcat or strncat can lead to buffer overflow vulns. Fix this by using strcat_s instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-12553",
"https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern-either": [
{
"pattern": "strcat(...)"
},
{
"pattern": "strncat(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-string-copy-fn",
"languages": [
"c"
],
"message": "Finding triggers whenever there is a strcpy or strncpy used. This is an issue because strcpy does not affirm the size of the destination array and strncpy will not automatically NULL-terminate strings. This can lead to buffer overflows, which can cause program crashes and potentially let an attacker inject code in the program. Fix this by using strcpy_s instead (although note that strcpy_s is an optional part of the C11 standard, and so may not be available).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/676",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11365"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern-either": [
{
"pattern": "strcpy(...)"
},
{
"pattern": "strncpy(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.insecure-use-strtok-fn",
"languages": [
"c"
],
"message": "Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged",
"https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS",
"https://stackoverflow.com/a/40335556"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern": "strtok(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.random-fd-exhaustion",
"languages": [
"c"
],
"message": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://lwn.net/Articles/606141/"
],
"subcategory": [
"audit"
],
"technology": [
"c"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "$FD = open(\"/dev/urandom\", ...);\n...\nread($FD, ...);\n"
},
{
"pattern-not": "$FD = open(\"/dev/urandom\", ...);\n...\n$BYTES_READ = read($FD, ...);\n"
}
]
},
{
"patterns": [
{
"pattern": "$FD = open(\"/dev/random\", ...);\n...\nread($FD, ...);\n"
},
{
"pattern-not": "$FD = open(\"/dev/random\", ...);\n...\n$BYTES_READ = read($FD, ...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.c.lang.security.use-after-free",
"languages": [
"c"
],
"message": "Variable '$VAR' was used after being freed. This can lead to undefined behavior.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-416: Use After Free"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/416.html",
"https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/"
],
"subcategory": [
"vuln"
],
"technology": [
"c"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$VAR->$ACCESSOR"
},
{
"pattern": "(*$VAR).$ACCESSOR"
},
{
"pattern": "$VAR[$NUM]"
}
]
},
{
"pattern-inside": "free($VAR); ..."
},
{
"pattern-not-inside": "$VAR = NULL; ..."
},
{
"pattern-not-inside": "free($VAR); ... $VAR = malloc(...); ..."
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.clojure.lang.security.command-injection-shell-call",
"languages": [
"clojure"
],
"message": "A call to clojure.java.shell has been found, this could lead to an RCE if the inputs are user-controllable. Please ensure their origin is validated and sanitized.",
"metadata": {
"author": "Gabriel Marquet <gab.marquet@gmail.com>",
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://clojuredocs.org/clojure.java.shell/sh"
],
"subcategory": [
"audit"
],
"technology": [
"clojure"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "(ns ...\n...\n(:require \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n"
},
{
"pattern-inside": "(ns ...\n...\n(:use \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "(sh $BASH ...)"
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern": "(sh $ARG ...)"
},
{
"pattern-not": "(sh \"...\" ...)"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.clojure.lang.security.documentbuilderfactory-xxe",
"languages": [
"clojure"
],
"message": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://xerces.apache.org/xerces2-j/features.html"
],
"source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/xxe-clojure-xml/xxe-clojure-xml.yml",
"subcategory": [
"vuln"
],
"technology": [
"clojure",
"xml"
]
},
"patterns": [
{
"pattern-inside": "(ns ... (:require [clojure.xml :as ...]))\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "(def ... ... ( ... ))\n"
},
{
"pattern-inside": "(defn ... ... ( ... ))\n"
}
]
},
{
"pattern-either": [
{
"pattern": "(clojure.xml/parse $INPUT)"
},
{
"patterns": [
{
"pattern-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance) ...)\n"
},
{
"pattern": "(.setFeature \"http://apache.org/xml/features/disallow-doctype-decl\" false)"
},
{
"pattern-not-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance)\n ...\n (.setFeature \"http://xml.org/sax/features/external-general-entities\" false)\n ...\n (.setFeature \"http://xml.org/sax/features/external-parameter-entities\" false)\n ...)\n"
},
{
"pattern-not-inside": "(doto (javax.xml.parsers.SAXParserFactory/newInstance)\n ...\n (.setFeature \"http://xml.org/sax/features/external-parameter-entities\" false)\n ...\n (.setFeature \"http://xml.org/sax/features/external-general-entities\" false)\n ...)\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.clojure.lang.security.use-of-md5",
"languages": [
"clojure"
],
"message": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.",
"metadata": {
"author": "Gabriel Marquet <gab.marquet@gmail.com>",
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html",
"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml",
"subcategory": [
"vuln"
],
"technology": [
"clojure"
]
},
"pattern-either": [
{
"pattern": "(MessageDigest/getInstance \"MD5\")"
},
{
"pattern": "(MessageDigest/getInstance MessageDigestAlgorithms/MD5)"
},
{
"pattern": "(MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)"
},
{
"pattern": "(java.security.MessageDigest/getInstance \"MD5\")"
},
{
"pattern": "(java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)"
},
{
"pattern": "(java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.clojure.lang.security.use-of-sha1",
"languages": [
"clojure"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"CWE-328: Use of Weak Hash"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html",
"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"clojure"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "(MessageDigest/getInstance $ALGO)"
},
{
"pattern": "(java.security.MessageDigest/getInstance $ALGO)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": "(((org\\.apache\\.commons\\.codec\\.digest\\.)?MessageDigestAlgorithms/)?\"?(SHA-1|SHA1)\"?)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.clojure.security.clojure-read-string.read-string-unsafe",
"languages": [
"clojure"
],
"message": "The default core Clojure read-string method is dangerous and can lead to deserialization vulnerabilities. Use the edn/read-string instead.",
"metadata": {
"author": "Gabriel Marquet <gab.marquet@gmail.com>",
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2020-top25": true,
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"http://www.learningclojure.com/2013/02/clojures-reader-is-unsafe.html#post-body-2898830171141471587",
"https://ericnormand.me/article/clojure-web-security",
"https://github.com/jafingerhut/jafingerhut.github.com/blob/master/clojure-info/using-edn-safely.md#vulnerabilities-in-clojurecores-read-and-read-string"
],
"source-rule-url": "https://github.com/clj-holmes/clj-holmes-rules/tree/main/security/clojure-read-string",
"subcategory": [
"audit"
],
"technology": [
"clojure"
]
},
"patterns": [
{
"pattern-not-inside": "(ns ...\n(... :exclude [read read-string]))\n...\n(defn $VAR [$X]...)\n"
},
{
"pattern-inside": "(defn $VAR [$X]...)\n"
},
{
"pattern": "(read-string $X)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.dotnet.security.mvc-missing-antiforgery",
"languages": [
"csharp"
],
"message": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery",
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests"
],
"subcategory": [
"audit"
],
"technology": [
".net",
"mvc"
]
},
"patterns": [
{
"pattern": "[$HTTPMETHOD]\npublic IActionResult $METHOD(...){\n ...\n}\n"
},
{
"pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n"
},
{
"pattern-not": "[ValidateAntiForgeryToken]\npublic IActionResult $METHOD(...){\n ...\n}\n"
},
{
"pattern-not": "[Consumes(...)]\npublic IActionResult $METHOD(...){\n ...\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$HTTPMETHOD",
"regex": "Http(Post|Put|Delete|Patch)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.net-webconfig-debug",
"languages": [
"generic"
],
"message": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/",
"https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"paths": {
"include": [
"*web.config*"
]
},
"patterns": [
{
"pattern": "<compilation ... debug = \"true\" ... />\n"
},
{
"pattern-inside": "<system.web>\n ...\n</system.web>\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.net-webconfig-trace-enabled",
"languages": [
"generic"
],
"message": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1323: Improper Management of Sensitive Trace Data"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A05:2021 - Security Misconfiguration",
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance",
"https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"paths": {
"include": [
"*web.config*"
]
},
"patterns": [
{
"pattern": "<trace ... enabled = \"true\" ... />\n"
},
{
"pattern-inside": "<system.web>\n ...\n</system.web>\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.razor-template-injection",
"languages": [
"csharp"
],
"message": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"razor",
"asp"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"not_conflicting": true,
"pattern": "$F(...)"
}
],
"pattern-sinks": [
{
"pattern": "Razor.Parse(...)\n"
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$ARG"
},
{
"pattern-inside": "public ActionResult $METHOD(..., string $ARG,...){...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.use_deprecated_cipher_algorithm",
"languages": [
"csharp"
],
"message": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern": "$KEYTYPE.Create(...);"
},
{
"metavariable-pattern": {
"metavariable": "$KEYTYPE",
"pattern-either": [
{
"pattern": "DES"
},
{
"pattern": "RC2"
}
]
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.dotnet.security.use_ecb_mode",
"languages": [
"csharp"
],
"message": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0",
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "($KEYTYPE $KEY).EncryptEcb(...);"
},
{
"pattern": "($KEYTYPE $KEY).DecryptEcb(...);"
},
{
"pattern": "($KEYTYPE $KEY).Mode = CipherMode.ECB;"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$KEYTYPE",
"pattern-either": [
{
"pattern": "SymmetricAlgorithm"
},
{
"pattern": "Aes"
},
{
"pattern": "Rijndael"
},
{
"pattern": "DES"
},
{
"pattern": "TripleDES"
},
{
"pattern": "RC2"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.use_weak_rng_for_keygeneration",
"languages": [
"csharp"
],
"message": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks",
"https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0",
"https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors",
"https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "($KEYTYPE $CIPHER).Key = $SINK;"
},
{
"focus-metavariable": "$SINK"
},
{
"metavariable-pattern": {
"metavariable": "$KEYTYPE",
"pattern-either": [
{
"pattern": "SymmetricAlgorithm"
},
{
"pattern": "Aes"
},
{
"pattern": "Rijndael"
},
{
"pattern": "DES"
},
{
"pattern": "TripleDES"
},
{
"pattern": "RC2"
}
]
}
}
]
},
{
"pattern": "new AesGcm(...)"
},
{
"pattern": "new AesCcm(...)"
},
{
"pattern": "new ChaCha20Poly1305(...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "(System.Random $RNG).NextBytes($KEY); ..."
},
{
"pattern": "$KEY"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.dotnet.security.use_weak_rsa_encryption_padding",
"languages": [
"csharp"
],
"message": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-780: Use of RSA Algorithm without OAEP"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter",
"https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"pattern-either": [
{
"pattern": "(RSAPKCS1KeyExchangeFormatter $FORMATER).CreateKeyExchange(...);"
},
{
"pattern": "(RSAPKCS1KeyExchangeDeformatter $DEFORMATER).DecryptKeyExchange(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.web-config-insecure-cookie-settings",
"languages": [
"generic"
],
"message": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies",
"https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL",
"https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL"
],
"subcategory": [
"audit"
],
"technology": [
".net",
"asp",
"webforms"
]
},
"paths": {
"include": [
"*web.config"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "requireSSL=\"false\"\n"
},
{
"pattern": "cookieRequireSSL=\"false\"\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "<httpCookies ...>\n"
},
{
"pattern-inside": "<forms ...>\n"
},
{
"pattern-inside": "<roleManager ...>\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.ldap-injection",
"languages": [
"csharp"
],
"message": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection/",
"https://cwe.mitre.org/data/definitions/90",
"https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"mode": "taint",
"options": {
"taint_unify_mvars": true
},
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "Regex.Replace($INPUT, ...)"
},
{
"pattern": "$ENCODER.LdapFilterEncode($INPUT)"
},
{
"pattern": "$ENCODER.LdapDistinguishedNameEncode($INPUT)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$S.Filter = ... + $INPUT + ..."
},
{
"pattern": "$S.Filter = String.Format(...,$INPUT)"
},
{
"pattern": "$S.Filter = String.Concat(...,$INPUT)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$INPUT"
},
{
"pattern-inside": "$T $M($INPUT,...) {...}"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.mass-assignment",
"languages": [
"csharp"
],
"message": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/915.html",
"https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "View(...)"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "public IActionResult $METHOD(..., $TYPE $ARG, ...){\n ...\n}\n"
},
{
"pattern": "public ActionResult $METHOD(..., $TYPE $ARG, ...){\n ...\n}\n"
}
]
},
{
"pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n"
},
{
"pattern-not": "public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){\n ...\n}\n"
},
{
"pattern-not": "public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){\n ...\n}\n"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.misconfigured-lockout-option",
"languages": [
"csharp"
],
"message": "A misconfigured lockout mechanism allows an attacker to execute brute-force attacks. Account lockout must be correctly configured and enabled to prevent these attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-307: Improper Restriction of Excessive Authentication Attempts"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures",
"https://cwe.mitre.org/data/definitions/307.html"
],
"subcategory": [
"audit"
],
"technology": [
"dotnet"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SIGNIN.PasswordSignInAsync(...,lockoutOnFailure: false,...);\n"
},
{
"pattern": "$SIGNIN.CheckPasswordSignInAsync(...,lockoutOnFailure: false,...);\n"
}
]
},
{
"pattern-inside": "public async $TYPE<IActionResult> $METHOD(...) {\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.missing-or-broken-authorization",
"languages": [
"csharp"
],
"message": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-862: Missing Authorization"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"cwe2023-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control",
"https://cwe.mitre.org/data/definitions/862.html",
"https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"mvc"
]
},
"patterns": [
{
"pattern": "public class $CLASS : Controller {\n ...\n}\n"
},
{
"pattern-inside": "using Microsoft.AspNetCore.Mvc;\n...\n"
},
{
"pattern-not": "[AllowAnonymous]\npublic class $CLASS : Controller {\n ...\n}\n"
},
{
"pattern-not": "[Authorize]\npublic class $CLASS : Controller {\n ...\n}\n"
},
{
"pattern-not": "[Authorize(Roles = ...)]\npublic class $CLASS : Controller {\n ...\n}\n"
},
{
"pattern-not": "[Authorize(Policy = ...)]\npublic class $CLASS : Controller {\n ...\n}\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.open-directory-listing",
"languages": [
"csharp"
],
"message": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-548: Exposure of Information Through Directory Listing"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A01:2021 - Broken Access Control"
],
"references": [
"https://cwe.mitre.org/data/definitions/548.html",
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
"https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"mvc"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "(IApplicationBuilder $APP).UseDirectoryBrowser(...);"
},
{
"pattern": "$BUILDER.Services.AddDirectoryBrowser(...);"
}
]
},
{
"pattern-inside": "public void Configure(...) {\n ...\n}\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.razor-use-of-htmlstring",
"languages": [
"generic"
],
"message": "ASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://cwe.mitre.org/data/definitions/116.html",
"https://owasp.org/Top10/A03_2021-Injection/",
"https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-6.0#html-encoding-using-razor"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"paths": {
"include": [
"*.cshtml"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "new ...HtmlString(...)"
},
{
"pattern": "@(new ...HtmlString(...))"
}
]
},
{
"pattern-not-inside": "@(new ...HtmlString(...HtmlEncode(...)))"
},
{
"pattern-not-inside": "@(new ...HtmlString(...Encode(...)))"
},
{
"pattern-not-inside": "new ...HtmlString(...HtmlEncode(...))"
},
{
"pattern-not-inside": "new ...HtmlString(...Encode(...))"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.dotnet.security.audit.xpath-injection",
"languages": [
"csharp"
],
"message": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection/",
"https://cwe.mitre.org/data/definitions/643.html"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "XPathExpression $EXPR = $NAV.Compile(\"...\" + $INPUT + \"...\");"
},
{
"pattern": "var $EXPR = $NAV.Compile(\"...\" + $INPUT + \"...\");"
},
{
"pattern": "XPathNodeIterator $NODE = $NAV.Select(\"...\" + $INPUT + \"...\");"
},
{
"pattern": "var $NODE = $NAV.Select(\"...\" + $INPUT + \"...\");"
},
{
"pattern": "Object $OBJ = $NAV.Evaluate(\"...\" + $INPUT + \"...\");"
},
{
"pattern": "var $OBJ = $NAV.Evaluate(\"...\" + $INPUT + \"...\");"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "$T $M($INPUT,...) {...}"
},
{
"pattern": "$T $M(...) {\n ...\n string $INPUT;\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.missing-hsts-header",
"languages": [
"csharp"
],
"message": "The HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-346: Origin Validation Error"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/346.html",
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
],
"subcategory": [
"audit"
],
"technology": [
"dotnet"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "public void Configure(...) {\n ...\n (IApplicationBuilder $APP). ...;\n ...\n}\n"
},
{
"focus-metavariable": "$APP"
},
{
"pattern-not-inside": "public void Configure(...) {\n ...\n (IApplicationBuilder $APP).UseHsts(...);\n ...\n}\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "public void ConfigureServices(...) {\n ...\n (IServiceCollection $SERVICES). ...;\n ...\n}\n"
},
{
"focus-metavariable": "$SERVICES"
},
{
"pattern-not-inside": "public void ConfigureServices(...) {\n ...\n (IServiceCollection $SERVICES).AddHsts(...);\n ...\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.open-redirect",
"languages": [
"csharp"
],
"message": "A query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cwe.mitre.org/data/definitions/601.html"
],
"subcategory": [
"vuln"
],
"technology": [
"csharp"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "Redirect(...)"
},
{
"pattern-not-inside": "if (IsLocalUrl(...)) { \n ... \n Redirect(...); \n ...\n}\n"
},
{
"pattern-not-inside": "if ($URL.IsLocalUrl(...)) { \n ... \n Redirect(...); \n ...\n}\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$PARAM"
},
{
"pattern-inside": "public $TYPE $FUNCNAME (..., string $PARAM, ...) {\n ...\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.stacktrace-disclosure",
"languages": [
"csharp"
],
"message": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-209: Generation of Error Message Containing Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A04:2021 - Insecure Design"
],
"references": [
"https://cwe.mitre.org/data/definitions/209.html",
"https://owasp.org/Top10/A04_2021-Insecure_Design/"
],
"subcategory": [
"audit"
],
"technology": [
"csharp"
]
},
"patterns": [
{
"pattern": "$APP.UseDeveloperExceptionPage(...);"
},
{
"pattern-not-inside": "if ($ENV.IsDevelopment(...)) {\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"fix": "true\n",
"id": "vendored-rules.csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation",
"languages": [
"csharp"
],
"message": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-613: Insufficient Session Expiration"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/",
"https://cwe.mitre.org/data/definitions/613.html",
"https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet"
],
"subcategory": [
"audit"
],
"technology": [
"csharp"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$LIFETIME = $FALSE"
},
{
"pattern-inside": "new TokenValidationParameters {...}"
}
]
},
{
"patterns": [
{
"pattern": "(TokenValidationParameters $OPTS). ... .$LIFETIME = $FALSE\n"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$LIFETIME",
"regex": "(RequireExpirationTime|ValidateLifetime)"
}
},
{
"metavariable-regex": {
"metavariable": "$FALSE",
"regex": "(false)"
}
},
{
"focus-metavariable": "$FALSE"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.cryptography.X509-subject-name-validation",
"languages": [
"csharp"
],
"message": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.IdentityModel.Tokens;\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "X509SecurityToken $TOK = $RHS;\n...\n"
},
{
"pattern-inside": "$T $M(..., X509SecurityToken $TOK, ...) {\n ...\n}\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$RHS",
"pattern-either": [
{
"pattern": "$T as X509SecurityToken"
},
{
"pattern": "new X509SecurityToken(...)"
}
]
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "X509Certificate2 $CERT = new X509Certificate2(...);\n...\n"
},
{
"pattern-inside": "$T $M(..., X509Certificate2 $CERT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "foreach (X509Certificate2 $CERT in $COLLECTION) {\n ...\n}\n"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "String.Equals($NAME, \"...\")"
},
{
"pattern": "String.Equals(\"...\", $NAME)"
},
{
"pattern": "$NAME.Equals(\"...\")"
},
{
"pattern": "$NAME == \"...\""
},
{
"pattern": "$NAME != \"...\""
},
{
"pattern": "\"...\" == $NAME\n"
},
{
"pattern": "\"...\" != $NAME\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$NAME",
"pattern-either": [
{
"pattern": "$TOK.Certificate.SubjectName.Name"
},
{
"pattern": "$CERT.SubjectName.Name"
},
{
"pattern": "$CERT.GetNameInfo(...)"
}
]
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.cryptography.X509Certificate2-privkey",
"languages": [
"C#"
],
"message": "X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to `null` or set it to another key without deleting it first, the private key will be left on disk. ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-310: CWE CATEGORY: Cryptographic Issues"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.privatekey"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Security.Cryptography;\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "X509Certificate2Collection $COLLECTION = ...;\n...\n"
},
{
"pattern-inside": "X509Certificate2 $CERT = ...;\n...\n"
}
]
},
{
"pattern": "$CERT.PrivateKey"
}
],
"severity": "WARNING"
},
{
"fix": "RequireSignedTokens = true",
"id": "vendored-rules.csharp.lang.security.cryptography.unsigned-security-token",
"languages": [
"csharp"
],
"message": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-347: Improper Verification of Cryptographic Signature"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/",
"https://cwe.mitre.org/data/definitions/347"
],
"subcategory": [
"vuln"
],
"technology": [
"csharp"
]
},
"patterns": [
{
"pattern": "RequireSignedTokens = false"
},
{
"pattern-inside": "new TokenValidationParameters {\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.filesystem.unsafe-path-combine",
"languages": [
"csharp"
],
"message": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/",
"https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "Path.GetFileName(...)\n"
},
{
"patterns": [
{
"pattern-inside": "$X = Path.GetFileName(...);\n...\n"
},
{
"pattern": "$X"
}
]
},
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-inside": "if(<... Path.GetFileName($X) != $X ...>){\n ...\n throw new $EXCEPTION(...);\n}\n...\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$X"
},
{
"pattern": "File.$METHOD($X,...)\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(?i)^(read|write)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$A"
},
{
"pattern-inside": "Path.Combine(...,$A,...)\n"
},
{
"pattern-inside": "public $TYPE $M(...,$A,...){...}\n"
},
{
"pattern-not-inside": "<... Path.GetFileName($A) != $A ...>\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.http.http-listener-wildcard-bindings",
"languages": [
"C#"
],
"message": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Net;\n...\n"
},
{
"pattern": "$LISTENER.Prefixes.Add(\"$PREFIX\")"
},
{
"metavariable-regex": {
"metavariable": "$PREFIX",
"regex": "(http|https)://(\\*|\\+)(.[a-zA-Z]{2,})?:[0-9]+"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.injections.os-command-injection",
"languages": [
"csharp"
],
"message": "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/Command_Injection"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Diagnostics;\n...\n"
},
{
"pattern-inside": "public $T $F(..., $ARG, ...)\n{\n ...\n}\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "Process.Start($ARG, ...);\n"
},
{
"focus-metavariable": "$ARG"
}
]
},
{
"patterns": [
{
"pattern-inside": "Process $PROC = new Process();\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "$PROC.StartInfo.FileName = $ARG;\n...\n"
},
{
"pattern-inside": "$PROC.StartInfo.Arguments = <... $ARG ...>;\n...\n"
}
]
},
{
"pattern": "$PROC.Start();\n"
}
]
},
{
"patterns": [
{
"patterns": [
{
"pattern-inside": "ProcessStartInfo $PSINFO = new ProcessStartInfo()\n{\n ...\n};\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "FileName = $ARG;\n...\n"
},
{
"pattern-inside": "Arguments = <... $ARG ...>;\n...\n"
}
]
}
]
},
{
"pattern": "Process.Start($PSINFO);\n"
},
{
"focus-metavariable": "$PSINFO"
}
]
},
{
"patterns": [
{
"pattern-inside": "Process $PROC = new Process()\n{\n StartInfo = new ProcessStartInfo()\n {\n ...\n }\n};\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "FileName = $ARG;\n...\n"
},
{
"pattern-inside": "Arguments = $ARG;\n...\n"
}
]
},
{
"pattern": "$PROC.Start();\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-binaryformatter-deserialization",
"languages": [
"C#"
],
"message": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Runtime.Serialization.Formatters.Binary;\n...\n"
},
{
"pattern": "new BinaryFormatter();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.data-contract-resolver",
"languages": [
"C#"
],
"message": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern": "class $MYDCR : DataContractResolver { ... }\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-fastjson-deserialization",
"languages": [
"C#"
],
"message": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/mgholam/fastJSON#security-warning-update"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using fastJSON;\n...\n"
},
{
"pattern": "new JSONParameters\n{\n BadListTypeChecking = false\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-fspickler-deserialization",
"languages": [
"C#"
],
"message": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using MBrace.FsPickler.Json;\n...\n"
},
{
"pattern": "FsPickler.CreateJsonSerializer();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full",
"languages": [
"C#"
],
"message": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0",
"https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL }"
},
{
"patterns": [
{
"pattern-inside": "$TYPE $SP = new BinaryServerFormatterSinkProvider(...);\n...\n"
},
{
"pattern": "$SP.TypeFilterLevel = $LEVEL\n"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$LEVEL",
"regex": "(.*)TypeFilterLevel\\.(Full|Low)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$DICT[\"typeFilterLevel\"] = $VAL;\n...\n"
},
{
"pattern": "new BinaryServerFormatterSinkProvider(..., $DICT, ...)"
},
{
"metavariable-regex": {
"metavariable": "$VAL",
"regex": "(\\\"Full\\\"|\\\"Low\\\")"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-javascriptserializer-deserialization",
"languages": [
"C#"
],
"message": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Web.Script.Serialization;\n...\n"
},
{
"pattern": "new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-losformatter-deserialization",
"languages": [
"C#"
],
"message": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Web.UI;\n...\n"
},
{
"pattern": "new LosFormatter();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-netdatacontract-deserialization",
"languages": [
"C#"
],
"message": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Runtime.Serialization;\n...\n"
},
{
"pattern": "new NetDataContractSerializer();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-newtonsoft-deserialization",
"languages": [
"csharp"
],
"message": "TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks"
],
"subcategory": [
"audit"
],
"technology": [
".net",
"newtonsoft",
"json"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "TypeNameHandling = TypeNameHandling.$TYPEHANDLER"
},
{
"pattern": "$SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER;\n...\nJsonConvert.DeserializeObject<$TYPE>(...,$SETTINGS);\n"
},
{
"pattern": "$SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER;\n...\nJsonConvert.DeserializeObject(...,$SETTINGS);\n"
}
]
},
{
"pattern-inside": "using Newtonsoft.Json;\n...\n"
},
{
"metavariable-regex": {
"metavariable": "$TYPEHANDLER",
"regex": "(All|Auto|Objects|Arrays)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.insecure-deserialization.insecure-soapformatter-deserialization",
"languages": [
"C#"
],
"message": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks"
],
"subcategory": [
"vuln"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Runtime.Serialization.Formatters.Soap;\n...\n"
},
{
"pattern": "new SoapFormatter();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.memory.memory-marshal-create-span",
"languages": [
"C#"
],
"message": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-125: Out-of-bounds Read"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0",
"https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"pattern-either": [
{
"pattern": "MemoryMarshal.CreateSpan(...)"
},
{
"pattern": "MemoryMarshal.CreateReadOnlySpan(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout",
"languages": [
"C#"
],
"message": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A01:2017 - Injection",
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS",
"https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout",
"https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Text.RegularExpressions;\n...\n"
},
{
"pattern-either": [
{
"pattern": "new Regex(..., TimeSpan.InfiniteMatchTimeout)"
},
{
"patterns": [
{
"pattern": "new Regex(..., TimeSpan.FromSeconds($TIME))"
},
{
"metavariable-comparison": {
"comparison": "$TIME > 5",
"metavariable": "$TIME"
}
}
]
},
{
"pattern": "new Regex(..., TimeSpan.FromMinutes(...))"
},
{
"pattern": "new Regex(..., TimeSpan.FromHours(...))"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.regular-expression-dos.regular-expression-dos",
"languages": [
"C#"
],
"message": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A01:2017 - Injection",
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS",
"https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Text.RegularExpressions;\n...\n"
},
{
"pattern-either": [
{
"pattern": "public $T $F($X)\n{\n Regex $Y = new Regex($P);\n ...\n $Y.Match($X);\n}\n"
},
{
"pattern": "public $T $F($X)\n{\n Regex $Y = new Regex($P, $O);\n ...\n $Y.Match($X);\n}\n"
},
{
"pattern": "public $T $F($X)\n{\n ... Regex.Match($X, $P);\n}\n"
},
{
"pattern": "public $T $F($X)\n{\n ... Regex.Match($X, $P, $O);\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.sqli.csharp-sqli",
"languages": [
"csharp"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"csharp"
]
},
"mode": "taint",
"pattern-propagators": [
{
"from": "$X",
"pattern": "(StringBuilder $B).$ANY(...,(string $X),...)",
"to": "$B"
}
],
"pattern-sanitizers": [
{
"by-side-effect": true,
"pattern-either": [
{
"pattern": "$CMD.Parameters.add(...)\n"
},
{
"pattern": "$CMD.Parameters[$IDX] = ...\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "new $PATTERN($CMD,...)\n"
},
{
"focus-metavariable": "$CMD"
}
]
},
{
"patterns": [
{
"pattern": "$CMD.$PATTERN = $VALUE;\n"
},
{
"focus-metavariable": "$VALUE"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$PATTERN",
"regex": "^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "(string $X)\n"
},
{
"pattern-not": "\"...\"\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.ssrf.ssrf",
"languages": [
"csharp"
],
"message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Net.Http;\n...\n"
},
{
"pattern-either": [
{
"pattern": "$T $F(..., $X, ...)\n{\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetAsync(<... $X ...>, ...);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetAsync($B, ...);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetStringAsync(<... $X ...>);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nHttpClient $Y = new HttpClient();\n...\n... $Y.GetStringAsync($B);\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.ssrf.ssrf",
"languages": [
"csharp"
],
"message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using RestSharp;\n...\n"
},
{
"pattern-either": [
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n... new RestClient(<... $X ...>);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\n... new RestClient($B);\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.ssrf.ssrf",
"languages": [
"csharp"
],
"message": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Net;\n...\n"
},
{
"pattern-either": [
{
"pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenRead(<... $X ...>);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenRead($B);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenReadAsync(<... $X ...>, ...);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.OpenReadAsync($B, ...);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\nWebClient $Y = new WebClient();\n...\n... $Y.DownloadString(<... $X ...>);\n}\n"
},
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n$A $B = <... $X ...>;\n...\nWebClient $Y = new WebClient();\n...\n... $Y.DownloadString($B);\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.ssrf.ssrf",
"languages": [
"csharp"
],
"message": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cwe.mitre.org/data/definitions/918.html",
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
".net"
]
},
"patterns": [
{
"pattern-inside": "using System.Net;\n...\n"
},
{
"pattern-either": [
{
"pattern": "$T $F(..., $X, ...)\n{\n...\n... WebRequest.Create(<... $X ...>);\n}\n"
},
{
"pattern": "$T $F($X)\n{\n...\n$A $B = <... $X ...>;\n...\n... WebRequest.Create($B);\n}\n"
},
{
"pattern": "$T $F($X)\n{\n...\n$A $B = <... $X ...>;\n...\n$C $D = <... $B ...>;\n...\n... WebRequest.Create($D);\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.csharp.lang.security.xxe.xmldocument-unsafe-parser-override",
"languages": [
"csharp"
],
"message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.jardinesoftware.net/2016/05/26/xxe-and-net/",
"https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"xml"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$XMLDOCUMENT.$METHOD(...)\n"
},
{
"pattern-inside": "XmlDocument $XMLDOCUMENT = new XmlDocument(...);\n...\n$XMLDOCUMENT.XmlResolver = new XmlUrlResolver(...);\n... \n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$ARG"
},
{
"pattern-inside": "public $T $M(...,string $ARG,...){...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override",
"languages": [
"csharp"
],
"message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.jardinesoftware.net/2016/05/26/xxe-and-net/",
"https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"xml"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "XmlReader $READER = XmlReader.Create(...,$RS,...);\n"
},
{
"pattern-inside": "XmlReaderSettings $RS = new XmlReaderSettings();\n...\n$RS.DtdProcessing = DtdProcessing.Parse;\n... \n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$ARG"
},
{
"pattern-inside": "public $T $M(...,string $ARG,...){...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.lang.security.xxe.xmltextreader-unsafe-defaults",
"languages": [
"csharp"
],
"message": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.jardinesoftware.net/2016/05/26/xxe-and-net/",
"https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks"
],
"subcategory": [
"vuln"
],
"technology": [
".net",
"xml"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$READER.$METHOD(...)\n"
},
{
"pattern-not-inside": "$READER.DtdProcessing = DtdProcessing.Prohibit;\n...\n"
},
{
"pattern-inside": "XmlTextReader $READER = new XmlTextReader(...);\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$ARG"
},
{
"pattern-inside": "public $T $M(...,string $ARG,...){...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.csharp.razor.security.html-raw-json",
"languages": [
"generic"
],
"message": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `</script>` is not properly encoded.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"razor"
]
},
"paths": {
"include": [
"*.cshtml"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "@Html.Raw(Json.Encode(...))"
},
{
"pattern": "@Html.Raw(JsonConvert.SerializeObject(...))"
},
{
"pattern": "@Html.Raw(...ToJson(...))"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.dockerfile.audit.dockerfile-source-not-pinned",
"languages": [
"dockerfile"
],
"message": "To ensure reproducible builds, pin Dockerfile `FROM` commands to a specific hash. You can find the hash by running `docker pull $IMAGE` and then specify it with `$IMAGE:$VERSION@sha256:<hash goes here>`",
"metadata": {
"category": "best-practice",
"references": [
"https://stackoverflow.com/a/33511811/4965"
],
"technology": [
"docker"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "FROM $IMAGE:$VERSION@$HASH"
},
{
"metavariable-regex": {
"metavariable": "$HASH",
"regex": "(?!sha256:)"
}
}
]
},
{
"patterns": [
{
"pattern": "FROM $IMAGE"
},
{
"pattern": "FROM $IMAGE:$VERSION"
},
{
"pattern-not-inside": "FROM $IMAGE:$VERSION@$HASH"
}
]
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.dockerfile.security.dockerfile-dockerd-socket-mount",
"languages": [
"dockerfile",
"yaml"
],
"message": "The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-862: Missing Authorization",
"CWE-269: Improper Privilege Management"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html",
"https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/",
"https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html"
],
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "VOLUME $X"
},
{
"metavariable-regex": {
"metavariable": "$X",
"regex": "/var/run/docker.sock"
}
}
]
},
{
"patterns": [
{
"pattern-regex": "- \"/var/run/docker.sock:.*\""
},
{
"pattern-inside": "volumes:\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.dockerfile.security.last-user-is-root",
"languages": [
"dockerfile"
],
"message": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-269: Improper Privilege Management"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://github.com/hadolint/hadolint/wiki/DL3002"
],
"source-rule-url": "https://github.com/hadolint/hadolint/wiki/DL3002",
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"patterns": [
{
"pattern": "USER root"
},
{
"pattern-not-inside": {
"patterns": [
{
"pattern": "USER root\n...\nUSER $X\n"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-not": "root"
}
]
}
}
]
}
}
],
"severity": "ERROR"
},
{
"fix": "USER non-root\nENTRYPOINT $...VARS\n",
"id": "vendored-rules.dockerfile.security.missing-user-entrypoint",
"languages": [
"dockerfile"
],
"message": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-269: Improper Privilege Management"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"patterns": [
{
"pattern": "ENTRYPOINT $...VARS\n"
},
{
"pattern-not-inside": "USER $USER\n...\n"
}
],
"severity": "ERROR"
},
{
"fix": "USER non-root\nCMD $...VARS\n",
"id": "vendored-rules.dockerfile.security.missing-user",
"languages": [
"dockerfile"
],
"message": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-269: Improper Privilege Management"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"patterns": [
{
"pattern": "CMD $...VARS\n"
},
{
"pattern-not-inside": "USER $USER\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.dockerfile.security.no-sudo-in-dockerfile",
"languages": [
"dockerfile"
],
"message": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-250: Execution with Unnecessary Privileges"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://cwe.mitre.org/data/definitions/250.html",
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user"
],
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"patterns": [
{
"pattern": "RUN sudo ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.dockerfile.security.secret-in-build-arg",
"languages": [
"dockerfile"
],
"message": "Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running `docker image history` on the image will show information on how the image was built, including arguments. If these contain plain text secrets, anyone with access to the docker image can access those secrets and exploit them.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cwe.mitre.org/data/definitions/538.html",
"https://docs.docker.com/engine/reference/builder/#arg"
],
"subcategory": [
"audit"
],
"technology": [
"dockerfile"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "ARG $ARG"
},
{
"pattern": "ARG $ARG=..."
}
]
},
{
"metavariable-regex": {
"metavariable": "$ARG",
"regex": "(?i).*(password|secret|token|key|cert|api|auth)"
}
}
],
"severity": "WARNING"
},
{
"fix": "$MODULE.to_existing_atom($STRING)",
"id": "vendored-rules.elixir.lang.correctness.atom_exhaustion",
"languages": [
"elixir"
],
"message": "Atom values are appended to a global table but never removed. If input is user-controlled, dynamic instantiations such as `String.to_atom` or `List.to_atom` can lead to possible memory leaks. Instead, use `String.to_existing_atom` or `List.to_existing_atom`.",
"metadata": {
"category": "correctness",
"references": [
"https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/atom_exhaustion.html"
],
"technology": [
"elixir"
]
},
"patterns": [
{
"pattern": "$MODULE.to_atom($STRING)"
},
{
"metavariable-regex": {
"metavariable": "$MODULE",
"regex": "^(String|List)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.bicep.security.secure-parameter-for-secrets",
"languages": [
"generic"
],
"message": "Mark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-532: Insertion of Sensitive Information into Log File"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A09:2021 - Security Logging and Monitoring Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/532.html",
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets"
],
"subcategory": [
"audit"
],
"technology": [
"bicep"
]
},
"paths": {
"include": [
"*.bicep"
]
},
"patterns": [
{
"pattern": "param $NAME string"
},
{
"pattern-not-inside": "@secure()\nparam $NAME string\n"
},
{
"metavariable-regex": {
"metavariable": "$NAME",
"regex": "(?i).*(password|secret|token)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.ci.audit.changed-semgrepignore",
"languages": [
"generic"
],
"message": "`$1` has been added to the .semgrepignore list of ignored paths. Someone from app-sec may want to audit these changes.",
"metadata": {
"category": "best-practice",
"references": [
"https://semgrep.dev/docs/ignoring-files-folders-code/"
],
"technology": [
"semgrep"
]
},
"paths": {
"include": [
".semgrepignore"
]
},
"patterns": [
{
"pattern-regex": "^(.*)$\n"
},
{
"pattern-not-regex": "^\\n.*$\n"
},
{
"pattern-not-regex": "^#.*$\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.ci.security.bash_reverse_shell",
"languages": [
"generic"
],
"message": "Semgrep found a bash reverse shell",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"ci"
]
},
"pattern-either": [
{
"pattern": "sh -i >& /dev/udp/.../... 0>&1\n"
},
{
"pattern": "<...>/dev/tcp/.../...; sh <&... >&... 2>&\n"
},
{
"pattern": "<...>/dev/tcp/.../...; cat <&... | while read line; do $line 2>&... >&...;done\n"
},
{
"pattern": "sh -i ...<...> /dev/tcp/.../... ...<&... 1>&... 2>&\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.gradle.security.build-gradle-password-hardcoded",
"languages": [
"generic"
],
"message": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2020-top25": true,
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source_rule_url": "https://semgrep.dev/playground/r/qNU2d1G/achufistov6_personal_org.groovy-build-gradle-password-hardcoded",
"subcategory": [
"vuln"
],
"technology": [
"secrets"
],
"vulnerability_class": [
"Hard-coded Secrets"
]
},
"paths": {
"include": [
"*build.gradle"
]
},
"patterns": [
{
"pattern": "password = env[...] ?: \"$SECRET\"\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "{{(.*?)}}",
"replacement": "\"{{\\1}}\""
},
"id": "vendored-rules.generic.html-templates.security.unquoted-attribute-var",
"languages": [
"generic"
],
"message": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"
],
"subcategory": [
"audit"
],
"technology": [
"html-templates"
]
},
"paths": {
"include": [
"*.html",
"*.mustache",
"*.hbs"
]
},
"patterns": [
{
"pattern-inside": "<$TAG ...>"
},
{
"pattern-not-inside": "=\"...\""
},
{
"pattern-not-inside": "='...'"
},
{
"pattern": "{{ ... }}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.html-templates.security.var-in-href",
"languages": [
"generic"
],
"message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (`href=\"/{{link}}\"`). You may also consider setting the Content Security Policy (CSP) header.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI",
"https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url",
"https://github.com/pugjs/pug/issues/2952",
"https://content-security-policy.com/"
],
"subcategory": [
"audit"
],
"technology": [
"html-templates"
]
},
"paths": {
"include": [
"*.html",
"*.mustache",
"*.hbs"
]
},
"patterns": [
{
"pattern-inside": "<a ...>"
},
{
"pattern-either": [
{
"pattern": "href = {{ ... }}"
},
{
"pattern": "href = \"{{ ... }}\""
},
{
"pattern": "href = '{{ ... }}'"
}
]
},
{
"pattern-not-inside": "href = {{ url_for(...) ... }}"
},
{
"pattern-not-inside": "href = \"{{ url_for(...) ... }}\""
},
{
"pattern-not-inside": "href = '{{ url_for(...) ... }}'"
},
{
"pattern-not-inside": "href = \"/{{ ... }}\""
},
{
"pattern-not-inside": "href = '/{{ ... }}'"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.html-templates.security.var-in-script-src",
"languages": [
"generic"
],
"message": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A",
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"html-templates"
]
},
"paths": {
"include": [
"*.mustache",
"*.hbs",
"*.html"
]
},
"patterns": [
{
"pattern-inside": "<script ...>"
},
{
"pattern-not-inside": "src = '...'"
},
{
"pattern-not-inside": "src = \"...\""
},
{
"pattern-not-inside": "nonce = '...'"
},
{
"pattern-not-inside": "nonce = \"...\""
},
{
"pattern": "{{ ... }}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.html-templates.security.var-in-script-tag",
"languages": [
"generic"
],
"message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A",
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"html-templates"
]
},
"paths": {
"include": [
"*.mustache",
"*.hbs",
"*.html"
]
},
"patterns": [
{
"pattern-inside": "<script ...> ... </script>"
},
{
"pattern-not-inside": "<script ... $ATTR = \"...\" ...>"
},
{
"pattern-not-inside": "<script ... $ATTR = '...' ...>"
},
{
"pattern": "{{ ... }}"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "location\\s+([A-Za-z0-9/-_\\.]+)",
"replacement": "location \\1/"
},
"id": "vendored-rules.generic.nginx.security.alias-path-traversal",
"languages": [
"generic"
],
"message": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control",
"https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/",
"https://www.youtube.com/watch?v=CIhHpkybYsY",
"https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf"
],
"source-rule-url": "https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md",
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern": "location $...LOCATION {\n ...\n alias .../;\n ...\n}\n"
},
{
"metavariable-pattern": {
"metavariable": "$...LOCATION",
"pattern-regex": "^.*[^/]$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.dynamic-proxy-host",
"languages": [
"generic"
],
"message": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://nginx.org/en/docs/http/ngx_http_map_module.html"
],
"source-rule-url": "https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md",
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"pattern-either": [
{
"pattern": "proxy_pass $SCHEME://$$HOST ...;"
},
{
"pattern": "proxy_pass $$SCHEME://$$HOST ...;"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.dynamic-proxy-scheme",
"languages": [
"generic"
],
"message": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-16: CWE CATEGORY: Configuration"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"pattern": "proxy_pass $$SCHEME:// ...;",
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.header-injection",
"languages": [
"generic"
],
"message": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md",
"https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"pattern": "location ... <$VARIABLE> ... {\n ...\n add_header ... $$VARIABLE\n ...\n}\n",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.nginx.security.header-redefinition",
"languages": [
"generic"
],
"message": "The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-16: CWE CATEGORY: Configuration"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern-inside": "server {\n ...\n add_header ...;\n ...\n ...\n}\n"
},
{
"pattern-inside": "location ... {\n ...\n ...\n}\n"
},
{
"pattern": "add_header ...;"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.insecure-redirect",
"languages": [
"generic"
],
"message": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "rewrite ... redirect"
},
{
"pattern": "rewrite ... permanent"
}
]
},
{
"pattern-not-inside": "rewrite ... https ... $host ... redirect"
},
{
"pattern-not-inside": "rewrite ... https ... $host ... permanent"
},
{
"pattern-not-regex": "(?i)https:\\/\\/"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.insecure-ssl-version",
"languages": [
"generic"
],
"message": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.acunetix.com/blog/web-security-zone/hardening-nginx/",
"https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern-not": "ssl_protocols TLSv1.2 TLSv1.3;"
},
{
"pattern-not": "ssl_protocols TLSv1.3 TLSv1.2;"
},
{
"pattern-not": "ssl_protocols TLSv1.2;"
},
{
"pattern-not": "ssl_protocols TLSv1.3;"
},
{
"pattern": "ssl_protocols ...;"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.missing-internal",
"languages": [
"generic"
],
"message": "This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-16: CWE CATEGORY: Configuration"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md",
"https://nginx.org/en/docs/http/ngx_http_core_module.html#internal"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"options": {
"generic_ellipsis_max_span": 0,
"generic_engine": "aliengrep"
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern-inside": "location ... {\n ....\n ....\n}\n"
},
{
"pattern-not-inside": "location ... {\n ....\n internal;\n ....\n}\n"
},
{
"pattern": "proxy_pass $...URL;"
},
{
"metavariable-regex": {
"metavariable": "$...URL",
"regex": "(.*\\$.*)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.missing-ssl-version",
"languages": [
"generic"
],
"message": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.acunetix.com/blog/web-security-zone/hardening-nginx/",
"https://nginx.org/en/docs/http/configuring_https_servers.html"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern": "server { ... listen $PORT ssl; ... }"
},
{
"pattern-not-inside": "server { ... ssl_protocols ... }"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.possible-nginx-h2c-smuggling",
"languages": [
"generic"
],
"message": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*.conf",
"*.vhost",
"sites-available/*",
"sites-enabled/*"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "proxy_http_version 1.1 ...;\n...\nproxy_set_header Upgrade ...;\n...\nproxy_set_header Connection ...;\n"
},
{
"pattern": "proxy_set_header Upgrade ...;\n...\nproxy_set_header Connection ...;\n...\nproxy_http_version 1.1 ...;\n"
},
{
"pattern": "proxy_set_header Upgrade ...;\n...\nproxy_http_version 1.1 ...;\n...\nproxy_set_header Connection ...;\n"
}
]
},
{
"pattern-inside": "location ... {\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.nginx.security.request-host-used",
"languages": [
"generic"
],
"message": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-290: Authentication Bypass by Spoofing"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md",
"https://portswigger.net/web-security/host-header"
],
"subcategory": [
"audit"
],
"technology": [
"nginx"
]
},
"paths": {
"include": [
"*conf*",
"*nginx*",
"*vhost*",
"sites-available/*",
"sites-enabled/*"
]
},
"pattern-either": [
{
"pattern": "$http_host"
},
{
"pattern": "$host"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.adafruit-api-key",
"languages": [
"regex"
],
"message": "A gitleaks adafruit-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:adafruit)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.adobe-client-id",
"languages": [
"regex"
],
"message": "A gitleaks adobe-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:adobe)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.adobe-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks adobe-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b((p8e-)(?i)[a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.age-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.airtable-api-key",
"languages": [
"regex"
],
"message": "A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:airtable)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{17})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.algolia-api-key",
"languages": [
"regex"
],
"message": "A gitleaks algolia-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:algolia)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.alibaba-access-key-id",
"languages": [
"regex"
],
"message": "A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b((LTAI)(?i)[a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.alibaba-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks alibaba-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:alibaba)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{30})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.asana-client-id",
"languages": [
"regex"
],
"message": "A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:asana)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.asana-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks asana-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:asana)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.atlassian-api-token",
"languages": [
"regex"
],
"message": "A gitleaks atlassian-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:atlassian|confluence|jira)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.authress-service-client-access-key",
"languages": [
"regex"
],
"message": "A gitleaks authress-service-client-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\\.[a-z0-9]{4,6}\\.acc[_-][a-z0-9-]{10,32}\\.[a-z0-9+/_=-]{30,120})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.aws-access-token",
"languages": [
"regex"
],
"message": "A gitleaks aws-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.beamer-api-token",
"languages": [
"regex"
],
"message": "A gitleaks beamer-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:beamer)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(b_[a-z0-9=_\\-]{44})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.bitbucket-client-id",
"languages": [
"regex"
],
"message": "A gitleaks bitbucket-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:bitbucket)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.bitbucket-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks bitbucket-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:bitbucket)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.bittrex-access-key",
"languages": [
"regex"
],
"message": "A gitleaks bittrex-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:bittrex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.bittrex-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks bittrex-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:bittrex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.clojars-api-token",
"languages": [
"regex"
],
"message": "A gitleaks clojars-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(CLOJARS_)[a-z0-9]{60}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.cloudflare-api-key",
"languages": [
"regex"
],
"message": "A gitleaks cloudflare-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:cloudflare)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.cloudflare-global-api-key",
"languages": [
"regex"
],
"message": "A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:cloudflare)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{37})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.cloudflare-origin-ca-key",
"languages": [
"regex"
],
"message": "A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\b(v1\\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.codecov-access-token",
"languages": [
"regex"
],
"message": "A gitleaks codecov-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:codecov)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.coinbase-access-token",
"languages": [
"regex"
],
"message": "A gitleaks coinbase-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:coinbase)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.confluent-access-token",
"languages": [
"regex"
],
"message": "A gitleaks confluent-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:confluent)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.confluent-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks confluent-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:confluent)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.contentful-delivery-api-token",
"languages": [
"regex"
],
"message": "A gitleaks contentful-delivery-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:contentful)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{43})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.databricks-api-token",
"languages": [
"regex"
],
"message": "A gitleaks databricks-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(dapi[a-h0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.datadog-access-token",
"languages": [
"regex"
],
"message": "A gitleaks datadog-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:datadog)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.defined-networking-api-token",
"languages": [
"regex"
],
"message": "A gitleaks defined-networking-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:dnkey)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(dnkey-[a-z0-9=_\\-]{26}-[a-z0-9=_\\-]{52})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.digitalocean-access-token",
"languages": [
"regex"
],
"message": "A gitleaks digitalocean-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(doo_v1_[a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.digitalocean-pat",
"languages": [
"regex"
],
"message": "A gitleaks digitalocean-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(dop_v1_[a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.digitalocean-refresh-token",
"languages": [
"regex"
],
"message": "A gitleaks digitalocean-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(dor_v1_[a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.discord-api-token",
"languages": [
"regex"
],
"message": "A gitleaks discord-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:discord)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.discord-client-id",
"languages": [
"regex"
],
"message": "A gitleaks discord-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:discord)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{18})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.discord-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks discord-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:discord)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.doppler-api-token",
"languages": [
"regex"
],
"message": "A gitleaks doppler-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(dp\\.pt\\.)(?i)[a-z0-9]{43}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.droneci-access-token",
"languages": [
"regex"
],
"message": "A gitleaks droneci-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:droneci)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.dropbox-api-token",
"languages": [
"regex"
],
"message": "A gitleaks dropbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{15})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.dropbox-long-lived-api-token",
"languages": [
"regex"
],
"message": "A gitleaks dropbox-long-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\\-_=]{43})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.dropbox-short-lived-api-token",
"languages": [
"regex"
],
"message": "A gitleaks dropbox-short-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:dropbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(sl\\.[a-z0-9\\-=_]{135})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.duffel-api-token",
"languages": [
"regex"
],
"message": "A gitleaks duffel-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "duffel_(test|live)_(?i)[a-z0-9_\\-=]{43}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.dynatrace-api-token",
"languages": [
"regex"
],
"message": "A gitleaks dynatrace-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "dt0c01\\.(?i)[a-z0-9]{24}\\.[a-z0-9]{64}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.easypost-api-token",
"languages": [
"regex"
],
"message": "A gitleaks easypost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\bEZAK(?i)[a-z0-9]{54}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.easypost-test-api-token",
"languages": [
"regex"
],
"message": "A gitleaks easypost-test-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\bEZTK(?i)[a-z0-9]{54}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.etsy-access-token",
"languages": [
"regex"
],
"message": "A gitleaks etsy-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:etsy)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.facebook-access-token",
"languages": [
"regex"
],
"message": "A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(\\d{15,16}(\\||%)[0-9a-z\\-_]{27,40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.facebook-page-access-token",
"languages": [
"regex"
],
"message": "A gitleaks facebook-page-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(EAA[MC][a-z0-9]{20,})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.facebook-secret",
"languages": [
"regex"
],
"message": "A gitleaks facebook-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:facebook)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.facebook",
"languages": [
"regex"
],
"message": "A gitleaks facebook was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:facebook)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.fastly-api-token",
"languages": [
"regex"
],
"message": "A gitleaks fastly-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:fastly)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.finicity-api-token",
"languages": [
"regex"
],
"message": "A gitleaks finicity-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:finicity)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.finicity-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks finicity-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:finicity)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.finnhub-access-token",
"languages": [
"regex"
],
"message": "A gitleaks finnhub-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:finnhub)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.flickr-access-token",
"languages": [
"regex"
],
"message": "A gitleaks flickr-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:flickr)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.flutterwave-encryption-key",
"languages": [
"regex"
],
"message": "A gitleaks flutterwave-encryption-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "FLWSECK_TEST-(?i)[a-h0-9]{12}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.flutterwave-public-key",
"languages": [
"regex"
],
"message": "A gitleaks flutterwave-public-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "FLWPUBK_TEST-(?i)[a-h0-9]{32}-X"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.flutterwave-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks flutterwave-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "FLWSECK_TEST-(?i)[a-h0-9]{32}-X"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.frameio-api-token",
"languages": [
"regex"
],
"message": "A gitleaks frameio-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "fio-u-(?i)[a-z0-9\\-_=]{64}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.freshbooks-access-token",
"languages": [
"regex"
],
"message": "A gitleaks freshbooks-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:freshbooks)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gcp-api-key",
"languages": [
"regex"
],
"message": "A gitleaks gcp-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(AIza[0-9A-Za-z\\\\-_]{35})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.generic-api-key",
"languages": [
"regex"
],
"message": "A gitleaks generic-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). This rule can introduce a lot of false positives, it is not recommended to be used in PR comments.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"paths": {
"exclude": [
"*.svg",
"*go.sum",
"*cargo.lock",
"*package.json",
"*package-lock.json",
"*bundle.js",
"*pnpm-lock*",
"*Podfile.lock",
"*/openssl/*.h",
"*.xcscmblueprint"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\\-_\\t.]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:=|\\|\\|:|<=|=>|:)(?:'|@\\\"|\\\"|\\s|=|\\x60){0,5}(?!([a-z]+\\.[a-zA-Z]+)|.*(\\d{4}-\\d{2}-\\d{2})|:*(?!(\"|'))[0-9A-Za-z]+\\.[0-9A-Za-z]+,|[A-Z]+_[A-Z]+_)(?P<CONTENT>[0-9a-z\\-_.=\\~@]{10,150})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$CONTENT"
}
},
{
"focus-metavariable": "$CONTENT"
},
{
"pattern-not-regex": ".*((?i)omitted|arn:aws|(?i)(pub.*key|public.*key)|(?i)clientToken|symbol|cache|author\\.).*"
},
{
"pattern-not-regex": "(\\d\\.\\d\\.\\d-}|([\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3}\\.[\\d]{1,3})|(\\w)\\1{5}|(?i)keywords|xxxx|eeeeeeee|0000|\\*\\*\\*|example|test|author=|author(\"|')|preview|[A-Z]+_KEY|[.]value|[.]key|-\\d\\.\\d\\.)"
},
{
"metavariable-regex": {
"metavariable": "$CONTENT",
"regex": "(?!(^0x0*|^pub)|.*\\.(bin|json|exe)$|.*(?i)(Client|Factory)$|(^__[A-Za-z]+__$)|^(12345|abcd)|^\\d+(\\.\\d+)?$)"
}
},
{
"pattern-not-regex": "(\\w|\\.)\\1{5}"
},
{
"metavariable-regex": {
"metavariable": "$CONTENT",
"regex": "(?!(?i).*(client|endpoint|vpn|_ec2_|aws_|authorize|author|define|config|credential|setting|sample|xxxxxx|000000|buffer|delete|aaaaaa|fewfwef|getenv|env_|system|example|ecdsa|sha256|sha1|sha2|md5|alert|wizard|target|onboard|welcome|page|exploit|experiment|expire|rabbitmq|scraper|widget|music|dns_|dns-|yahoo|want|json|action|script|fix_|fix-|develop|compas|stripe|service|master|metric|tech|gitignore|rich|open|stack|irc_|irc-|sublime|kohana|has_|has-|fabric|wordpres|role|osx_|osx-|boost|addres|queue|working|sandbox|internet|print|vision|tracking|being|generator|traffic|world|pull|rust|watcher|small|auth|full|hash|more|install|auto|complete|learn|paper|installer|research|acces|last|binding|spine|into|chat|algorithm|resource|uploader|video|maker|next|proc|lock|robot|snake|patch|matrix|drill|terminal|term|stuff|genetic|generic|identity|audit|pattern|audio|web_|web-|crud|problem|statu|cms-|cms_|arch|coffee|workflow|changelog|another|uiview|content|kitchen|gnu_|gnu-|gnu\\.|conf|couchdb|client|opencv|rendering|update|concept|varnish|gui_|gui-|gui\\.|version|shared|extra|product|still|not_|not-|not\\.|drop|ring|png_|png-|png\\.|actively|import|output|backup|start|embedded|registry|pool|semantic|instagram|bash|system|ninja|drupal|jquery|polyfill|physic|league|guide|pack|synopsi|sketch|injection|svg_|svg-|svg\\.|friendly|wave|convert|manage|camera|link|slide|timer|wrapper|gallery|url_|url-|url\\.|todomvc|requirej|party|http|payment|async|library|home|coco|gaia|display|universal|func|metadata|hipchat|under|room|config|personal|realtime|resume|database|testing|tiny|basic|forum|meetup|yet_|yet-|yet\\.|cento|dead|fluentd|editor|utilitie|run_|run-|run\\.|box_|box-|box\\.|bot_|bot-|bot\\.|making|sample|group|monitor|ajax|parallel|cassandra|ultimate|site|get_|get-|get\\.|gen_|gen-|gen\\.|gem_|gem-|gem\\.|extended|image|knife|asset|nested|zero|plugin|bracket|mule|mozilla|number|act_|act-|act\\.|map_|map-|map\\.|micro|debug|openshift|chart|expres|backend|task|source|translate|jbos|composer|sqlite|profile|mustache|mqtt|yeoman|have|builder|smart|like|oauth|school|guideline|captcha|filter|bitcoin|bridge|color|toolbox|discovery|new_|new-|new\\.|dashboard|when|setting|level|post|standard|port|platform|yui_|yui-|yui\\.|grunt|animation|haskell|icon|latex|cheat|lua_|lua-|lua\\.|gulp|case|author|without|simulator|wifi|directory|lisp|list|flat|adventure|story|storm|gpu_|gpu-|gpu\\.|store|caching|attention|solr|logger|demo|shortener|hadoop|finder|phone|pipeline|range|textmate|showcase|app_|app-|app\\.|idiomatic|edit|our_|our-|our\\.|out_|out-|out\\.|sentiment|linked|why_|why-|why\\.|local|cube|gmail|job_|job-|job\\.|rpc_|rpc-|rpc\\.|contest|tcp_|tcp-|tcp\\.|usage|buildout|weather|transfer|automated|sphinx|issue|sas_|sas-|sas\\.|parallax|jasmine|addon|machine|solution|dsl_|dsl-|dsl\\.|episode|menu|theme|best|adapter|debugger|chrome|tutorial|life|step|people|joomla|paypal|developer|solver|team|current|love|visual|date|data|canva|container|future|xml_|xml-|xml\\.|twig|nagio|spatial|original|sync|archived|refinery|science|mapping|gitlab|play|ext_|ext-|ext\\.|session|impact|set_|set-|set\\.|see_|see-|see\\.|migration|commit|community|shopify|what'|cucumber|statamic|mysql|location|tower|line|code|amqp|hello|send|index|high|notebook|alloy|python|field|document|soap|edition|email|php_|php-|php\\.|command|transport|official|upload|study|secure|angularj|akka|scalable|package|request|con_|con-|con\\.|flexible|security|comment|module|flask|graph|flash|apache|change|window|space|lambda|sheet|bookmark|carousel|friend|objective|jekyll|bootstrap|first|article|gwt_|gwt-|gwt\\.|classic|media|websocket|touch|desktop|real|read|recorder|moved|storage|validator|add-on|pusher|scs_|scs-|scs\\.|inline|asp_|asp-|asp\\.|timeline|base|encoding|ffmpeg|kindle|tinymce|pretty|jpa_|jpa-|jpa\\.|used|user|required|webhook|download|resque|espresso|cloud|mongo|benchmark|pure|cakephp|modx|mode|reactive|fuel|written|flickr|mail|brunch|meteor|dynamic|neo_|neo-|neo\\.|new_|new-|new\\.|net_|net-|net\\.|typo|type|keyboard|erlang|adobe|logging|ckeditor|message|iso_|iso-|iso\\.|hook|ldap|folder|reference|railscast|www_|www-|www\\.|tracker|azure|fork|form|digital|exporter|skin|string|template|designer|gollum|fluent|entity|language|alfred|summary|wiki|kernel|calendar|plupload|symfony|foundry|remote|talk|search|dev_|dev-|dev\\.|del_|del-|del\\.|token|idea|sencha|selector|interface|create|fun_|fun-|fun\\.|groovy|query|grail|red_|red-|red\\.|laravel|monkey|slack|supported|instant|value|center|latest|work|but_|but-|but\\.|bug_|bug-|bug\\.|virtual|tweet|statsd|studio|path|real-time|frontend|notifier|coding|tool|firmware|flow|random|mediawiki|bosh|been|beer|lightbox|theory|origin|redmine|hub_|hub-|hub\\.|require|pro_|pro-|pro\\.|ant_|ant-|ant\\.|any_|any-|any\\.|recipe|closure|mapper|event|todo|model|redi|provider|rvm_|rvm-|rvm\\.|program|memcached|rail|silex|foreman|activity|license|strategy|batch|streaming|fast|use_|use-|use\\.|usb_|usb-|usb\\.|impres|academy|slider|please|layer|cros|now_|now-|now\\.|miner|extension|own_|own-|own\\.|app_|app-|app\\.|debian|symphony|example|feature|serie|tree|project|runner|entry|leetcode|layout|webrtc|logic|login|worker|toolkit|mocha|support|back|inside|device|jenkin|contact|fake|awesome|ocaml|bit_|bit-|bit\\.|drive|screen|prototype|gist|binary|nosql|rest|overview|dart|dark|emac|mongoid|solarized|homepage|emulator|commander|django|yandex|gradle|xcode|writer|crm_|crm-|crm\\.|jade|startup|error|using|format|name|spring|parser|scratch|magic|try_|try-|try\\.|rack|directive|challenge|slim|counter|element|chosen|doc_|doc-|doc\\.|meta|should|button|packet|stream|hardware|android|infinite|password|software|ghost|xamarin|spec|chef|interview|hubot|mvc_|mvc-|mvc\\.|exercise|leaflet|launcher|air_|air-|air\\.|photo|board|boxen|way_|way-|way\\.|computing|welcome|notepad|portfolio|cat_|cat-|cat\\.|can_|can-|can\\.|magento|yaml|domain|card|yii_|yii-|yii\\.|checker|browser|upgrade|only|progres|aura|ruby_|ruby-|ruby\\.|polymer|util|lite|hackathon|rule|log_|log-|log\\.|opengl|stanford|skeleton|history|inspector|help|soon|selenium|lab_|lab-|lab\\.|scheme|schema|look|ready|leveldb|docker|game|minimal|logstash|messaging|within|heroku|mongodb|kata|suite|picker|win_|win-|win\\.|wip_|wip-|wip\\.|panel|started|starter|front-end|detector|deploy|editing|based|admin|capture|spree|page|bundle|goal|rpg_|rpg-|rpg\\.|setup|side|mean|reader|cookbook|mini|modern|seed|dom_|dom-|dom\\.|doc_|doc-|doc\\.|dot_|dot-|dot\\.|syntax|sugar|loader|website|make|kit_|kit-|kit\\.|protocol|human|daemon|golang|manager|countdown|connector|swagger|map_|map-|map\\.|mac_|mac-|mac\\.|man_|man-|man\\.|orm_|orm-|orm\\.|org_|org-|org\\.|little|zsh_|zsh-|zsh\\.|shop|show|workshop|money|grid|server|octopres|svn_|svn-|svn\\.|ember|embed|general|file|important|dropbox|portable|public|docpad|fish|sbt_|sbt-|sbt\\.|done|para|network|common|readme|popup|simple|purpose|mirror|single|cordova|exchange|object|design|gateway|account|lamp|intellij|math|mit_|mit-|mit\\.|control|enhanced|emitter|multi|add_|add-|add\\.|about|socket|preview|vagrant|cli_|cli-|cli\\.|powerful|top_|top-|top\\.|radio|watch|fluid|amazon|report|couchbase|automatic|detection|sprite|pyramid|portal|advanced|plu_|plu-|plu\\.|runtime|git_|git-|git\\.|uri_|uri-|uri\\.|haml|node|sql_|sql-|sql\\.|cool|core|obsolete|handler|iphone|extractor|array|copy|nlp_|nlp-|nlp\\.|reveal|pop_|pop-|pop\\.|engine|parse|check|html|nest|all_|all-|all\\.|chinese|buildpack|what|tag_|tag-|tag\\.|proxy|style|cookie|feed|restful|compiler|creating|prelude|context|java|rspec|mock|backbone|light|spotify|flex|related|shell|which|clas|webapp|swift|ansible|unity|console|tumblr|export|campfire|conway'|made|riak|hero|here|unix|unit|glas|smtp|how_|how-|how\\.|hot_|hot-|hot\\.|debug|release|diff|player|easy|right|old_|old-|old\\.|animate|time|push|explorer|course|training|nette|router|draft|structure|note|salt|where|spark|trello|power|method|social|via_|via-|via\\.|vim_|vim-|vim\\.|select|webkit|github|ftp_|ftp-|ftp\\.|creator|mongoose|led_|led-|led\\.|movie|currently|pdf_|pdf-|pdf\\.|load|markdown|phalcon|input|custom|atom|oracle|phonegap|ubuntu|great|rdf_|rdf-|rdf\\.|popcorn|firefox|zip_|zip-|zip\\.|cuda|dotfile|static|openwrt|viewer|powered|graphic|les_|les-|les\\.|doe_|doe-|doe\\.|maven|word|eclipse|lab_|lab-|lab\\.|hacking|steam|analytic|option|abstract|archive|reality|switcher|club|write|kafka|arduino|angular|online|title|don't|contao|notice|analyzer|learning|zend|external|staging|busines|tdd_|tdd-|tdd\\.|scanner|building|snippet|modular|bower|stm_|stm-|stm\\.|lib_|lib-|lib\\.|alpha|mobile|clean|linux|nginx|manifest|some|raspberry|gnome|ide_|ide-|ide\\.|block|statistic|info|drag|youtube|koan|facebook|paperclip|art_|art-|art\\.|quality|tab_|tab-|tab\\.|need|dojo|shield|computer|stat|state|twitter|utility|converter|hosting|devise|liferay|updated|force|tip_|tip-|tip\\.|behavior|active|call|answer|deck|better|principle|ches|bar_|bar-|bar\\.|reddit|three|haxe|just|plug-in|agile|manual|tetri|super|beta|parsing|doctrine|minecraft|useful|perl|sharing|agent|switch|view|dash|channel|repo|pebble|profiler|warning|cluster|running|markup|evented|mod_|mod-|mod\\.|share|csv_|csv-|csv\\.|response|good|house|connect|built|build|find|ipython|webgl|big_|big-|big\\.|google|scala|sdl_|sdl-|sdl\\.|sdk_|sdk-|sdk\\.|native|day_|day-|day\\.|puppet|text|routing|helper|linkedin|crawler|host|guard|merchant|poker|over|writing|free|classe|component|craft|nodej|phoenix|longer|quick|lazy|memory|clone|hacker|middleman|factory|motion|multiple|tornado|hack|ssh_|ssh-|ssh\\.|review|vimrc|driver|driven|blog|particle|table|intro|importer|thrift|xmpp|framework|refresh|react|font|librarie|variou|formatter|analysi|karma|scroll|tut_|tut-|tut\\.|apple|tag_|tag-|tag\\.|tab_|tab-|tab\\.|category|ionic|cache|homebrew|reverse|english|getting|shipping|clojure|boot|book|branch|combination|combo))"
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.github-app-token",
"languages": [
"regex"
],
"message": "A gitleaks github-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(ghu|ghs)_[0-9a-zA-Z]{36}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.github-fine-grained-pat",
"languages": [
"regex"
],
"message": "A gitleaks github-fine-grained-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "github_pat_[0-9a-zA-Z_]{82}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.github-oauth",
"languages": [
"regex"
],
"message": "A gitleaks github-oauth was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "gho_[0-9a-zA-Z]{36}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.github-pat",
"languages": [
"regex"
],
"message": "A gitleaks github-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "ghp_[0-9a-zA-Z]{36}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.github-refresh-token",
"languages": [
"regex"
],
"message": "A gitleaks github-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "ghr_[0-9a-zA-Z]{36}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gitlab-pat",
"languages": [
"regex"
],
"message": "A gitleaks gitlab-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "glpat-[0-9a-zA-Z\\-\\_]{20}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gitlab-ptt",
"languages": [
"regex"
],
"message": "A gitleaks gitlab-ptt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "glptt-[0-9a-f]{40}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gitlab-rrt",
"languages": [
"regex"
],
"message": "A gitleaks gitlab-rrt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "GR1348941[0-9a-zA-Z\\-\\_]{20}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gitter-access-token",
"languages": [
"regex"
],
"message": "A gitleaks gitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:gitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.gocardless-api-token",
"languages": [
"regex"
],
"message": "A gitleaks gocardless-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:gocardless)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(live_(?i)[a-z0-9\\-_=]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.grafana-api-key",
"languages": [
"regex"
],
"message": "A gitleaks grafana-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.grafana-cloud-api-token",
"languages": [
"regex"
],
"message": "A gitleaks grafana-cloud-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.grafana-service-account-token",
"languages": [
"regex"
],
"message": "A gitleaks grafana-service-account-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.harness-api-key",
"languages": [
"regex"
],
"message": "A gitleaks harness-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "((?:pat|sat)\\.[a-zA-Z0-9]{22}\\.[a-zA-Z0-9]{24}\\.[a-zA-Z0-9]{20})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.hashicorp-tf-api-token",
"languages": [
"regex"
],
"message": "A gitleaks hashicorp-tf-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)[a-z0-9]{14}\\.atlasv1\\.[a-z0-9\\-_=]{60,70}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.hashicorp-tf-password",
"languages": [
"regex"
],
"message": "A gitleaks hashicorp-tf-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:administrator_login_password|password)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(\"[a-z0-9=_\\-]{8,20}\")(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.heroku-api-key",
"languages": [
"regex"
],
"message": "A gitleaks heroku-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:heroku)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.hubspot-api-key",
"languages": [
"regex"
],
"message": "A gitleaks hubspot-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:hubspot)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.huggingface-access-token",
"languages": [
"regex"
],
"message": "A gitleaks huggingface-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?:^|[\\\\'\"` >=:])(hf_[a-zA-Z]{34})(?:$|[\\\\'\"` <])"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.huggingface-organization-api-token",
"languages": [
"regex"
],
"message": "A gitleaks huggingface-organization-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?:^|[\\\\'\"` >=:\\(,)])(api_org_[a-zA-Z]{34})(?:$|[\\\\'\"` <\\),])"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.infracost-api-token",
"languages": [
"regex"
],
"message": "A gitleaks infracost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(ico-[a-zA-Z0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.intercom-api-key",
"languages": [
"regex"
],
"message": "A gitleaks intercom-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:intercom)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{60})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.intra42-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(s-s4t2(?:ud|af)-[abcdef0123456789]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.jfrog-api-key",
"languages": [
"regex"
],
"message": "A gitleaks jfrog-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{73})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.jfrog-identity-token",
"languages": [
"regex"
],
"message": "A gitleaks jfrog-identity-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.jwt-base64",
"languages": [
"regex"
],
"message": "A gitleaks jwt-base64 was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\bZXlK(?:(?P<alg>aGJHY2lPaU)|(?P<apu>aGNIVWlPaU)|(?P<apv>aGNIWWlPaU)|(?P<aud>aGRXUWlPaU)|(?P<b64>aU5qUWlP)|(?P<crit>amNtbDBJanBi)|(?P<cty>amRIa2lPaU)|(?P<epk>bGNHc2lPbn)|(?P<enc>bGJtTWlPaU)|(?P<jku>cWEzVWlPaU)|(?P<jwk>cWQyc2lPb)|(?P<iss>cGMzTWlPaU)|(?P<iv>cGRpSTZJ)|(?P<kid>cmFXUWlP)|(?P<key_ops>clpYbGZiM0J6SWpwY)|(?P<kty>cmRIa2lPaUp)|(?P<nonce>dWIyNWpaU0k2)|(?P<p2c>d01tTWlP)|(?P<p2s>d01uTWlPaU)|(?P<ppt>d2NIUWlPaU)|(?P<sub>emRXSWlPaU)|(?P<svt>emRuUWlP)|(?P<tag>MFlXY2lPaU)|(?P<typ>MGVYQWlPaUp)|(?P<url>MWNtd2l)|(?P<use>MWMyVWlPaUp)|(?P<ver>MlpYSWlPaU)|(?P<version>MlpYSnphVzl1SWpv)|(?P<x>NElqb2)|(?P<x5c>NE5XTWlP)|(?P<x5t>NE5YUWlPaU)|(?P<x5ts256>NE5YUWpVekkxTmlJNkl)|(?P<x5u>NE5YVWlPaU)|(?P<zip>NmFYQWlPaU))[a-zA-Z0-9\\/\\\\_+\\-\\r\\n]{40,}={0,2}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.jwt",
"languages": [
"regex"
],
"message": "A gitleaks jwt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\b(ey[a-zA-Z0-9]{17,}\\.ey[a-zA-Z0-9\\/\\\\_-]{17,}\\.(?:[a-zA-Z0-9\\/\\\\_-]{10,}={0,2})?)(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.kraken-access-token",
"languages": [
"regex"
],
"message": "A gitleaks kraken-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:kraken)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9\\/=_\\+\\-]{80,90})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.kucoin-access-token",
"languages": [
"regex"
],
"message": "A gitleaks kucoin-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:kucoin)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.kucoin-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks kucoin-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:kucoin)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.launchdarkly-access-token",
"languages": [
"regex"
],
"message": "A gitleaks launchdarkly-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:launchdarkly)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.linear-api-key",
"languages": [
"regex"
],
"message": "A gitleaks linear-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "lin_api_(?i)[a-z0-9]{40}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.linear-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks linear-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:linear)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.linkedin-client-id",
"languages": [
"regex"
],
"message": "A gitleaks linkedin-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:linkedin|linked-in)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{14})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.linkedin-client-secret",
"languages": [
"regex"
],
"message": "A gitleaks linkedin-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:linkedin|linked-in)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.lob-api-key",
"languages": [
"regex"
],
"message": "A gitleaks lob-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:lob)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}((live|test)_[a-f0-9]{35})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.lob-pub-api-key",
"languages": [
"regex"
],
"message": "A gitleaks lob-pub-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:lob)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}((test|live)_pub_[a-f0-9]{31})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mailchimp-api-key",
"languages": [
"regex"
],
"message": "A gitleaks mailchimp-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32}-us\\d\\d)(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mailgun-private-api-token",
"languages": [
"regex"
],
"message": "A gitleaks mailgun-private-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:mailgun)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(key-[a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mailgun-pub-key",
"languages": [
"regex"
],
"message": "A gitleaks mailgun-pub-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:mailgun)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(pubkey-[a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mailgun-signing-key",
"languages": [
"regex"
],
"message": "A gitleaks mailgun-signing-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:mailgun)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mapbox-api-token",
"languages": [
"regex"
],
"message": "A gitleaks mapbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:mapbox)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(pk\\.[a-z0-9]{60}\\.[a-z0-9]{22})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.mattermost-access-token",
"languages": [
"regex"
],
"message": "A gitleaks mattermost-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:mattermost)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{26})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.messagebird-api-token",
"languages": [
"regex"
],
"message": "A gitleaks messagebird-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{25})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.messagebird-client-id",
"languages": [
"regex"
],
"message": "A gitleaks messagebird-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.microsoft-teams-webhook",
"languages": [
"regex"
],
"message": "A gitleaks microsoft-teams-webhook was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "https:\\/\\/[a-z0-9]+\\.webhook\\.office\\.com\\/webhookb2\\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\\/IncomingWebhook\\/[a-z0-9]{32}\\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.netlify-access-token",
"languages": [
"regex"
],
"message": "A gitleaks netlify-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:netlify)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{40,46})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.new-relic-browser-api-token",
"languages": [
"regex"
],
"message": "A gitleaks new-relic-browser-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.new-relic-insert-key",
"languages": [
"regex"
],
"message": "A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(NRII-[a-z0-9-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.new-relic-user-api-id",
"languages": [
"regex"
],
"message": "A gitleaks new-relic-user-api-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.new-relic-user-api-key",
"languages": [
"regex"
],
"message": "A gitleaks new-relic-user-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.npm-access-token",
"languages": [
"regex"
],
"message": "A gitleaks npm-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(npm_[a-z0-9]{36})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.nytimes-access-token",
"languages": [
"regex"
],
"message": "A gitleaks nytimes-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.okta-access-token",
"languages": [
"regex"
],
"message": "A gitleaks okta-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:okta)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9=_\\-]{42})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.openai-api-key",
"languages": [
"regex"
],
"message": "A gitleaks openai-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.plaid-api-token",
"languages": [
"regex"
],
"message": "A gitleaks plaid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:plaid)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.plaid-client-id",
"languages": [
"regex"
],
"message": "A gitleaks plaid-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:plaid)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{24})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.plaid-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks plaid-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:plaid)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{30})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.planetscale-api-token",
"languages": [
"regex"
],
"message": "A gitleaks planetscale-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(pscale_tkn_(?i)[a-z0-9=\\-_\\.]{32,64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.planetscale-oauth-token",
"languages": [
"regex"
],
"message": "A gitleaks planetscale-oauth-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(pscale_oauth_(?i)[a-z0-9=\\-_\\.]{32,64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.planetscale-password",
"languages": [
"regex"
],
"message": "A gitleaks planetscale-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(pscale_pw_(?i)[a-z0-9=\\-_\\.]{32,64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.postman-api-token",
"languages": [
"regex"
],
"message": "A gitleaks postman-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(PMAK-(?i)[a-f0-9]{24}\\-[a-f0-9]{34})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.prefect-api-token",
"languages": [
"regex"
],
"message": "A gitleaks prefect-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(pnu_[a-z0-9]{36})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.private-key",
"languages": [
"regex"
],
"message": "A gitleaks private-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\\s\\S-]*KEY( BLOCK)?----"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.pulumi-api-token",
"languages": [
"regex"
],
"message": "A gitleaks pulumi-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(pul-[a-f0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.pypi-upload-token",
"languages": [
"regex"
],
"message": "A gitleaks pypi-upload-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\\-_]{50,1000}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.rapidapi-access-token",
"languages": [
"regex"
],
"message": "A gitleaks rapidapi-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:rapidapi)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{50})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.readme-api-token",
"languages": [
"regex"
],
"message": "A gitleaks readme-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(rdme_[a-z0-9]{70})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.rubygems-api-token",
"languages": [
"regex"
],
"message": "A gitleaks rubygems-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(rubygems_[a-f0-9]{48})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.scalingo-api-token",
"languages": [
"regex"
],
"message": "A gitleaks scalingo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "\\b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sendbird-access-id",
"languages": [
"regex"
],
"message": "A gitleaks sendbird-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:sendbird)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sendbird-access-token",
"languages": [
"regex"
],
"message": "A gitleaks sendbird-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:sendbird)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sendgrid-api-token",
"languages": [
"regex"
],
"message": "A gitleaks sendgrid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(SG\\.(?i)[a-z0-9=_\\-\\.]{66})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sendinblue-api-token",
"languages": [
"regex"
],
"message": "A gitleaks sendinblue-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(xkeysib-[a-f0-9]{64}\\-(?i)[a-z0-9]{16})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sentry-access-token",
"languages": [
"regex"
],
"message": "A gitleaks sentry-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:sentry)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.shippo-api-token",
"languages": [
"regex"
],
"message": "A gitleaks shippo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(shippo_(live|test)_[a-f0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.shopify-access-token",
"languages": [
"regex"
],
"message": "A gitleaks shopify-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "shpat_[a-fA-F0-9]{32}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.shopify-custom-access-token",
"languages": [
"regex"
],
"message": "A gitleaks shopify-custom-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "shpca_[a-fA-F0-9]{32}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.shopify-private-app-access-token",
"languages": [
"regex"
],
"message": "A gitleaks shopify-private-app-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "shppa_[a-fA-F0-9]{32}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.shopify-shared-secret",
"languages": [
"regex"
],
"message": "A gitleaks shopify-shared-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "shpss_[a-fA-F0-9]{32}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sidekiq-secret",
"languages": [
"regex"
],
"message": "A gitleaks sidekiq-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sidekiq-sensitive-url",
"languages": [
"regex"
],
"message": "A gitleaks sidekiq-sensitive-url was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(http(?:s??):\\/\\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\\/|\\#|\\?|:]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-app-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(xapp-\\d-[A-Z0-9]+-\\d+-[a-z0-9]+)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-bot-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-bot-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(xoxb-[0-9]{10,13}\\-[0-9]{10,13}[a-zA-Z0-9-]*)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-config-access-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-config-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(xoxe.xox[bp]-\\d-[A-Z0-9]{163,166})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-config-refresh-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-config-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(xoxe-\\d-[A-Z0-9]{146})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-legacy-bot-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-legacy-bot-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(xoxb-[0-9]{8,14}\\-[a-zA-Z0-9]{18,26})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-legacy-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-legacy-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(xox[os]-\\d+-\\d+-\\d+-[a-fA-F\\d]+)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-legacy-workspace-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-legacy-workspace-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(xox[ar]-(?:\\d-)?[0-9a-zA-Z]{8,48})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-user-token",
"languages": [
"regex"
],
"message": "A gitleaks slack-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.slack-webhook-url",
"languages": [
"regex"
],
"message": "A gitleaks slack-webhook-url was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(https?:\\/\\/)?hooks.slack.com\\/(services|workflows)\\/[A-Za-z0-9+\\/]{43,46}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.snyk-api-token",
"languages": [
"regex"
],
"message": "A gitleaks snyk-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.square-access-token",
"languages": [
"regex"
],
"message": "A gitleaks square-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b((EAAA|sq0atp-)[0-9A-Za-z\\-_]{22,60})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.squarespace-access-token",
"languages": [
"regex"
],
"message": "A gitleaks squarespace-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:squarespace)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.stripe-access-token",
"languages": [
"regex"
],
"message": "A gitleaks stripe-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sumologic-access-id",
"languages": [
"regex"
],
"message": "A gitleaks sumologic-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i:(?:sumo)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3})(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(su[a-zA-Z0-9]{12})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.sumologic-access-token",
"languages": [
"regex"
],
"message": "A gitleaks sumologic-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:sumo)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{64})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.telegram-bot-api-token",
"languages": [
"regex"
],
"message": "A gitleaks telegram-bot-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i:(?:telegr)(?:[0-9a-z\\(-_\\t .\\\\]{0,40})(?:[\\s|']|[\\s|\"]){0,3})(?:=|\\|\\|:|<=|=>|:|\\?=|\\()(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{5,16}:A[a-z0-9_\\-]{34})(?:['|\\\"|\\n|\\r|\\s|\\x60|;|\\\\]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.travisci-access-token",
"languages": [
"regex"
],
"message": "A gitleaks travisci-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:travis)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{22})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twilio-api-key",
"languages": [
"regex"
],
"message": "A gitleaks twilio-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "SK[0-9a-fA-F]{32}"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitch-api-token",
"languages": [
"regex"
],
"message": "A gitleaks twitch-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitch)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{30})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitter-access-secret",
"languages": [
"regex"
],
"message": "A gitleaks twitter-access-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{45})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitter-access-token",
"languages": [
"regex"
],
"message": "A gitleaks twitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitter-api-key",
"languages": [
"regex"
],
"message": "A gitleaks twitter-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{25})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitter-api-secret",
"languages": [
"regex"
],
"message": "A gitleaks twitter-api-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{50})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.twitter-bearer-token",
"languages": [
"regex"
],
"message": "A gitleaks twitter-bearer-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:twitter)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.typeform-api-token",
"languages": [
"regex"
],
"message": "A gitleaks typeform-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:typeform)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(tfp_[a-z0-9\\-_\\.=]{59})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.vault-batch-token",
"languages": [
"regex"
],
"message": "A gitleaks vault-batch-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(hvb\\.[a-z0-9_-]{138,212})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.vault-service-token",
"languages": [
"regex"
],
"message": "A gitleaks vault-service-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)\\b(hvs\\.[a-z0-9_-]{90,100})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.yandex-access-token",
"languages": [
"regex"
],
"message": "A gitleaks yandex-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:yandex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(t1\\.[A-Z0-9a-z_-]+[=]{0,2}\\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.yandex-api-key",
"languages": [
"regex"
],
"message": "A gitleaks yandex-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:yandex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(AQVN[A-Za-z0-9_\\-]{35,38})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.yandex-aws-access-token",
"languages": [
"regex"
],
"message": "A gitleaks yandex-aws-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:yandex)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}(YC[a-zA-Z0-9_\\-]{38})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.gitleaks.zendesk-secret-key",
"languages": [
"regex"
],
"message": "A gitleaks zendesk-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules",
"subcategory": [
"vuln"
],
"technology": [
"gitleaks"
]
},
"patterns": [
{
"pattern-regex": "(?i)(?:zendesk)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|>|:{1,3}=|\\|\\|:|<=|=>|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9]{40})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.generic.secrets.security.detected-amazon-mws-auth-token",
"languages": [
"regex"
],
"message": "Amazon MWS Auth Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"aws"
]
},
"pattern-regex": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-artifactory-password",
"languages": [
"regex"
],
"message": "Artifactory token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"artifactory"
]
},
"paths": {
"exclude": [
"*.svg",
"*go.sum",
"*package.json",
"*cargo.lock",
"*package-lock.json",
"*bundle.js",
"*pnpm-lock*",
"*Podfile.lock",
"*/openssl/*.h",
"*.xcscmblueprint"
]
},
"patterns": [
{
"pattern-regex": "(?<ITEM>\\bAP[\\dABCDEF][a-zA-Z0-9]{8,})"
},
{
"pattern-regex": ".*(?i)arti[-_]?factory.*"
},
{
"pattern-not-regex": ".*(?i)sha(1|2|3|118|256|512).*"
},
{
"pattern-not-regex": "(?i)-----\\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\\s\\S]*?-----\\s*?END[ A-Z0-9_-]*?\\s*?-----"
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$ITEM"
}
},
{
"pattern-not-regex": "(\\w|\\.|\\*)\\1{4}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-artifactory-token",
"languages": [
"regex"
],
"message": "Artifactory token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"artifactory"
]
},
"paths": {
"exclude": [
"*.svg",
"*go.sum",
"*package.json",
"*package-lock.json",
"*bundle.js",
"*pnpm-lock*",
"*Podfile.lock",
"*/openssl/*.h",
"*.xcscmblueprint",
"*cargo.lock"
]
},
"patterns": [
{
"pattern-regex": "\\bAKC[a-zA-Z0-9]{10,}\n"
},
{
"pattern-not-regex": "sha(128|256|512).*\n"
},
{
"pattern-not-regex": "(?s)---BEGIN.*---\\Z"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-aws-access-key-id-value",
"languages": [
"regex"
],
"message": "AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"aws"
]
},
"patterns": [
{
"pattern-regex": "\\b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\\b"
},
{
"pattern-not-regex": "(?i)example|sample|test|fake"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-aws-account-id",
"languages": [
"generic"
],
"message": "AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"aws"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$ACCOUNT_ID = $SECRET\n"
},
{
"pattern": "$ACCOUNT_ID : $SECRET\n"
},
{
"pattern": "$ACCOUNT_ID => $SECRET\n"
},
{
"pattern": "$ACCOUNT_ID = \"$SECRET\"\n"
},
{
"pattern": "$ACCOUNT_ID : \"$SECRET\"\n"
},
{
"pattern": "$ACCOUNT_ID => \"$SECRET\"\n"
},
{
"pattern": "\"$ACCOUNT_ID\" = \"$SECRET\"\n"
},
{
"pattern": "\"$ACCOUNT_ID\" : \"$SECRET\"\n"
},
{
"pattern": "\"$ACCOUNT_ID\" => \"$SECRET\"\n"
}
]
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$SECRET"
}
},
{
"metavariable-regex": {
"metavariable": "$SECRET",
"regex": "^((?!(12345|0000).*)[0-9]{12})$"
}
},
{
"metavariable-regex": {
"metavariable": "$ACCOUNT_ID",
"regex": "(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?(\"|')?"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-aws-appsync-graphql-key",
"languages": [
"regex"
],
"message": "AWS AppSync GraphQL Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"appsync"
]
},
"pattern-regex": "da2-[a-z0-9]{26}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-aws-secret-access-key",
"languages": [
"regex"
],
"message": "AWS Secret Access Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"aws"
]
},
"patterns": [
{
"pattern-regex": "((\"|'|`)?((?i)aws)_?\\w*((?i)secret)_?\\w*(\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\"|'|`)?[A-Za-z0-9/+=]{40}(\"|'|`)?)"
},
{
"pattern-not-regex": "(?i)example|sample|test|fake|xxxxxx"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-aws-session-token",
"languages": [
"regex"
],
"message": "AWS Session Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"aws"
]
},
"patterns": [
{
"pattern-regex": "((?i)AWS_SESSION_TOKEN)\\s*(:|=>|=)\\s*(?P<TOKEN>[A-Za-z0-9/+=]{16,})"
},
{
"pattern-not-regex": "(?i)example|sample|test|fake"
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$TOKEN"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-bcrypt-hash",
"languages": [
"regex"
],
"message": "bcrypt hash detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"secrets",
"bcrypt"
]
},
"pattern-regex": "\\$2[aby]?\\$[\\d]+\\$[./A-Za-z0-9]{53}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-codeclimate",
"languages": [
"regex"
],
"message": "CodeClimate detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"codeclimate"
]
},
"pattern-regex": "(?i)codeclima.{0,50}[\"|'|`]?[0-9a-f]{64}[\"|'|`]?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-etc-shadow",
"languages": [
"regex"
],
"message": "linux shadow file detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"secrets"
]
},
"patterns": [
{
"pattern-regex": "^(\\s*)(?P<ROOT>root:[x!*]*:[0-9]*:[0-9]*)"
},
{
"focus-metavariable": "$ROOT"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-facebook-access-token",
"languages": [
"regex"
],
"message": "Facebook Access Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"facebook"
]
},
"pattern-either": [
{
"pattern-regex": "EAACEdEose0cBA[0-9A-Za-z]+"
},
{
"pattern-regex": "EAAAACZAVC6ygB[0-9A-Za-z]+"
},
{
"pattern-regex": "EAAAAZAw4[0-9A-Za-z]+"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-facebook-oauth",
"languages": [
"regex"
],
"message": "Facebook OAuth detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"facebook"
]
},
"pattern-regex": "[fF][aA][cC][eE][bB][oO][oO][kK].*[tT][oO][kK][eE][nN].*['|\"]?[0-9a-f]{32}['|\"]?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-generic-api-key",
"languages": [
"regex"
],
"message": "Generic API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets"
]
},
"patterns": [
{
"pattern-regex": "[aA][pP][iI]_?[kK][eE][yY][=_:\\s-]+['|\"]?(?<SECRET>[0-9a-zA-Z]{32,45})['|\"]?"
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$SECRET"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-generic-secret",
"languages": [
"regex"
],
"message": "Generic Secret detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets"
]
},
"patterns": [
{
"pattern-regex": "[sS][eE][cC][rR][eE][tT][:= \\t]*['|\\\"]?(?<SECRET>[0-9a-zA-Z]{32,45})['|\\\"]?"
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$SECRET"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-github-token",
"languages": [
"generic"
],
"message": "GitHub Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.blog/changelog/2021-03-04-authentication-token-format-updates/",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"github"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$VAR = $SECRET\n"
},
{
"pattern": "$VAR: $SECRET\n"
},
{
"pattern": "$VAR = '$SECRET'\n"
},
{
"pattern": "$VAR: '$SECRET'\n"
},
{
"pattern": "'$VAR' = '$SECRET'\n"
},
{
"pattern": "'$VAR': '$SECRET'\n"
},
{
"pattern": "\"[hH][tT][tT][pP][sS]?://.*$SECRET.*\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SECRET",
"regex": "gh[pousr]_[A-Za-z0-9_]{36,251}"
}
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$SECRET"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-google-api-key",
"languages": [
"regex"
],
"message": "Google API Key Detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"google"
]
},
"patterns": [
{
"pattern-regex": "\\bAIzaSy[0-9A-Za-z-_]{33}\\b"
},
{
"pattern-not-regex": "\\bAIzaSy[0-9A-Za-z-_]{33}\\b[=]"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-google-cloud-api-key",
"languages": [
"regex"
],
"message": "Google Cloud API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"google-cloud"
]
},
"pattern-regex": "AIza[0-9A-Za-z\\\\-_]{35}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-google-gcm-service-account",
"languages": [
"regex"
],
"message": "Google (GCM) Service account detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"google-cloud"
]
},
"pattern-regex": "((\"|'|`)?type(\"|'|`)?\\s{0,50}(:|=>|=)\\s{0,50}(\"|'|`)?service_account(\"|'|`)?,?)",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-google-oauth-access-token",
"languages": [
"regex"
],
"message": "Google OAuth Access Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"google"
]
},
"pattern-regex": "ya29\\.[0-9A-Za-z\\-_]+",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-google-oauth-url",
"languages": [
"regex"
],
"message": "Google OAuth url detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"google"
]
},
"pattern-regex": "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-heroku-api-key",
"languages": [
"regex"
],
"message": "Heroku API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"heroku"
]
},
"pattern-regex": "[hH][eE][rR][oO][kK][uU].*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-hockeyapp",
"languages": [
"regex"
],
"message": "HockeyApp detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"hockeyapp"
]
},
"pattern-regex": "(?i)hockey.{0,50}(\\\\\\\"|'|`)?[0-9a-f]{32}(\\\\\\\"|'|`)?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-jwt-token",
"languages": [
"regex"
],
"message": "JWT token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-321: Use of Hard-coded Cryptographic Key"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/"
],
"source-rule-url": "https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"jwt"
]
},
"pattern-regex": "eyJ[A-Za-z0-9-_=]{14,}\\.[A-Za-z0-9-_=]{13,}\\.?[A-Za-z0-9-_.+/=]*?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-kolide-api-key",
"languages": [
"regex"
],
"message": "Kolide API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"secrets",
"kolide"
]
},
"pattern-regex": "k2sk_v[0-9]_[0-9a-zA-Z]{24}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-mailchimp-api-key",
"languages": [
"regex"
],
"message": "MailChimp API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"mailchimp"
]
},
"pattern-regex": "[0-9a-f]{32}-us[0-9]{1,2}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-mailgun-api-key",
"languages": [
"regex"
],
"message": "Mailgun API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"mailgun"
]
},
"pattern-regex": "key-[0-9a-zA-Z]{32}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-npm-registry-auth-token",
"languages": [
"generic"
],
"message": "NPM registry authentication token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"secrets",
"npm"
]
},
"paths": {
"include": [
"*npmrc*"
]
},
"patterns": [
{
"pattern": "$AUTHTOKEN = $VALUE"
},
{
"metavariable-regex": {
"metavariable": "$AUTHTOKEN",
"regex": "_(authToken|auth|password)"
}
},
{
"pattern-not": "$AUTHTOKEN = ${...}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-onfido-live-api-token",
"languages": [
"regex"
],
"message": "Onfido live API Token detected",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://documentation.onfido.com/api/latest/#api-tokens"
],
"subcategory": [
"audit"
],
"technology": [
"secrets",
"onfido"
]
},
"pattern-regex": "(?:api_live(?:_[a-zA-Z]{2})?\\.[a-zA-Z0-9-_]{11}\\.[-_a-zA-Z0-9]{32})",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-outlook-team",
"languages": [
"regex"
],
"message": "Outlook Team detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"outlook"
]
},
"pattern-regex": "https://outlook\\.office\\.com/webhook/[0-9a-f-]{36}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-paypal-braintree-access-token",
"languages": [
"regex"
],
"message": "PayPal Braintree Access Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"paypal",
"braintree"
]
},
"pattern-regex": "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-z]{32}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-pgp-private-key-block",
"languages": [
"regex"
],
"message": "Something that looks like a PGP private key block is detected. This is a potential hardcoded secret that could be leaked if this code is committed. Instead, remove this code block from the commit.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets"
]
},
"pattern-regex": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-picatic-api-key",
"languages": [
"regex"
],
"message": "Picatic API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"picatic"
]
},
"pattern-regex": "sk_live_[0-9a-z]{32}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-private-key",
"languages": [
"generic"
],
"message": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "-----BEGIN $TYPE PRIVATE KEY----- $KEY"
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "(?i)([dr]sa|ec|openssh|encrypted)?"
}
}
]
},
{
"patterns": [
{
"pattern": "-----BEGIN PRIVATE KEY-----\n$KEY\n"
}
]
}
]
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$KEY"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-sauce-token",
"languages": [
"regex"
],
"message": "Sauce Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"sauce"
]
},
"pattern-regex": "(?i)sauce.{0,50}(\\\\\\\"|'|`)?[0-9a-f-]{36}(\\\\\\\"|'|`)?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-sendgrid-api-key",
"languages": [
"regex"
],
"message": "SendGrid API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/narendrakadali/gitrob/blob/master/rules/contentsignatures.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"sendgrid"
]
},
"pattern-regex": "SG\\.[a-zA-Z0-9]{22}\\.[a-zA-Z0-9-]{43}\\b",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-slack-token",
"languages": [
"regex"
],
"message": "Slack Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"slack"
]
},
"pattern-either": [
{
"pattern-regex": "(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})"
},
{
"pattern-regex": "xox.-[0-9]{12}-[0-9]{12}-[0-9a-zA-Z]{24}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-slack-webhook",
"languages": [
"regex"
],
"message": "Slack Webhook detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://api.slack.com/messaging/webhooks"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"slack"
]
},
"patterns": [
{
"pattern-regex": "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24}"
},
{
"pattern-not": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-snyk-api-key",
"languages": [
"regex"
],
"message": "Snyk API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"secrets",
"snyk"
]
},
"pattern-regex": "(?i)snyk.{0,50}['|\"|`]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"\\s]?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-softlayer-api-key",
"languages": [
"regex"
],
"message": "SoftLayer API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/softlayer.py",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"softlayer"
]
},
"pattern-regex": "(?i)softlayer.{0,50}[\"|'|`]?[a-z0-9]{64}[\"|'|`]?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-sonarqube-docs-api-key",
"languages": [
"regex"
],
"message": "SonarQube Docs API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"sonarqube"
]
},
"paths": {
"exclude": [
"*.svg",
"*go.sum",
"*cargo.lock",
"*package.json",
"*yarn.lock",
"*package-lock.json",
"*bundle.js",
"*pnpm-lock*",
"*Podfile.lock",
"*/openssl/*.h",
"*.xcscmblueprint"
]
},
"pattern-regex": "(?i)sonar.{0,50}(\\\\\\\"|'|`)?[0-9a-f]{40}(\\\\\\\"|'|`)?",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-square-access-token",
"languages": [
"regex"
],
"message": "Square Access Token detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"square"
]
},
"pattern-regex": "sq0atp-[0-9A-Za-z\\-_]{22}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-square-oauth-secret",
"languages": [
"regex"
],
"message": "Square OAuth Secret detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"square"
]
},
"pattern-regex": "sq0csp-[0-9A-Za-z\\\\\\-_]{43}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-ssh-password",
"languages": [
"regex"
],
"message": "SSH Password detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"ssh"
]
},
"pattern-regex": "sshpass -p\\s*['|\\\\\\\"][^%]",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-stripe-api-key",
"languages": [
"regex"
],
"message": "Stripe API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"stripe"
]
},
"pattern-regex": "sk_live_[0-9a-zA-Z]{24}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-stripe-restricted-api-key",
"languages": [
"regex"
],
"message": "Stripe Restricted API Key detected",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"stripe"
]
},
"pattern-regex": "rk_live_[0-9a-zA-Z]{24}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-telegram-bot-api-key",
"languages": [
"regex"
],
"message": "Telegram Bot API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"telegram"
]
},
"patterns": [
{
"pattern-regex": "[0-9]+:AA[0-9A-Za-z\\-_]{33}"
},
{
"pattern-not-regex": "go\\.mod.*"
},
{
"pattern-not-regex": "v[\\d]+\\.[\\d]+\\.[\\d]+.*"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-twilio-api-key",
"languages": [
"regex"
],
"message": "Twilio API Key detected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json",
"subcategory": [
"audit"
],
"technology": [
"secrets",
"twilio"
]
},
"pattern-regex": "SK[0-9a-fA-F]{32}",
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.detected-username-and-password-in-uri",
"languages": [
"generic"
],
"message": "Username and password in URI detected",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go"
],
"subcategory": [
"vuln"
],
"technology": [
"secrets"
]
},
"patterns": [
{
"pattern": "$PROTOCOL://$...USERNAME:$...PASSWORD@$END"
},
{
"metavariable-regex": {
"metavariable": "$...USERNAME",
"regex": "\\A({?)([A-Za-z])([A-Za-z0-9_-]){5,31}(}?)\\Z"
}
},
{
"metavariable-regex": {
"metavariable": "$...PASSWORD",
"regex": "(?!.*[\\s])(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~]){6,32}"
}
},
{
"metavariable-regex": {
"metavariable": "$PROTOCOL",
"regex": "(.*http.*)|(.*sql.*)|(.*ftp.*)|(.*smtp.*)"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.generic.secrets.security.google-maps-apikeyleak",
"languages": [
"generic"
],
"message": "Detects potential Google Maps API keys in code",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory"
],
"description": "Detects potential Google Maps API keys in code",
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A3:2017 Sensitive Data Exposure"
],
"references": [
"https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e"
],
"severity": "MEDIUM",
"subcategory": [
"audit"
],
"technology": [
"Google Maps"
]
},
"patterns": [
{
"pattern-regex": "^(AIza[0-9A-Za-z_-]{35}(?!\\S))$"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.generic.unicode.security.contains-bidirectional-characters",
"languages": [
"bash",
"c",
"csharp",
"go",
"java",
"js",
"json",
"kotlin",
"lua",
"ocaml",
"php",
"python",
"ruby",
"rust",
"scala",
"ts",
"yaml"
],
"message": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://trojansource.codes/"
],
"subcategory": [
"audit"
],
"technology": [
"unicode"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-regex": "\u202a"
},
{
"pattern-regex": "\u202b"
},
{
"pattern-regex": "\u202d"
},
{
"pattern-regex": "\u202e"
},
{
"pattern-regex": "\u2066"
},
{
"pattern-regex": "\u2067"
},
{
"pattern-regex": "\u2068"
},
{
"pattern-regex": "\u202c"
},
{
"pattern-regex": "\u2069"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.aws-lambda.security.database-sqli",
"languages": [
"go"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://pkg.go.dev/database/sql#DB.Query"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"database",
"sql"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$DB.Exec($QUERY,...)"
},
{
"pattern": "$DB.ExecContent($QUERY,...)"
},
{
"pattern": "$DB.Query($QUERY,...)"
},
{
"pattern": "$DB.QueryContext($QUERY,...)"
},
{
"pattern": "$DB.QueryRow($QUERY,...)"
},
{
"pattern": "$DB.QueryRowContext($QUERY,...)"
}
]
},
{
"pattern-inside": "import \"database/sql\"\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER($CTX $CTXTYPE, $EVENT $TYPE, ...) {...}\n...\nlambda.Start($HANDLER, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "func $HANDLER($EVENT $TYPE) {...}\n...\nlambda.Start($HANDLER, ...)\n"
},
{
"pattern-not-inside": "func $HANDLER($EVENT context.Context) {...}\n...\nlambda.Start($HANDLER, ...)\n"
}
]
}
]
},
{
"focus-metavariable": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.aws-lambda.security.tainted-sql-string",
"languages": [
"go"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "strconv.Atoi(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(\\s*select|\\s*delete|\\s*insert|\\s*create|\\s*update|\\s*alter|\\s*drop).*"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "fmt.Fprintf($F, \"$SQLSTR\", ...)"
},
{
"pattern": "fmt.Sprintf(\"$SQLSTR\", ...)"
},
{
"pattern": "fmt.Printf(\"$SQLSTR\", ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*%(v|s|q).*"
}
}
]
}
]
},
{
"pattern-not-inside": "log.$PRINT(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER($CTX $CTXTYPE, $EVENT $TYPE, ...) {...}\n...\nlambda.Start($HANDLER, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "func $HANDLER($EVENT $TYPE) {...}\n...\nlambda.Start($HANDLER, ...)\n"
},
{
"pattern-not-inside": "func $HANDLER($EVENT context.Context) {...}\n...\nlambda.Start($HANDLER, ...)\n"
}
]
}
]
},
{
"focus-metavariable": "$EVENT"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.gorilla.security.audit.handler-assignment-from-multiple-sources",
"languages": [
"go"
],
"message": "Variable $VAR is assigned from two different sources: '$Y' and '$R'. Make sure this is intended, as this could cause logic bugs if they are treated as they are the same object.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-289: Authentication Bypass by Alternate Name"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/289.html"
],
"subcategory": [
"audit"
],
"technology": [
"gorilla"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$Y, err := store.Get(...)\n...\n$VAR := $Y.Values[...]\n...\n$VAR = $R\n"
},
{
"focus-metavariable": "$R"
}
]
},
{
"patterns": [
{
"pattern": "$Y, err := store.Get(...)\n...\nvar $VAR $INT = $Y.Values[\"...\"].($INT)\n...\n$VAR = $R\n"
},
{
"focus-metavariable": "$R"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "func $HANDLER(..., $R *http.Request, ...) {\n ...\n}\n"
},
{
"focus-metavariable": "$R"
},
{
"pattern-either": [
{
"pattern": "$R.query"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(HttpOnly\\s*:\\s+)false",
"replacement": "\\1true"
},
"id": "vendored-rules.go.gorilla.security.audit.session-cookie-missing-httponly",
"languages": [
"go"
],
"message": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69"
],
"subcategory": [
"audit"
],
"technology": [
"gorilla"
]
},
"patterns": [
{
"pattern-not-inside": "&sessions.Options{\n ...,\n HttpOnly: true,\n ...,\n}\n"
},
{
"pattern": "&sessions.Options{\n ...,\n}\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(Secure\\s*:\\s+)false",
"replacement": "\\1true"
},
"id": "vendored-rules.go.gorilla.security.audit.session-cookie-missing-secure",
"languages": [
"go"
],
"message": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69"
],
"subcategory": [
"audit"
],
"technology": [
"gorilla"
]
},
"patterns": [
{
"pattern-not-inside": "&sessions.Options{\n ...,\n Secure: true,\n ...,\n}\n"
},
{
"pattern": "&sessions.Options{\n ...,\n}\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(SameSite\\s*:\\s+)http.SameSiteNoneMode",
"replacement": "\\1http.SameSiteDefaultMode"
},
"id": "vendored-rules.go.gorilla.security.audit.session-cookie-samesitenone",
"languages": [
"go"
],
"message": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://pkg.go.dev/github.com/gorilla/sessions#Options"
],
"subcategory": [
"audit"
],
"technology": [
"gorilla"
]
},
"patterns": [
{
"pattern-inside": "&sessions.Options{\n ...,\n SameSite: http.SameSiteNoneMode,\n ...,\n}\n"
},
{
"pattern": "&sessions.Options{\n ...,\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.gorilla.security.audit.websocket-missing-origin-check",
"languages": [
"go"
],
"message": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://pkg.go.dev/github.com/gorilla/websocket#Upgrader"
],
"subcategory": [
"audit"
],
"technology": [
"gorilla"
]
},
"patterns": [
{
"pattern-inside": "import (\"github.com/gorilla/websocket\")\n...\n"
},
{
"patterns": [
{
"pattern-not-inside": "$UPGRADER = websocket.Upgrader{..., CheckOrigin: $FN ,...}\n...\n"
},
{
"pattern-not-inside": "$UPGRADER.CheckOrigin = $FN2\n...\n"
},
{
"pattern": "$UPGRADER.Upgrade(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.gorm.security.audit.gorm-dangerous-method-usage",
"languages": [
"go"
],
"message": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using $METHOD function, do not trust user-submitted data and only allow approved list of input (possibly, use an allowlist approach).",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://gorm.io/docs/security.html#SQL-injection-Methods",
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"gorm"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "strconv.Atoi(...)"
},
{
"pattern": "($X: bool)\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "import (\"gorm.io/gorm\")\n...\n"
},
{
"patterns": [
{
"pattern-inside": "func $VAL(..., $GORM *gorm.DB,... ) {\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern": "$GORM. ... .$METHOD($VALUE)\n"
},
{
"pattern": "$DB := $GORM. ... .$ANYTHING(...)\n...\n$DB. ... .$METHOD($VALUE)\n"
}
]
}
]
},
{
"focus-metavariable": "$VALUE"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Order|Exec|Raw|Group|Having|Distinct|Select|Pluck)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)WithInsecure\\(.*?\\)",
"replacement": "\\1WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>))"
},
"id": "vendored-rules.go.grpc.security.grpc-client-insecure-connection",
"languages": [
"go"
],
"message": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-300: Channel Accessible by Non-Endpoint"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption"
],
"subcategory": [
"audit"
],
"technology": [
"grpc"
]
},
"pattern": "$GRPC.Dial($ADDR, ..., $GRPC.WithInsecure(...), ...)",
"severity": "ERROR"
},
{
"id": "vendored-rules.go.grpc.security.grpc-server-insecure-connection",
"languages": [
"go"
],
"message": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-300: Channel Accessible by Non-Endpoint"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption"
],
"subcategory": [
"audit"
],
"technology": [
"grpc"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "grpc.NewServer($OPT, ...)",
"requires": "OPTIONS and not CREDS"
},
{
"pattern": "grpc.NewServer()",
"requires": "EMPTY_CONSTRUCTOR"
}
],
"pattern-sources": [
{
"label": "OPTIONS",
"pattern": "grpc.ServerOption{ ... }"
},
{
"label": "CREDS",
"pattern": "grpc.Creds(...)"
},
{
"label": "EMPTY_CONSTRUCTOR",
"pattern": "grpc.NewServer()"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.jwt-go.security.jwt-go-none-algorithm",
"languages": [
"go"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import \"github.com/golang-jwt/jwt\"\n...\n"
},
{
"pattern-inside": "import \"github.com/dgrijalva/jwt-go\"\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "jwt.SigningMethodNone\n"
},
{
"pattern": "jwt.UnsafeAllowNoneSignatureType"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.jwt-go.security.hardcoded-jwt-key",
"languages": [
"go"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"jwt",
"secrets"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$TOKEN.SignedString($F)\n"
}
]
},
{
"focus-metavariable": "$F"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "[]byte(\"$F\")\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.jwt-go.security.audit.jwt-go-parse-unverified",
"languages": [
"go"
],
"message": "Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "import \"github.com/dgrijalva/jwt-go\"\n...\n"
},
{
"pattern": "$JWT.ParseUnverified(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.bad-tmp-file-creation",
"languages": [
"go"
],
"message": "File creation in shared tmp directory without using ioutil.Tempfile",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-377: Insecure Temporary File"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "ioutil.WriteFile(\"=~//tmp/.*$/\", ...)"
},
{
"pattern": "os.Create(\"=~//tmp/.*$/\", ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)(Copy|CopyBuffer)\\((.*?),(.*?)(\\)|,.*\\))",
"replacement": "\\1CopyN(\\3, \\4, 1024*1024*256)"
},
"id": "vendored-rules.go.lang.security.potential-dos-via-decompression-bomb",
"languages": [
"go"
],
"message": "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-400: Uncontrolled Resource Consumption"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://golang.org/pkg/io/#CopyN",
"https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "io.Copy(...)"
},
{
"pattern": "io.CopyBuffer(...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "gzip.NewReader(...)\n...\n"
},
{
"pattern-inside": "zlib.NewReader(...)\n...\n"
},
{
"pattern-inside": "zlib.NewReaderDict(...)\n...\n"
},
{
"pattern-inside": "bzip2.NewReader(...)\n...\n"
},
{
"pattern-inside": "flate.NewReader(...)\n...\n"
},
{
"pattern-inside": "flate.NewReaderDict(...)\n...\n"
},
{
"pattern-inside": "lzw.NewReader(...)\n...\n"
},
{
"pattern-inside": "tar.NewReader(...)\n...\n"
},
{
"pattern-inside": "zip.NewReader(...)\n...\n"
},
{
"pattern-inside": "zip.OpenReader(...)\n...\n"
}
]
}
],
"severity": "WARNING"
},
{
"fix": "filepath.FromSlash(filepath.Clean(\"/\"+strings.Trim($...INNER, \"/\")))",
"id": "vendored-rules.go.lang.security.filepath-clean-misuse",
"languages": [
"go"
],
"message": "`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean(\"/\"+strings.Trim(req.URL.Path, \"/\")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://pkg.go.dev/path#Clean",
"http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html",
"https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/",
"https://dzx.cz/2021/04/02/go_path_traversal/",
"https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "\"/\" + ...\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "filepath.Clean($...INNER)"
},
{
"pattern": "path.Clean($...INNER)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.reverseproxy-director",
"languages": [
"go"
],
"message": "ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-115: Misinterpretation of Input"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://github.com/golang/go/issues/50580"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"net/http/httputil\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "$PROXY.Director = $FUNC"
},
{
"patterns": [
{
"pattern-inside": "httputil.ReverseProxy{\n ...\n}\n"
},
{
"pattern": "Director: $FUNC\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.shared-url-struct-mutation",
"languages": [
"go"
],
"message": "Shared URL struct may have been accidentally mutated. Ensure that this behavior is intended.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-436: Interpretation Conflict"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://github.com/golang/go/issues/63777"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"net/url\"\n...\n"
},
{
"pattern-not-inside": "... = url.Parse(...)\n...\n"
},
{
"pattern-not-inside": "... = url.ParseRequestURI(...)\n...\n"
},
{
"pattern-not-inside": "... = url.URL{...}\n...\n"
},
{
"pattern-not-inside": "var $URL *$X.URL\n...\n"
},
{
"pattern-either": [
{
"pattern": "$URL.RawQuery = ..."
},
{
"pattern": "$URL.Path = ..."
},
{
"pattern": "$URL.RawPath = ..."
},
{
"pattern": "$URL.Fragment = ..."
},
{
"pattern": "$URL.RawFragment = ..."
},
{
"pattern": "$URL.Scheme = ..."
},
{
"pattern": "$URL.Opaque = ..."
},
{
"pattern": "$URL.Host = ..."
},
{
"pattern": "$URL.User = ..."
}
]
},
{
"metavariable-pattern": {
"metavariable": "$URL",
"patterns": [
{
"pattern-not": "$X.$Y"
},
{
"pattern-not": "$X[...]"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.path-traversal-inside-zip-extraction",
"languages": [
"go"
],
"message": "File traversal when extracting zip archive",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source_rule_url": "https://github.com/securego/gosec/issues/205",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern": "reader, $ERR := zip.OpenReader($ARCHIVE)\n...\nfor _, $FILE := range reader.File {\n ...\n path := filepath.Join($TARGET, $FILE.Name)\n ...\n}\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.dangerous-command-write",
"languages": [
"go"
],
"message": "Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern": "$CW.Write($BYTE)\n"
},
{
"pattern-inside": "$CW,$ERR := $CMD.StdinPipe()\n...\n"
},
{
"pattern-not": "$CW.Write(\"...\")\n"
},
{
"pattern-not": "$CW.Write([]byte(\"...\"))\n"
},
{
"pattern-not": "$CW.Write([]byte(\"...\"+\"...\"))\n"
},
{
"pattern-not-inside": "$BYTE = []byte(\"...\");\n...\n"
},
{
"pattern-not-inside": "$BYTE = []byte(\"...\"+\"...\");\n...\n"
},
{
"pattern-inside": "import \"os/exec\"\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.dangerous-exec-cmd",
"languages": [
"go"
],
"message": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "exec.Cmd {...,Path: $CMD,...}\n"
},
{
"pattern-not": "exec.Cmd {...,Path: \"...\",...}\n"
},
{
"pattern-not-inside": "$CMD,$ERR := exec.LookPath(\"...\");\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n"
}
]
},
{
"patterns": [
{
"pattern": "exec.Cmd {...,Args: $ARGS,...}\n"
},
{
"pattern-not": "exec.Cmd {...,Args: []string{...},...}\n"
},
{
"pattern-not-inside": "$ARGS = []string{\"...\",...};\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n$ARGS = []string{$CMD,...};\n...\n"
},
{
"pattern-not-inside": "$CMD = exec.LookPath(\"...\");\n...\n$ARGS = []string{$CMD,...};\n...\n"
}
]
},
{
"patterns": [
{
"pattern": "exec.Cmd {...,Args: []string{$CMD,...},...}\n"
},
{
"pattern-not": "exec.Cmd {...,Args: []string{\"...\",...},...}\n"
},
{
"pattern-not-inside": "$CMD,$ERR := exec.LookPath(\"...\");\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "exec.Cmd {...,Args: []string{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$EXE,...},...}\n"
},
{
"patterns": [
{
"pattern": "exec.Cmd {...,Args: []string{$CMD,\"-c\",$EXE,...},...}\n"
},
{
"pattern-inside": "$CMD,$ERR := exec.LookPath(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\");\n...\n"
}
]
}
]
},
{
"pattern-not": "exec.Cmd {...,Args: []string{\"...\",\"...\",\"...\",...},...}\n"
},
{
"pattern-not-inside": "$EXE = \"...\";\n...\n"
}
]
}
]
},
{
"pattern-inside": "import \"os/exec\"\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.dangerous-exec-command",
"languages": [
"go"
],
"message": "Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "exec.Command($CMD,...)\n"
},
{
"pattern": "exec.CommandContext($CTX,$CMD,...)\n"
}
]
},
{
"pattern-not": "exec.Command(\"...\",...)\n"
},
{
"pattern-not": "exec.CommandContext($CTX,\"...\",...)\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "exec.Command(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$CMD,...)\n"
},
{
"pattern": "exec.CommandContext($CTX,\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$CMD,...)\n"
}
]
},
{
"pattern-not": "exec.Command(\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "exec.CommandContext($CTX,\"...\",\"...\",\"...\",...)\n"
}
]
},
{
"pattern-either": [
{
"pattern": "exec.Command(\"=~/\\/bin\\/env/\",\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$CMD,...)\n"
},
{
"pattern": "exec.CommandContext($CTX,\"=~/\\/bin\\/env/\",\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$CMD,...)\n"
}
]
}
]
},
{
"pattern-inside": "import \"os/exec\"\n...\n"
},
{
"pattern-not-inside": "$CMD,$ERR := exec.LookPath(\"...\");\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.dangerous-syscall-exec",
"languages": [
"go"
],
"message": "Detected non-static command inside Exec. Audit the input to 'syscall.Exec'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "syscall.$METHOD($BIN,...)\n"
},
{
"pattern-not": "syscall.$METHOD(\"...\",...)\n"
},
{
"pattern-not-inside": "$BIN,$ERR := exec.LookPath(\"...\");\n...\n"
},
{
"pattern-not-inside": "$BIN = \"...\";\n...\n"
}
]
},
{
"patterns": [
{
"pattern": "syscall.$METHOD($BIN,$ARGS,...)\n"
},
{
"pattern-not": "syscall.$METHOD($BIN,[]string{\"...\",...},...)\n"
},
{
"pattern-not-inside": "$ARGS := []string{\"...\",...};\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n$ARGS = []string{$CMD,...};\n...\n"
},
{
"pattern-not-inside": "$CMD,$ERR := exec.LookPath(\"...\");\n...\n$ARGS = []string{$CMD,...};\n...\n"
}
]
},
{
"patterns": [
{
"pattern": "syscall.$METHOD($BIN,[]string{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$EXE,...},...)\n"
},
{
"pattern-not": "syscall.$METHOD($BIN,[]string{\"...\",\"...\",\"...\",...},...)\n"
}
]
},
{
"patterns": [
{
"pattern": "syscall.$METHOD($BIN,$ARGS,...)\n"
},
{
"pattern-either": [
{
"pattern-inside": "$ARGS := []string{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$EXE,...};\n...\n"
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\";\n...\n$ARGS = []string{$CMD,\"-c\",$EXE,...};\n...\n"
},
{
"pattern-inside": "$CMD,$ERR := exec.LookPath(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\");\n...\n$ARGS = []string{$CMD,\"-c\",$EXE,...};\n...\n"
}
]
},
{
"pattern-not-inside": "$ARGS := []string{\"...\",\"...\",\"...\",...};\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n$ARGS = []string{$CMD,\"...\",\"...\",...};\n...\n"
},
{
"pattern-not-inside": "$CMD,$ERR := exec.LookPath(\"...\");\n...\n$ARGS = []string{$CMD,\"...\",\"...\",...};\n...\n"
}
]
}
]
},
{
"pattern-inside": "import \"syscall\"\n...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(Exec|ForkExec)"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.md5-used-as-password",
"languages": [
"go"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html",
"https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords",
"https://github.com/returntocorp/semgrep-rules/issues/1609",
"https://pkg.go.dev/golang.org/x/crypto/bcrypt"
],
"subcategory": [
"vuln"
],
"technology": [
"md5"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FUNCTION(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "md5.New"
},
{
"pattern": "md5.Sum"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.reflect-makefunc",
"languages": [
"go"
],
"message": "'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern": "reflect.MakeFunc(...)",
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.unsafe-reflect-by-name",
"languages": [
"go"
],
"message": "If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SMTH.MethodByName($NAME,...)\n"
},
{
"pattern": "$SMTH.FieldByName($NAME,...)\n"
}
]
},
{
"pattern-not": "$SMTH.MethodByName(\"...\",...)\n"
},
{
"pattern-not": "$SMTH.FieldByName(\"...\",...)\n"
},
{
"pattern-inside": "import \"reflect\"\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.use-of-unsafe-block",
"languages": [
"go"
],
"message": "Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you're doing.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-242: Use of Inherently Dangerous Function"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/242.html"
],
"source_rule_url": "https://github.com/securego/gosec/blob/master/rules/unsafe.go",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern": "unsafe.$FUNC(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.insecure-module-used",
"languages": [
"go"
],
"message": "The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://godoc.org/golang.org/x/crypto/sha3"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import \"net/http/cgi\"\n...\n"
},
{
"pattern": "cgi.$FUNC(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.avoid-ssh-insecure-ignore-host-key",
"languages": [
"go"
],
"message": "Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-322: Key Exchange without Entity Authentication"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/",
"https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern": "ssh.InsecureIgnoreHostKey()",
"severity": "WARNING"
},
{
"fix": "crypto/rand\n",
"id": "vendored-rules.go.lang.security.audit.crypto.math-random-used",
"languages": [
"go"
],
"message": "Do not use `math/rand`. Use `crypto/rand` instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "import $RAND \"$MATH\"\n"
},
{
"pattern": "import \"$MATH\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$MATH",
"regex": "^(math/rand(\\/v[0-9]+)*)$"
}
},
{
"pattern-either": [
{
"pattern-inside": "...\nrand.$FUNC(...)\n"
},
{
"pattern-inside": "...\n$RAND.$FUNC(...)\n"
}
]
},
{
"focus-metavariable": [
"$MATH"
]
}
],
"severity": "WARNING"
},
{
"fix": "tls.Config{ $...CONF, MinVersion: tls.VersionTLS13 }\n",
"id": "vendored-rules.go.lang.security.audit.crypto.missing-ssl-minversion",
"languages": [
"go"
],
"message": "`MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://golang.org/doc/go1.14#crypto/tls",
"https://golang.org/pkg/crypto/tls/#:~:text=MinVersion",
"https://www.us-cert.gov/ncas/alerts/TA14-290A"
],
"source-rule-url": "https://github.com/securego/gosec/blob/master/rules/tls_config.go",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern": "tls.Config{ $...CONF }\n"
},
{
"pattern-not": "tls.Config{..., MinVersion: ..., ...}\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "VersionSSL30",
"replacement": "VersionTLS13"
},
"id": "vendored-rules.go.lang.security.audit.crypto.ssl-v3-is-insecure",
"languages": [
"go"
],
"message": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://golang.org/doc/go1.14#crypto/tls",
"https://www.us-cert.gov/ncas/alerts/TA14-290A"
],
"source-rule-url": "https://github.com/securego/gosec/blob/master/rules/tls_config.go",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"pattern": "tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}",
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.tls-with-insecure-cipher",
"languages": [
"go"
],
"message": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://golang.org/pkg/crypto/tls/#InsecureCipherSuites"
],
"source-rule-url": "https://github.com/securego/gosec/blob/master/rules/tls.go",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_RC4_128_SHA, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_AES_128_CBC_SHA256, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}}\n"
},
{
"pattern": "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}\n"
},
{
"pattern": "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.use-of-md5",
"languages": [
"go"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://github.com/securego/gosec#available-rules",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"crypto/md5\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "md5.New()\n"
},
{
"pattern": "md5.Sum(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.use-of-sha1",
"languages": [
"go"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://github.com/securego/gosec#available-rules",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"crypto/sha1\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "sha1.New()\n"
},
{
"pattern": "sha1.Sum(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.use-of-DES",
"languages": [
"go"
],
"message": "Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://github.com/securego/gosec#available-rules",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"crypto/des\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "des.NewTripleDESCipher(...)\n"
},
{
"pattern": "des.NewCipher(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.crypto.use-of-rc4",
"languages": [
"go"
],
"message": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://github.com/securego/gosec#available-rules",
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import \"crypto/rc4\"\n...\n"
},
{
"pattern": "rc4.NewCipher(...)"
}
],
"severity": "WARNING"
},
{
"fix": "2048\n",
"id": "vendored-rules.go.lang.security.audit.crypto.use-of-weak-rsa-key",
"languages": [
"go"
],
"message": "RSA keys should be at least 2048 bits",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"
],
"source-rule-url": "https://github.com/securego/gosec/blob/master/rules/rsa.go",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "rsa.GenerateKey(..., $BITS)\n"
},
{
"pattern": "rsa.GenerateMultiPrimeKey(..., $BITS)\n"
}
]
},
{
"metavariable-comparison": {
"comparison": "$BITS < 2048",
"metavariable": "$BITS"
}
},
{
"focus-metavariable": [
"$BITS"
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.database.string-formatted-query",
"languages": [
"go"
],
"message": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"metavariable-regex": {
"metavariable": "$OBJ",
"regex": "(?i).*(db|database)"
}
},
{
"pattern-not-inside": "$VAR = \"...\" + \"...\"\n...\n$OBJ.$SINK(..., $VAR, ...)\n"
},
{
"pattern-not": "$OBJ.Exec(\"...\")"
},
{
"pattern-not": "$OBJ.ExecContext($CTX, \"...\")"
},
{
"pattern-not": "$OBJ.Query(\"...\")"
},
{
"pattern-not": "$OBJ.QueryContext($CTX, \"...\")"
},
{
"pattern-not": "$OBJ.QueryRow(\"...\")"
},
{
"pattern-not": "$OBJ.QueryRow($CTX, \"...\")"
},
{
"pattern-not": "$OBJ.QueryRowContext($CTX, \"...\")"
},
{
"pattern-either": [
{
"pattern": "$OBJ.Exec($X + ...)"
},
{
"pattern": "$OBJ.ExecContext($CTX, $X + ...)"
},
{
"pattern": "$OBJ.Query($X + ...)"
},
{
"pattern": "$OBJ.QueryContext($CTX, $X + ...)"
},
{
"pattern": "$OBJ.QueryRow($X + ...)"
},
{
"pattern": "$OBJ.QueryRow($CTX, $X + ...)"
},
{
"pattern": "$OBJ.QueryRowContext($CTX, $X + ...)"
},
{
"pattern": "$OBJ.Exec(fmt.$P(\"...\", ...))"
},
{
"pattern": "$OBJ.ExecContext($CTX, fmt.$P(\"...\", ...))"
},
{
"pattern": "$OBJ.Query(fmt.$P(\"...\", ...))"
},
{
"pattern": "$OBJ.QueryContext($CTX, fmt.$P(\"...\", ...))"
},
{
"pattern": "$OBJ.QueryRow(fmt.$P(\"...\", ...))"
},
{
"pattern": "$OBJ.QueryRow($CTX, fmt.$U(\"...\", ...))"
},
{
"pattern": "$OBJ.QueryRowContext($CTX, fmt.$P(\"...\", ...))"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$QUERY = fmt.Fprintf($F, \"$SQLSTR\", ...)"
},
{
"pattern": "$QUERY = fmt.Sprintf(\"$SQLSTR\", ...)"
},
{
"pattern": "$QUERY = fmt.Printf(\"$SQLSTR\", ...)"
},
{
"pattern": "$QUERY = $X + ..."
}
]
},
{
"pattern-either": [
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.Query($QUERY, ...)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.ExecContext($CTX, $QUERY, ...)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.Exec($QUERY, ...)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.QueryRow($CTX, $QUERY)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.QueryRow($QUERY)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.QueryContext($CTX, $QUERY)\n ...\n}\n"
},
{
"pattern-inside": "func $FUNC(...) {\n ...\n $OBJ.QueryRowContext($CTX, $QUERY, ...)\n ...\n}\n"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.avoid-bind-to-all-interfaces",
"languages": [
"go"
],
"message": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://github.com/securego/gosec",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "tls.Listen($NETWORK, \"=~/^0.0.0.0:.*$/\", ...)"
},
{
"pattern": "net.Listen($NETWORK, \"=~/^0.0.0.0:.*$/\", ...)"
},
{
"pattern": "tls.Listen($NETWORK, \"=~/^:.*$/\", ...)"
},
{
"pattern": "net.Listen($NETWORK, \"=~/^:.*$/\", ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(HttpOnly\\s*:\\s+)false",
"replacement": "\\1true"
},
"id": "vendored-rules.go.lang.security.audit.net.cookie-missing-httponly",
"languages": [
"go"
],
"message": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go",
"https://golang.org/src/net/http/cookie.go"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-not-inside": "http.Cookie{\n ...,\n HttpOnly: true,\n ...,\n}\n"
},
{
"pattern": "http.Cookie{\n ...,\n}\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(Secure\\s*:\\s+)false",
"replacement": "\\1true"
},
"id": "vendored-rules.go.lang.security.audit.net.cookie-missing-secure",
"languages": [
"go"
],
"message": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go",
"https://golang.org/src/net/http/cookie.go"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-not-inside": "http.Cookie{\n ...,\n Secure: true,\n ...,\n}\n"
},
{
"pattern": "http.Cookie{\n ...,\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.dynamic-httptrace-clienttrace",
"languages": [
"go"
],
"message": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/returntocorp/semgrep-rules/issues/518"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-not-inside": "package $PACKAGE\n...\n&httptrace.ClientTrace { ... }\n...\n"
},
{
"pattern": "httptrace.WithClientTrace($ANY, $TRACE)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.formatted-template-string",
"languages": [
"go"
],
"message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#HTML"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-not": "template.HTML(\"...\" + \"...\")"
},
{
"pattern-either": [
{
"pattern": "template.HTML($T + $X, ...)"
},
{
"pattern": "template.HTML(fmt.$P(\"...\", ...), ...)"
},
{
"pattern": "$T = \"...\"\n...\n$T = $FXN(..., $T, ...)\n...\ntemplate.HTML($T, ...)\n"
},
{
"pattern": "$T = fmt.$P(\"...\", ...)\n...\ntemplate.HTML($T, ...)\n"
},
{
"pattern": "$T, $ERR = fmt.$P(\"...\", ...)\n...\ntemplate.HTML($T, ...)\n"
},
{
"pattern": "$T = $X + $Y\n...\ntemplate.HTML($T, ...)\n"
},
{
"pattern": "$T = \"...\"\n...\n$OTHER, $ERR = fmt.$P(..., $T, ...)\n...\ntemplate.HTML($OTHER, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.fs-directory-listing",
"languages": [
"go"
],
"message": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-548: Exposure of Information Through Directory Listing"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/OWASP/Go-SCP",
"https://cwe.mitre.org/data/definitions/548.html"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$FS := http.FileServer(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "http.ListenAndServe(..., $FS)\n"
},
{
"pattern": "http.ListenAndServeTLS(..., $FS)\n"
},
{
"pattern": "http.Handle(..., $FS)\n"
},
{
"pattern": "http.HandleFunc(..., $FS)\n"
}
]
}
]
},
{
"patterns": [
{
"pattern": "http.$FN(..., http.FileServer(...))\n"
},
{
"metavariable-regex": {
"metavariable": "$FN",
"regex": "(ListenAndServe|ListenAndServeTLS|Handle|HandleFunc)"
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.pprof-debug-exposure",
"languages": [
"go"
],
"message": "The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A06:2017 - Security Misconfiguration",
"references": [
"https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/"
],
"source-rule-url": "https://github.com/securego/gosec#available-rules",
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import _ \"net/http/pprof\"\n...\n"
},
{
"pattern-inside": "func $ANY(...) {\n ...\n}\n"
},
{
"pattern-not-inside": "$MUX = http.NewServeMux(...)\n...\nhttp.ListenAndServe($ADDR, $MUX)\n"
},
{
"pattern-not": "http.ListenAndServe(\"=~/^localhost.*/\", ...)"
},
{
"pattern-not": "http.ListenAndServe(\"=~/^127[.]0[.]0[.]1.*/\", ...)"
},
{
"pattern": "http.ListenAndServe(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.unescaped-data-in-htmlattr",
"languages": [
"go"
],
"message": "Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#HTMLAttr"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "template.HTMLAttr($T + $X, ...)"
},
{
"pattern": "template.HTMLAttr(fmt.$P(\"...\", ...), ...)"
},
{
"pattern": "$T = \"...\"\n...\n$T = $FXN(..., $T, ...)\n...\ntemplate.HTMLAttr($T, ...)\n"
},
{
"pattern": "$T = fmt.$P(\"...\", ...)\n...\ntemplate.HTMLAttr($T, ...)\n"
},
{
"pattern": "$T, $ERR = fmt.$P(\"...\", ...)\n...\ntemplate.HTMLAttr($T, ...)\n"
},
{
"pattern": "$T = $X + $Y\n...\ntemplate.HTMLAttr($T, ...)\n"
},
{
"pattern": "$T = \"...\"\n...\n$OTHER, $ERR = fmt.$P(..., $T, ...)\n...\ntemplate.HTMLAttr($OTHER, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.unescaped-data-in-js",
"languages": [
"go"
],
"message": "Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#JS"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "template.JS($T + $X, ...)"
},
{
"pattern": "template.JS(fmt.$P(\"...\", ...), ...)"
},
{
"pattern": "$T = \"...\"\n...\n$T = $FXN(..., $T, ...)\n...\ntemplate.JS($T, ...)\n"
},
{
"pattern": "$T = fmt.$P(\"...\", ...)\n...\ntemplate.JS($T, ...)\n"
},
{
"pattern": "$T, $ERR = fmt.$P(\"...\", ...)\n...\ntemplate.JS($T, ...)\n"
},
{
"pattern": "$T = $X + $Y\n...\ntemplate.JS($T, ...)\n"
},
{
"pattern": "$T = \"...\"\n...\n$OTHER, $ERR = fmt.$P(..., $T, ...)\n...\ntemplate.JS($OTHER, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.unescaped-data-in-url",
"languages": [
"go"
],
"message": "Found a formatted template string passed to 'template.URL()'. 'template.URL()' does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#URL"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern-either": [
{
"pattern": "template.URL($T + $X, ...)"
},
{
"pattern": "template.URL(fmt.$P(\"...\", ...), ...)"
},
{
"pattern": "$T = \"...\"\n...\n$T = $FXN(..., $T, ...)\n...\ntemplate.URL($T, ...)\n"
},
{
"pattern": "$T = fmt.$P(\"...\", ...)\n...\ntemplate.URL($T, ...)\n"
},
{
"pattern": "$T, $ERR = fmt.$P(\"...\", ...)\n...\ntemplate.URL($T, ...)\n"
},
{
"pattern": "$T = $X + $Y\n...\ntemplate.URL($T, ...)\n"
},
{
"pattern": "$T = \"...\"\n...\n$OTHER, $ERR = fmt.$P(..., $T, ...)\n...\ntemplate.URL($OTHER, ...)"
}
],
"severity": "WARNING"
},
{
"fix": "http.ListenAndServeTLS($ADDR, certFile, keyFile, $HANDLER)",
"id": "vendored-rules.go.lang.security.audit.net.use-tls",
"languages": [
"go"
],
"message": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://golang.org/pkg/net/http/#ListenAndServeTLS"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"pattern": "http.ListenAndServe($ADDR, $HANDLER)",
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf",
"languages": [
"go"
],
"message": "Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "func $FUNC(..., $W http.ResponseWriter, ...) {\n ...\n var $TEMPLATE = \"...\"\n ...\n $W.Write([]byte(fmt.$PRINTF($TEMPLATE, ...)), ...)\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern": "$PARAMS = r.URL.Query()\n...\n$DATA, $ERR := $PARAMS[...]\n...\n$INTERM = $ANYTHING(..., $DATA, ...)\n...\n$W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...)))\n"
},
{
"pattern": "$PARAMS = r.URL.Query()\n...\n$DATA, $ERR := $PARAMS[...]\n...\n$INTERM = $DATA[...]\n...\n$W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...)))\n"
},
{
"pattern": "$DATA, $ERR := r.URL.Query()[...]\n...\n$INTERM = $DATA[...]\n...\n$W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...)))\n"
},
{
"pattern": "$DATA, $ERR := r.URL.Query()[...]\n...\n$INTERM = $ANYTHING(..., $DATA, ...)\n...\n$W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...)))\n"
},
{
"pattern": "$PARAMS = r.URL.Query()\n...\n$DATA, $ERR := $PARAMS[...]\n...\n$W.Write([]byte(fmt.$PRINTF(..., $DATA, ...)))\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.sqli.gosql-sqli",
"languages": [
"go"
],
"message": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/database/sql/"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$DB.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = fmt.Sprintf(\"...\", $PARAM1, ...)\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
}
]
},
{
"pattern": "$DB.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$DB.$METHOD(..., fmt.Sprintf(\"...\", $PARAM1, ...), ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$DB, ... = sql.Open(...)\n...\n"
},
{
"pattern-inside": "func $FUNCNAME(..., $DB *sql.DB, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$DB.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Exec|ExecContent|Query|QueryContext|QueryRow|QueryRowContext)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.sqli.pg-orm-sqli",
"languages": [
"go"
],
"message": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://pg.uptrace.dev/queries/"
],
"subcategory": [
"vuln"
],
"technology": [
"go-pg"
]
},
"patterns": [
{
"pattern-inside": "import (\n ...\n \"$IMPORT\"\n)\n...\n"
},
{
"metavariable-regex": {
"metavariable": "$IMPORT",
"regex": ".*go-pg"
}
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$DB.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = fmt.Sprintf(\"...\", $PARAM1, ...)\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
}
]
},
{
"pattern": "$DB.$INTFUNC1(...).$METHOD(..., $X + $Y, ...).$INTFUNC2(...)\n"
},
{
"pattern": "$DB.$METHOD(..., fmt.Sprintf(\"...\", $PARAM1, ...), ...)\n"
},
{
"pattern-inside": "$DB = pg.Connect(...)\n...\n"
},
{
"pattern-inside": "func $FUNCNAME(..., $DB *pg.DB, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "$QUERY = fmt.Sprintf(\"...\", ...,\"...\", ...)\n...\n"
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not": "$DB.$METHOD(...,\"...\",...)"
},
{
"pattern-not": "$DB.$INTFUNC1(...).$METHOD(..., \"...\", ...).$INTFUNC2(...)\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n"
},
{
"pattern-not": "\"...\"\n"
},
{
"pattern-not": "path.Join(...)"
},
{
"pattern-not": "filepath.Join(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Where|WhereOr|Join|GroupExpr|OrderExpr|ColumnExpr)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.sqli.pg-sqli",
"languages": [
"go"
],
"message": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://pg.uptrace.dev/",
"https://pkg.go.dev/github.com/go-pg/pg/v10"
],
"subcategory": [
"vuln"
],
"technology": [
"go-pg"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$DB.$METHOD(...,$QUERY,...)\n"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = fmt.Sprintf(\"...\", $PARAM1, ...)\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
}
]
},
{
"pattern": "$DB.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$DB.$METHOD(..., fmt.Sprintf(\"...\", $PARAM1, ...), ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$DB = pg.Connect(...)\n...\n"
},
{
"pattern-inside": "func $FUNCNAME(..., $DB *pg.DB, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$DB.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Exec|ExecContext|ExecOne|ExecOneContext|Query|QueryOne|QueryContext|QueryOneContext)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.audit.sqli.pgx-sqli",
"languages": [
"go"
],
"message": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/jackc/pgx",
"https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool"
],
"subcategory": [
"vuln"
],
"technology": [
"pgx"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$DB.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = fmt.Sprintf(\"...\", $PARAM1, ...)\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
}
]
},
{
"pattern": "$DB.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$DB.$METHOD(..., fmt.Sprintf(\"...\", $PARAM1, ...), ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$DB, ... = pgx.Connect(...)\n...\n"
},
{
"pattern-inside": "$DB, ... = pgx.NewConnPool(...)\n...\n"
},
{
"pattern-inside": "$DB, ... = pgx.ConnectConfig(...)\n...\n"
},
{
"pattern-inside": "func $FUNCNAME(..., $DB *pgx.Conn, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$DB.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Exec|ExecEx|Query|QueryEx|QueryRow|QueryRowEx)$"
}
}
],
"severity": "ERROR"
},
{
"fix": "html/template\n",
"id": "vendored-rules.go.lang.security.audit.xss.import-text-template",
"languages": [
"go"
],
"message": "When working with web applications that involve rendering user-generated content, it's important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the `text/template` package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it's recommended to use the `html/template` package instead, which provides built-in functionality for HTML escaping. By using `html/template` to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.veracode.com/blog/secure-development/use-golang-these-mistakes-could-compromise-your-apps-security"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern": "import \"$IMPORT\"\n"
},
{
"metavariable-regex": {
"metavariable": "$IMPORT",
"regex": "^(text/template)$"
}
},
{
"focus-metavariable": "$IMPORT"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-direct-write-to-responsewriter",
"languages": [
"go"
],
"message": "Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
},
{
"pattern-inside": "func $HANDLER(..., $WRITER *http.ResponseWriter, ...) {\n ...\n}\n"
},
{
"pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$WRITER.Write(...)"
},
{
"pattern": "(*$WRITER).Write(...)"
}
]
},
{
"pattern-not": "$WRITER.Write([]byte(\"...\"))"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-fprintf-to-responsewriter",
"languages": [
"go"
],
"message": "Detected 'Fprintf' or similar writing to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
},
{
"pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "fmt.$PRINTF($WRITER, \"...\")"
},
{
"pattern": "fmt.$PRINTF($WRITER, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-interpolation-in-tag",
"languages": [
"generic"
],
"message": "Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/golang/go/issues/19669",
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"audit"
],
"technology": [
"generic"
]
},
"paths": {
"include": [
"*.html",
"*.thtml",
"*.gohtml",
"*.tmpl",
"*.tpl"
]
},
"pattern": "<{{ ... }} ... >",
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-interpolation-js-template-string",
"languages": [
"generic"
],
"message": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/golang/go/issues/9200#issuecomment-66100328",
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"audit"
],
"technology": [
"generic"
]
},
"paths": {
"include": [
"*.html",
"*.thtml",
"*.gohtml",
"*.tmpl",
"*.tpl"
]
},
"patterns": [
{
"pattern-inside": "<script ...> ... ... ... ... ... </script>"
},
{
"pattern": "` ... {{ ... }} ...`"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-io-writestring-to-responsewriter",
"languages": [
"go"
],
"message": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/",
"https://golang.org/pkg/io/#WriteString"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
},
{
"pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "io.WriteString($WRITER, \"...\")"
},
{
"pattern": "io.WriteString($WRITER, $STRING)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.no-printf-in-responsewriter",
"languages": [
"go"
],
"message": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $HANDLER(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
},
{
"pattern-inside": "func(..., $WRITER http.ResponseWriter, ...) {\n ...\n}\n"
}
]
},
{
"pattern": "$WRITER.Write(<... fmt.$PRINTF(...) ...>, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xss.unsafe-template-type",
"languages": [
"go"
],
"message": "Semgrep could not determine that the argument to 'template.HTML()' is a constant. 'template.HTML()' and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use 'template.Execute()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#HTML",
"https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33"
],
"subcategory": [
"audit"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-not": "template.$ANY(\"...\" + \"...\")"
},
{
"pattern-not": "template.$ANY(\"...\")"
},
{
"pattern-either": [
{
"pattern": "template.HTML(...)"
},
{
"pattern": "template.CSS(...)"
},
{
"pattern": "template.HTMLAttr(...)"
},
{
"pattern": "template.JS(...)"
},
{
"pattern": "template.JSStr(...)"
},
{
"pattern": "template.Srcset(...)"
},
{
"pattern": "template.URL(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.audit.xxe.parsing-external-entities-enabled",
"languages": [
"go"
],
"message": "Detected enabling of \"XMLParseNoEnt\", which allows parsing of external entities and can lead to XXE if user controlled data is parsed by the library. Instead, do not enable \"XMLParseNoEnt\" or be sure to adequately sanitize user-controlled data when it is being parsed by this library.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://knowledge-base.secureflag.com/vulnerabilities/xml_injection/xml_entity_expansion_go_lang.html",
"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"
],
"subcategory": [
"audit"
],
"technology": [
"libxml2"
]
},
"patterns": [
{
"pattern-inside": "import (\"github.com/lestrrat-go/libxml2/parser\")\n...\n"
},
{
"pattern": "$PARSER := parser.New(parser.XMLParseNoEnt)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.injection.open-redirect",
"languages": [
"go"
],
"message": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"description": "An HTTP redirect was found to be crafted from user-input leading to an open redirect vulnerability",
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"references": [
"https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "http.Redirect($W, $REQ, $URL, ...)"
},
{
"focus-metavariable": "$URL"
}
],
"requires": "INPUT and not CLEAN"
}
],
"pattern-sources": [
{
"label": "INPUT",
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
},
{
"label": "CLEAN",
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$URLSTR\" + $INPUT\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "fmt.Fprintf($F, \"$URLSTR\", $INPUT, ...)"
},
{
"pattern": "fmt.Sprintf(\"$URLSTR\", $INPUT, ...)"
},
{
"pattern": "fmt.Printf(\"$URLSTR\", $INPUT, ...)"
}
]
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*//[a-zA-Z0-10]+\\..*"
}
}
],
"requires": "INPUT"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.injection.raw-html-format",
"languages": [
"go"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "html.EscapeString(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "fmt.Printf(\"$HTMLSTR\", ...)"
},
{
"pattern": "fmt.Sprintf(\"$HTMLSTR\", ...)"
},
{
"pattern": "fmt.Fprintf($W, \"$HTMLSTR\", ...)"
},
{
"pattern": "\"$HTMLSTR\" + ..."
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.lang.security.injection.tainted-sql-string",
"languages": [
"go"
],
"message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/doc/database/sql-injection",
"https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "strconv.Atoi(...)"
},
{
"pattern": "($X: bool)\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$SQLSTR\";\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
},
{
"patterns": [
{
"pattern-inside": "var $SB strings.Builder\n...\n"
},
{
"pattern-inside": "$SB.WriteString(\"$SQLSTR\")\n...\n$SB.String(...)\n"
},
{
"pattern": "$SB.WriteString(...)\n"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop).*"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "fmt.Fprintf($F, \"$SQLSTR\", ...)"
},
{
"pattern": "fmt.Sprintf(\"$SQLSTR\", ...)"
},
{
"pattern": "fmt.Printf(\"$SQLSTR\", ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*%(v|s|q).*"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.lang.security.injection.tainted-url-host",
"languages": [
"go"
],
"message": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://goteleport.com/blog/ssrf-attacks/"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$CLIENT := &http.Client{...}\n...\n"
},
{
"pattern": "$CLIENT.$METHOD($URL, ...)"
}
]
},
{
"pattern": "http.$METHOD($URL, ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(Get|Head|Post|PostForm)$"
}
}
]
},
{
"patterns": [
{
"pattern": "http.NewRequest(\"$METHOD\", $URL, ...)\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(GET|HEAD|POST|POSTFORM)$"
}
}
]
}
]
},
{
"focus-metavariable": "$URL"
}
],
"requires": "INPUT and not CLEAN"
}
],
"pattern-sources": [
{
"label": "INPUT",
"patterns": [
{
"pattern-either": [
{
"pattern": "($REQUEST : *http.Request).$ANYTHING\n"
},
{
"pattern": "($REQUEST : http.Request).$ANYTHING\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ANYTHING",
"regex": "^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$"
}
}
]
},
{
"label": "CLEAN",
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$URLSTR\" + $INPUT\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "fmt.Fprintf($F, \"$URLSTR\", $INPUT, ...)"
},
{
"pattern": "fmt.Sprintf(\"$URLSTR\", $INPUT, ...)"
},
{
"pattern": "fmt.Printf(\"$URLSTR\", $INPUT, ...)"
}
]
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*//[a-zA-Z0-10]+\\..*"
}
}
],
"requires": "INPUT"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.otto.security.audit.dangerous-execution",
"languages": [
"go"
],
"message": "Detected non-static script inside otto VM. Audit the input to 'VM.Run'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"otto",
"vm"
]
},
"patterns": [
{
"pattern-inside": "$VM = otto.New(...)\n...\n"
},
{
"pattern-not": "$VM.Run(\"...\", ...)"
},
{
"pattern": "$VM.Run(...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.go.template.security.go-insecure-templates",
"languages": [
"go"
],
"message": "usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://golang.org/pkg/html/template/#HTML",
"https://twitter.com/empijei/status/1275177219011350528"
],
"subcategory": [
"audit"
],
"technology": [
"template"
]
},
"patterns": [
{
"pattern-inside": "import \"html/template\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "var $VAR template.HTML = $EXP"
},
{
"pattern": "var $VAR template.CSS = $EXP"
},
{
"pattern": "var $VAR template.HTMLAttr = $EXP"
},
{
"pattern": "var $VAR template.JS = $EXP"
},
{
"pattern": "var $VAR template.JSStr = $EXP"
},
{
"pattern": "var $VAR template.Srcset = $EXP"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.go.template.security.go-ssti",
"languages": [
"go"
],
"message": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. When using \"html/template\" always check that user inputs are validated and sanitized before included within the template.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://www.onsecurity.io/blog/go-ssti-method-research/",
"http://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
]
},
"patterns": [
{
"pattern-inside": "import (\"html/template\")\n...\n"
},
{
"pattern": "$TEMPLATE = fmt.Sprintf(\"...\", $ARG, ...)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "func $FN(..., $REQ *http.Request, ...){\n...\n}\n"
},
{
"pattern-inside": "func $FN(..., $REQ http.Request, ...){\n...\n}\n"
},
{
"pattern-inside": "func(..., $REQ *http.Request, ...){\n...\n}\n"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$ARG := $REQ.URL.Query().Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n"
},
{
"pattern-inside": "$ARG := $REQ.Form.Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n"
},
{
"pattern-inside": "$ARG := $REQ.PostForm.Get(...)\n...\n$T, $ERR := $TMPL.Parse($TEMPLATE)\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.html.security.plaintext-http-link",
"languages": [
"html"
],
"message": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/319.html"
],
"subcategory": [
"vuln"
],
"technology": [
"html"
]
},
"patterns": [
{
"pattern": "<a href=\"$URL\">...</a>"
},
{
"metavariable-regex": {
"metavariable": "$URL",
"regex": "^(?i)http://"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.html.security.audit.eval-detected",
"languages": [
"html"
],
"message": "Detected the use of eval(...). This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Follow OWASP best practices to ensure you handle XSS within a JavaScript context correct, and consider using safer APIs to evaluate user-input such as JSON.parse(...). ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern-inside": "<script ...>$...A</script>\n"
},
{
"metavariable-pattern": {
"language": "javascript",
"metavariable": "$...A",
"patterns": [
{
"pattern-either": [
{
"pattern": "$X(...)"
}
]
},
{
"pattern-not": "$X(\"...\")"
},
{
"metavariable-regex": {
"metavariable": "$X",
"regex": "^(eval)$"
}
},
{
"focus-metavariable": "$X"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.html.security.audit.insecure-document-method",
"languages": [
"html"
],
"message": "Detected the use of an inner/outerHTML assignment. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use a dangerous web API, consider using a sanitization library such as DOMPurify to sanitize the HTML before it is assigned.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern-inside": "<script ...>$...A</script>\n"
},
{
"metavariable-pattern": {
"language": "javascript",
"metavariable": "$...A",
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$X. ... .innerHTML = ..."
},
{
"pattern": "$X. ... .outerHTML = ..."
}
]
},
{
"pattern-not": "$X. ... .$V = \"...\""
}
]
}
]
},
{
"focus-metavariable": "$X"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.html.security.audit.missing-integrity",
"languages": [
"generic"
],
"message": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-353: Missing Support for Integrity Check"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"html"
]
},
"paths": {
"include": [
"*.html"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "<script $...A >...</script>"
},
{
"pattern": "<link $...A >"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$...A",
"patterns": [
{
"pattern-either": [
{
"pattern": "src='... :// ...'"
},
{
"pattern": "src=\"... :// ...\""
},
{
"pattern": "href='... :// ...'"
},
{
"pattern": "href=\"... :// ...\""
},
{
"pattern": "src='//...'"
},
{
"pattern": "src=\"//...\""
},
{
"pattern": "href='//...'"
},
{
"pattern": "href=\"//...\""
}
]
},
{
"pattern-not-regex": "(?is).*integrity="
},
{
"pattern-not-regex": "(google-analytics\\.com|fonts\\.googleapis\\.com|fonts\\.gstatic\\.com|googletagmanager\\.com)"
},
{
"pattern-not-regex": ".*rel\\s*=\\s*['\"]?preconnect.*"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.android.security.exported_activity",
"languages": [
"generic"
],
"message": "The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-926: Improper Export of Android Application Components"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A5:2021 Security Misconfiguration"
],
"references": [
"https://cwe.mitre.org/data/definitions/926.html"
],
"subcategory": [
"vuln"
],
"technology": [
"Android"
]
},
"paths": {
"exclude": [
"sources/",
"classes3.dex",
"*.so"
],
"include": [
"*AndroidManifest.xml"
]
},
"patterns": [
{
"pattern-not-inside": "<activity ... android:exported=\"false\" ... />"
},
{
"pattern-inside": "<activity ... /> \n"
},
{
"pattern-either": [
{
"pattern": "<activity ... android:exported=\"true\" ... />\n"
},
{
"pattern": "<activity ... <intent-filter> ... />\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.aws-lambda.security.tainted-sql-string",
"languages": [
"java"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\".concat(...)\n"
},
{
"patterns": [
{
"pattern-inside": "StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$SQLSTR\";\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
},
{
"pattern": "String.format(\"$SQLSTR\", ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
},
{
"pattern-not-inside": "System.out.$PRINTLN(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$EVENT"
},
{
"pattern-either": [
{
"pattern": "$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n"
},
{
"pattern": "$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.aws-lambda.security.tainted-sqli",
"languages": [
"java"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"sql",
"java",
"aws-lambda"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(java.sql.CallableStatement $STMT) = ...; \n"
},
{
"pattern": "(java.sql.Statement $STMT) = ...;\n"
},
{
"pattern": "(java.sql.PreparedStatement $STMT) = ...;\n"
},
{
"pattern": "$VAR = $CONN.prepareStatement(...)\n"
},
{
"pattern": "$PATH.queryForObject(...);\n"
},
{
"pattern": "(java.util.Map<String, Object> $STMT) = $PATH.queryForMap(...);\n"
},
{
"pattern": "(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n"
},
{
"patterns": [
{
"pattern-inside": "(String $SQL) = \"$SQLSTR\" + ...;\n...\n"
},
{
"pattern": "$PATH.$SQLCMD(..., $SQL, ...);"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)"
}
},
{
"metavariable-regex": {
"metavariable": "$SQLCMD",
"regex": "(execute|query|executeUpdate|batchUpdate)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$EVENT"
},
{
"pattern-either": [
{
"pattern": "$HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n"
},
{
"pattern": "$HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) {\n ...\n}\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.java-jwt.security.java-jwt-hardcoded-secret",
"languages": [
"java"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"secrets",
"jwt"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "(Algorithm $ALG) = $ALGO.$HMAC(\"$Y\");\n"
},
{
"pattern": "$SECRET = \"$Y\";\n...\n(Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n"
},
{
"pattern": "class $CLASS {\n ...\n $TYPE $SECRET = \"$Y\";\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n (Algorithm $ALG) = $ALGO.$HMAC($SECRET);\n ...\n }\n ...\n}\n"
}
]
},
{
"focus-metavariable": "$Y"
},
{
"metavariable-regex": {
"metavariable": "$HMAC",
"regex": "(HMAC384|HMAC256|HMAC512)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.java-jwt.security.java-jwt-none-alg",
"languages": [
"java"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"vuln"
],
"technology": [
"jwt"
]
},
"pattern-either": [
{
"pattern": "$JWT.sign(com.auth0.jwt.algorithms.Algorithm.none());\n"
},
{
"pattern": "$NONE = com.auth0.jwt.algorithms.Algorithm.none();\n...\n$JWT.sign($NONE);\n"
},
{
"pattern": "class $CLASS {\n ...\n $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none();\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n $JWT.sign($NONE);\n ...\n }\n ...\n}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.java-jwt.security.audit.java-jwt-decode-without-verify",
"languages": [
"java"
],
"message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"vuln"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern": "com.auth0.jwt.JWT.decode(...);\n"
},
{
"pattern-not-inside": "class $CLASS {\n ...\n $RETURNTYPE $FUNC (...) {\n ...\n $VERIFIER.verify(...);\n ...\n }\n}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.jax-rs.security.insecure-resteasy-deserialization",
"languages": [
"java"
],
"message": "When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://access.redhat.com/blogs/766093/posts/3162112"
],
"subcategory": [
"audit"
],
"technology": [
"jax-rs"
]
},
"pattern-either": [
{
"pattern": "@Consumes({\"application/x-java-serialized-object\"})\n"
},
{
"pattern": "@Consumes({\"*/*\"})\n"
},
{
"pattern": "@Consumes(\"*/*\")\n"
},
{
"pattern": "@Consumes({MediaType.WILDCARD_TYPE})\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.jax-rs.security.default-resteasy-provider-abuse",
"languages": [
"java"
],
"message": "When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://access.redhat.com/blogs/766093/posts/3162112"
],
"subcategory": [
"audit"
],
"technology": [
"jax-rs"
]
},
"patterns": [
{
"pattern": "@Path(\"...\")\npublic $RETURNTYPE $METHOD(...) { ...}\n"
},
{
"pattern-not-inside": "@GET\npublic $RETURNTYPE $METHOD(...) { ...}\n"
},
{
"pattern-not-inside": "@Path(\"...\")\n@Consumes(...)\npublic $RETURNTYPE $METHOD(...) { ...}\n"
},
{
"pattern-not-inside": "@Consumes(...)\npublic class $CLASSNAME { ... }\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.jax-rs.security.jax-rs-path-traversal",
"languages": [
"java"
],
"message": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.owasp.org/index.php/Path_Traversal"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN",
"subcategory": [
"vuln"
],
"technology": [
"jax-rs"
]
},
"pattern-either": [
{
"pattern": "$RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) {\n ...\n new File(..., $VAR, ...);\n ...\n}\n"
},
{
"pattern": "$RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) {\n ...\n new File(..., $VAR, ...);\n ...\n}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.jboss.security.seam-log-injection",
"languages": [
"java"
],
"message": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"jboss"
]
},
"patterns": [
{
"pattern": "$LOG.$INFO($X + $Y,...)\n"
},
{
"pattern-either": [
{
"pattern-inside": "import org.jboss.seam.log.Log;\n...\n"
},
{
"pattern-inside": "org.jboss.seam.log.Log $LOG = ...;\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$INFO",
"regex": "(debug|error|fatal|info|trace|warn)"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.jboss.security.find-sql-string-concatenation",
"languages": [
"java"
],
"message": "In $METHOD, $X is used to construct a SQL query via string concatenation.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"jboss"
]
},
"pattern-either": [
{
"pattern": "$RETURN $METHOD(...,String $X,...){\n ...\n Session $SESSION = ...;\n ...\n String $QUERY = ... + $X + ...;\n ...\n PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n ...\n ResultSet $RESULT = $PS.executeQuery();\n ...\n}\n"
},
{
"pattern": "$RETURN $METHOD(...,String $X,...){\n ...\n String $QUERY = ... + $X + ...;\n ...\n Session $SESSION = ...;\n ...\n PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);\n ...\n ResultSet $RESULT = $PS.executeQuery();\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.jjwt.security.jjwt-none-alg",
"languages": [
"java"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern": "io.jsonwebtoken.Jwts.builder();\n"
},
{
"pattern-not-inside": "$RETURNTYPE $FUNC(...) {\n ...\n $JWTS.signWith(...);\n ...\n}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.do-privileged-use",
"languages": [
"java"
],
"message": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-269: Improper Privilege Management"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html",
"https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation",
"http://phrack.org/papers/escaping_the_java_sandbox.html"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-inside": "import java.security.*;\n...\n"
},
{
"pattern-either": [
{
"pattern": "AccessController.doPrivileged(...);"
},
{
"pattern": "class $ACTION implements PrivilegedAction<Void> { ... }"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.httpservlet-path-traversal",
"languages": [
"java"
],
"message": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.owasp.org/index.php/Path_Traversal"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "org.apache.commons.io.FilenameUtils.getName(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(java.io.File $FILE) = ...\n"
},
{
"pattern": "(java.io.FileOutputStream $FOS) = ...\n"
},
{
"pattern": "new java.io.FileInputStream(...)\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(HttpServletRequest $REQ)\n"
},
{
"patterns": [
{
"pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n"
},
{
"pattern": "$COOKIE.getValue(...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...);\n...\n"
},
{
"pattern": "$PARAM = $VALS[$INDEX];\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.insecure-jms-deserialization",
"languages": [
"java"
],
"message": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.",
"metadata": {
"asvs": {
"control_id": "5.5.3 Insecue Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-inside": "public class $JMS_LISTENER implements MessageListener {\n ...\n public void onMessage(Message $JMS_MSG) {\n ...\n }\n}\n"
},
{
"pattern-either": [
{
"pattern-inside": "$X = $Y.getObject(...);"
},
{
"pattern-inside": "$X = ($Z) $Y.getObject(...);"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.jackson-unsafe-deserialization",
"languages": [
"java"
],
"message": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A8:2017 Insecure Deserialization",
"A8:2021 Software and Data Integrity Failures"
],
"references": [
"https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038",
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/"
],
"subcategory": [
"audit"
],
"technology": [
"jackson"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "ObjectMapper $OM = new ObjectMapper(...);\n...\n"
},
{
"pattern-inside": "$OM.enableDefaultTyping();\n...\n"
},
{
"pattern": "$OM.readValue($JSON, ...);"
}
]
},
{
"patterns": [
{
"pattern-inside": "class $CLASS {\n ...\n @JsonTypeInfo(use = Id.CLASS,...)\n $TYPE $VAR;\n ...\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "(Object|Serializable|Comparable)"
}
},
{
"pattern": "$OM.readValue($JSON, $CLASS.class);"
}
]
},
{
"patterns": [
{
"pattern-inside": "class $CLASS {\n ...\n ObjectMapper $OM;\n ...\n $INITMETHODTYPE $INITMETHOD(...) {\n ...\n $OM = new ObjectMapper();\n ...\n $OM.enableDefaultTyping();\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "$METHODTYPE $METHOD(...) {\n ... \n}\n"
},
{
"pattern": "$OM.readValue($JSON, ...);"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.servletresponse-writer-xss",
"languages": [
"java"
],
"message": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-inside": "$TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... }"
},
{
"pattern-inside": "$VAR = $REQ.getParameter(...); ..."
},
{
"pattern-either": [
{
"pattern": "$RESP.getWriter(...).write(..., $VAR, ...);"
},
{
"pattern": "$WRITER = $RESP.getWriter(...);\n...\n$WRITER.write(..., $VAR, ...);\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.use-snakeyaml-constructor",
"languages": [
"java"
],
"message": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability"
],
"subcategory": [
"audit"
],
"technology": [
"snakeyaml"
]
},
"patterns": [
{
"pattern": "$Y = new org.yaml.snakeyaml.Yaml();\n...\n$Y.load(...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.xmlinputfactory-external-entities-enabled",
"languages": [
"java"
],
"message": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(\"javax.xml.stream.isSupportingExternalEntities\", true);"
},
{
"pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);"
},
{
"pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(\"javax.xml.stream.isSupportingExternalEntities\", Boolean.TRUE);"
},
{
"pattern": "(javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.xmlinputfactory-possible-xxe",
"languages": [
"java"
],
"message": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf",
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", false);\n ...\n}\n"
},
{
"pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);\n ...\n}\n"
},
{
"pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", Boolean.FALSE);\n ...\n}\n"
},
{
"pattern-not-inside": "$METHOD(...) {\n ...\n $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern": "javax.xml.stream.XMLInputFactory.newFactory(...)"
},
{
"pattern": "new XMLInputFactory(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.anonymous-ldap-bind",
"languages": [
"java"
],
"message": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-287: Improper Authentication"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern": "$ENV.put($CTX.SECURITY_AUTHENTICATION, \"none\");\n...\n$DCTX = new InitialDirContext($ENV, ...);\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.bad-hexa-conversion",
"languages": [
"java"
],
"message": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-704: Incorrect Type Conversion or Cast"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://cwe.mitre.org/data/definitions/704.html"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern": "$X $METHOD(...) {\n ...\n MessageDigest $MD = ...;\n ...\n $MD.digest(...);\n ...\n Integer.toHexString(...);\n}",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.blowfish-insufficient-key-size",
"languages": [
"java"
],
"message": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "$KEYGEN = KeyGenerator.getInstance(\"Blowfish\");\n...\n$KEYGEN.init($SIZE);\n"
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 128",
"metavariable": "$SIZE"
}
}
],
"severity": "WARNING"
},
{
"fix": "\"AES/GCM/NoPadding\"\n",
"id": "vendored-rules.java.lang.security.audit.cbc-padding-oracle",
"languages": [
"java"
],
"message": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://capec.mitre.org/data/definitions/463.html",
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes",
"https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-inside": "Cipher.getInstance(\"=~/.*\\/CBC\\/PKCS5Padding/\")"
},
{
"pattern": "\"=~/.*\\/CBC\\/PKCS5Padding/\"\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.command-injection-formatted-runtime-call",
"languages": [
"java"
],
"message": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"metavariable-pattern": {
"metavariable": "$RUNTIME",
"patterns": [
{
"pattern-either": [
{
"pattern": "(java.lang.Runtime $R)"
},
{
"pattern": "java.lang.Runtime.getRuntime(...)"
}
]
}
]
}
},
{
"pattern-either": [
{
"pattern": "$RUNTIME.exec($X + $Y);"
},
{
"pattern": "$RUNTIME.exec(String.format(...));"
},
{
"pattern": "$RUNTIME.loadLibrary($X + $Y);"
},
{
"pattern": "$RUNTIME.loadLibrary(String.format(...));"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RUNTIME.exec(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $ARG,...)\n"
},
{
"pattern": "$RUNTIME.exec(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...),...)\n"
},
{
"pattern": "$RUNTIME.exec(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...},...)\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RUNTIME.exec($CMD,\"-c\",$ARG,...)\n"
},
{
"pattern": "$RUNTIME.exec(Arrays.asList($CMD,\"-c\",$ARG,...),...)\n"
},
{
"pattern": "$RUNTIME.exec(new String[]{$CMD,\"-c\",$ARG,...},...)\n"
}
]
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\";\n...\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RUNTIME.exec($CMD, $EXECUTE, $ARG, ...)\n"
}
]
},
{
"pattern-inside": "$CMD = new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", ...};\n...\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RUNTIME.exec(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", $BASH, $ARG,...)\n"
},
{
"pattern": "$RUNTIME.exec(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",$BASH,$ARG,...),...)\n"
},
{
"pattern": "$RUNTIME.exec(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",$BASH,$ARG,...},...)\n"
}
]
},
{
"pattern-inside": "$BASH = new String[]{\"=~/(-c)/\", ...};\n...\n"
}
]
}
]
},
{
"pattern-not-inside": "$ARG = \"...\";\n...\n"
},
{
"pattern-not": "$RUNTIME.exec(\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "$RUNTIME.exec(new String[]{\"...\",\"...\",\"...\",...},...)\n"
},
{
"pattern-not": "$RUNTIME.exec(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.command-injection-process-builder",
"languages": [
"java"
],
"message": "A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "new ProcessBuilder($CMD,...)\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n"
},
{
"pattern-not-inside": "$CMD = Arrays.asList(\"...\",...);\n...\n"
},
{
"pattern-not-inside": "$CMD = new String[]{\"...\",...};\n...\n"
},
{
"pattern-not": "new ProcessBuilder(\"...\",...)\n"
},
{
"pattern-not": "new ProcessBuilder(new String[]{\"...\",...},...)\n"
},
{
"pattern-not": "new ProcessBuilder(Arrays.asList(\"...\",...),...)\n"
}
]
},
{
"patterns": [
{
"pattern": "$PB.command($CMD,...)\n"
},
{
"pattern-inside": "$TYPE $PB = new ProcessBuilder(...);\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\";\n...\n"
},
{
"pattern-not-inside": "$CMD = Arrays.asList(\"...\",...);\n...\n"
},
{
"pattern-not-inside": "$CMD = new String[]{\"...\",...};\n...\n"
},
{
"pattern-not": "$PB.command(\"...\",...)\n"
},
{
"pattern-not": "$PB.command(new String[]{\"...\",...},...)\n"
},
{
"pattern-not": "$PB.command(Arrays.asList(\"...\",...),...)\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new ProcessBuilder(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...)\n"
},
{
"pattern": "new ProcessBuilder(\"cmd\",\"/c\",$ARG,...)\n"
},
{
"pattern": "new ProcessBuilder(Arrays.asList(\"cmd\",\"/c\",$ARG,...),...)\n"
},
{
"pattern": "new ProcessBuilder(new String[]{\"cmd\",\"/c\",$ARG,...},...)\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new ProcessBuilder($CMD,\"/c\",$ARG,...)\n"
},
{
"pattern": "new ProcessBuilder(Arrays.asList($CMD,\"/c\",$ARG,...),...)\n"
},
{
"pattern": "new ProcessBuilder(new String[]{$CMD,\"/c\",$ARG,...},...)\n"
}
]
},
{
"pattern-inside": "$CMD = \"cmd\";\n...\n"
}
]
}
]
},
{
"pattern-not-inside": "$ARG = \"...\";\n...\n"
},
{
"pattern-not": "new ProcessBuilder(\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "new ProcessBuilder(new String[]{\"...\",\"...\",\"...\",...},...)\n"
},
{
"pattern-not": "new ProcessBuilder(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$PB.command(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...)\n"
},
{
"pattern": "$PB.command(\"cmd\",\"/c\",$ARG,...)\n"
},
{
"pattern": "$PB.command(Arrays.asList(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...),...)\n"
},
{
"pattern": "$PB.command(Arrays.asList(\"cmd\",\"/c\",$ARG,...),...)\n"
},
{
"pattern": "$PB.command(new String[]{\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$ARG,...},...)\n"
},
{
"pattern": "$PB.command(new String[]{\"cmd\",\"/c\",$ARG,...},...)\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$PB.command($CMD,\"-c\",$ARG,...)\n"
},
{
"pattern": "$PB.command(Arrays.asList($CMD,\"-c\",$ARG,...),...)\n"
},
{
"pattern": "$PB.command(new String[]{$CMD,\"-c\",$ARG,...},...)\n"
}
]
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\";\n...\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$PB.command($CMD,\"/c\",$ARG,...)\n"
},
{
"pattern": "$PB.command(Arrays.asList($CMD,\"/c\",$ARG,...),...)\n"
},
{
"pattern": "$PB.command(new String[]{$CMD,\"/c\",$ARG,...},...)\n"
}
]
},
{
"pattern-inside": "$CMD = \"cmd\";\n...\n"
}
]
}
]
},
{
"pattern-inside": "$TYPE $PB = new ProcessBuilder(...);\n...\n"
},
{
"pattern-not-inside": "$ARG = \"...\";\n...\n"
},
{
"pattern-not": "$PB.command(\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "$PB.command(new String[]{\"...\",\"...\",\"...\",...},...)\n"
},
{
"pattern-not": "$PB.command(Arrays.asList(\"...\",\"...\",\"...\",...),...)\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.cookie-missing-httponly",
"languages": [
"java"
],
"message": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'",
"metadata": {
"asvs": {
"control_id": "3.4.2 Missing Cookie Attribute",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-not-inside": "$COOKIE.setValue(\"\"); ..."
},
{
"pattern-either": [
{
"pattern": "$COOKIE.setHttpOnly(false);"
},
{
"patterns": [
{
"pattern-not-inside": "$COOKIE.setHttpOnly(...); ..."
},
{
"pattern-not-inside": "$COOKIE = ResponseCookie.from(...). ...; ..."
},
{
"pattern": "$RESPONSE.addCookie($COOKIE);"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.cookie-missing-secure-flag",
"languages": [
"java"
],
"message": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'",
"metadata": {
"asvs": {
"control_id": "3.4.1 Missing Cookie Attribute",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-not-inside": "$COOKIE.setValue(\"\"); ..."
},
{
"pattern-either": [
{
"pattern": "$COOKIE.setSecure(false);"
},
{
"patterns": [
{
"pattern-not-inside": "$COOKIE.setSecure(...); ..."
},
{
"pattern-not-inside": "$COOKIE = ResponseCookie.from(...). ...; ..."
},
{
"pattern": "$RESPONSE.addCookie($COOKIE);"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crlf-injection-logs",
"languages": [
"java"
],
"message": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "class $CLASS {\n ...\n Logger $LOG = ...;\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern-inside": "$X $METHOD(...,HttpServletRequest $REQ,...) {\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...,ServletRequest $REQ,...) {\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n HttpServletRequest $REQ = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n ServletRequest $REQ = ...;\n ...\n}\n"
}
]
}
]
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n Logger $LOG = ...;\n ...\n HttpServletRequest $REQ = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n Logger $LOG = ...;\n ...\n ServletRequest $REQ = ...;\n ...\n}\n"
}
]
},
{
"pattern-either": [
{
"pattern": "String $VAL = $REQ.getParameter(...);\n...\n$LOG.$LEVEL(<... $VAL ...>);\n"
},
{
"pattern": "String $VAL = $REQ.getParameter(...);\n...\n$LOG.log($LEVEL,<... $VAL ...>);\n"
},
{
"pattern": "$LOG.$LEVEL(<... $REQ.getParameter(...) ...>);\n"
},
{
"pattern": "$LOG.log($LEVEL,<... $REQ.getParameter(...) ...>);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.dangerous-groovy-shell",
"languages": [
"java"
],
"message": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL",
"subcategory": [
"audit"
],
"technology": [
"groovy"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SHELL.parse(...)\n"
},
{
"pattern": "$SHELL.evaluate(...)\n"
},
{
"pattern": "$SHELL.parseClass(...)\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "groovy.lang.GroovyShell $SHELL = ...;\n...\n"
},
{
"pattern-inside": "groovy.lang.GroovyClassLoader $SHELL = ...;\n...\n"
}
]
},
{
"pattern-not": "$SHELL.parse(\"...\",...)\n"
},
{
"pattern-not": "$SHELL.evaluate(\"...\",...)\n"
},
{
"pattern-not": "$SHELL.parseClass(\"...\",...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.el-injection",
"languages": [
"java"
],
"message": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "class $CLASS {\n ...\n ExpressionFactory $EF;\n ...\n $X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n"
},
{
"pattern": "class $CLASS {\n ...\n ExpressionFactory $EF = ...;\n ...\n $X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ExpressionFactory $EF = ...;\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ExpressionFactory $EF,...) {\n ...\n $EF.createValueExpression($CTX,$INPUT,...);\n ...\n}\n"
},
{
"pattern": "class $CLASS {\n ...\n ExpressionFactory $EF;\n ...\n $X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n"
},
{
"pattern": "class $CLASS {\n ...\n ExpressionFactory $EF = ...;\n ...\n $X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n }\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ExpressionFactory $EF = ...;\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ExpressionFactory $EF,...) {\n ...\n $EF.createMethodExpression($CTX,$INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(String $INPUT, ...) {\n ...\n $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...);\n ...\n}\n"
}
]
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $EF.createValueExpression($CTX,\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $EF.createValueExpression($CTX,$S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $EF.createMethodExpression($CTX,\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $EF.createMethodExpression($CTX,$S,...);\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.formatted-sql-string",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"asvs": {
"control_id": "5.3.5 Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
"https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps",
"https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"options": {
"taint_assume_safe_booleans": true,
"taint_assume_safe_numbers": true
},
"pattern-propagators": [
{
"from": "$X",
"pattern": "(StringBuffer $S).append($X)",
"to": "$S"
},
{
"from": "$X",
"pattern": "(StringBuilder $S).append($X)",
"to": "$S"
}
],
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "(CriteriaBuilder $CB).$ANY(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-not": "$S.$SQLFUNC(<... \"=~/.*TABLE *$/\" ...>)"
},
{
"pattern-not": "$S.$SQLFUNC(<... \"=~/.*TABLE %s$/\" ...>)"
},
{
"pattern-either": [
{
"pattern": "(Statement $S).$SQLFUNC(...)"
},
{
"pattern": "(PreparedStatement $P).$SQLFUNC(...)"
},
{
"pattern": "(Connection $C).createStatement(...).$SQLFUNC(...)"
},
{
"pattern": "(Connection $C).prepareStatement(...).$SQLFUNC(...)"
},
{
"pattern": "(EntityManager $EM).$SQLFUNC(...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLFUNC",
"regex": "execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare"
}
}
],
"requires": "CONCAT"
}
],
"pattern-sources": [
{
"label": "INPUT",
"patterns": [
{
"pattern-either": [
{
"pattern": "(HttpServletRequest $REQ)\n"
},
{
"patterns": [
{
"pattern-inside": "$ANNOT $FUNC (..., $INPUT, ...) {\n ...\n}\n"
},
{
"pattern": "(String $INPUT)"
}
]
}
]
},
{
"focus-metavariable": "$INPUT"
}
]
},
{
"label": "CONCAT",
"patterns": [
{
"pattern-either": [
{
"pattern": "$X + $INPUT"
},
{
"pattern": "$X += $INPUT"
},
{
"pattern": "$STRB.append($INPUT)"
},
{
"pattern": "String.format(..., $INPUT, ...)"
},
{
"pattern": "String.join(..., $INPUT, ...)"
},
{
"pattern": "(String $STR).concat($INPUT)"
},
{
"pattern": "$INPUT.concat(...)"
},
{
"pattern": "new $STRB(..., $INPUT, ...)"
}
]
}
],
"requires": "INPUT"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.http-response-splitting",
"languages": [
"java"
],
"message": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.owasp.org/index.php/HTTP_Response_Splitting"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "$VAR = $REQ.getParameter(...);\n...\n$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n"
},
{
"patterns": [
{
"pattern-inside": "$RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {\n ...\n}\n"
},
{
"pattern": "$COOKIE = new Cookie(..., $VAR, ...);\n...\n$RESP.addCookie($COOKIE, ...);\n"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.java.lang.security.audit.insecure-smtp-connection",
"languages": [
"java"
],
"message": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-297: Improper Validation of Certificate with Host Mismatch"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-not-inside": "$EMAIL.setSSLCheckServerIdentity(true);\n...\n"
},
{
"pattern-inside": "$EMAIL = new SimpleEmail(...);\n...\n"
},
{
"pattern": "$EMAIL.send(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.java-reverse-shell",
"languages": [
"java"
],
"message": "Semgrep found potential reverse shell behavior",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "Socket $S=new Socket(...);\n...\nInputStream $SI = $S.getInputStream();\n...\nwhile(!$S.isClosed())\n{\n ...\n while($SI.available()>0)$PO.write($SI.read());\n ...\n $SO.flush();\n ...\n}\n"
}
]
},
{
"pattern-inside": "Process $P=new ProcessBuilder(...).redirectErrorStream(true).start();\n...\n$P.destroy();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.jdbc-sql-formatted-string",
"languages": [
"java"
],
"message": "Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'",
"metadata": {
"asvs": {
"control_id": "5.3.5 Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC",
"subcategory": [
"audit"
],
"technology": [
"jdbc"
]
},
"patterns": [
{
"pattern-inside": "$JDBC = new JdbcTemplate(...);\n...\n"
},
{
"pattern-either": [
{
"pattern": "$JDBC.queryForObject($STR + $VAR, ...);"
},
{
"pattern": "$JDBC.queryForObject(String.format(...), ...);"
},
{
"pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.queryForObject($Q, ...);\n"
},
{
"pattern": "String $Q = String.format(...);\n...\n$JDBC.queryForObject($Q, ...);\n"
},
{
"pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.queryForObject($Q, ...);\n"
},
{
"pattern": "$JDBC.queryForList($STR + $VAR);"
},
{
"pattern": "$JDBC.queryForList(String.format(...));"
},
{
"pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.queryForList($Q);\n"
},
{
"pattern": "String $Q = String.format(...);\n...\n$JDBC.queryForList($Q);\n"
},
{
"pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.queryForList($Q, ...);\n"
},
{
"pattern": "$JDBC.update($STR + $VAR);"
},
{
"pattern": "$JDBC.update(String.format(...));"
},
{
"pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.update($Q);\n"
},
{
"pattern": "String $Q = String.format(...);\n...\n$JDBC.update($Q);\n"
},
{
"pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.update($Q, ...);\n"
},
{
"pattern": "$JDBC.execute($STR + $VAR);"
},
{
"pattern": "$JDBC.execute(String.format(...));"
},
{
"pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.execute($Q);\n"
},
{
"pattern": "String $Q = String.format(...);\n...\n$JDBC.execute($Q);\n"
},
{
"pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.execute($Q, ...);\n"
},
{
"pattern": "$JDBC.insert($STR + $VAR);"
},
{
"pattern": "$JDBC.insert(String.format(...));"
},
{
"pattern": "String $Q = $STR + $VAR;\n...\n$JDBC.insert($Q);\n"
},
{
"pattern": "String $Q = String.format(...);\n...\n$JDBC.insert($Q);\n"
},
{
"pattern": "StringBuilder $Q = new StringBuilder(...);\n...\n$Q.append($STR + $VAR);\n...\n$JDBC.insert($Q, ...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.ldap-entry-poisoning",
"languages": [
"java"
],
"message": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.",
"metadata": {
"asvs": {
"control_id": "5.3.7 Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf",
"https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "new SearchControls($S, $CL, $TL, $AT, true, $DEREF)\n"
},
{
"pattern": "SearchControls $VAR = new SearchControls();\n...\n$VAR.setReturningObjFlag(true);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.ldap-injection",
"languages": [
"java"
],
"message": "Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.",
"metadata": {
"asvs": {
"control_id": "5.3.7 Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$X $METHOD(...) {\n ...\n InitialDirContext $CTX = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n DirContext $CTX = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n InitialLdapContext $CTX = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n LdapContext $CTX = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n LdapCtx $CTX = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n EventDirContext $CTX = ...;\n ...\n}\n"
}
]
},
{
"pattern": "$X $METHOD(...) {\n ...\n $CTX.search($Y,$INPUT,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $CTX.search($Y,\"...\",...);\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.md5-used-as-password",
"languages": [
"java"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html",
"https://github.com/returntocorp/semgrep-rules/issues/1609",
"https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory",
"https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"md5"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$MODEL.$METHOD(...);"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "$TYPE $MD = MessageDigest.getInstance(\"MD5\");\n...\n"
},
{
"pattern": "$MD.digest(...);"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.object-deserialization",
"languages": [
"java"
],
"message": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://www.owasp.org/index.php/Deserialization_of_untrusted_data",
"https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern": "new ObjectInputStream(...);",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.ognl-injection",
"languages": [
"java"
],
"message": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"ognl"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlReflectionProvider $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ReflectionProvider $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.translateVariablesCollection($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.shallBeIncluded($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,TextParseUtil $P,...) {\n ...\n $P.commaDelimitedStringToSet($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,TextParser $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlTextParser $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.callMethod($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlUtil $P,...) {\n ...\n $P.compile($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,VelocityStrutsUtil $P,...) {\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.isTrue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.findString($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.getText($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,StrutsUtil $P,...) {\n ...\n $P.makeSelectList($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,OgnlTool $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.findString($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ValueStack $P,...) {\n ...\n $P.setParameter($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlReflectionProvider $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getGetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getSetMethod($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getField($T, $INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ReflectionProvider $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.translateVariablesCollection($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.shallBeIncluded($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n TextParseUtil $P = ...;\n ...\n $P.commaDelimitedStringToSet($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n TextParser $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlTextParser $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setProperties($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setProperty($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.getValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.callMethod($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlUtil $P = ...;\n ...\n $P.compile($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n VelocityStrutsUtil $P = ...;\n ...\n $P.evaluate($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.isTrue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.findString($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.getText($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.translateVariables($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n StrutsUtil $P = ...;\n ...\n $P.makeSelectList($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n OgnlTool $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.findString($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.findValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.setValue($INPUT,...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n ValueStack $P = ...;\n ...\n $P.setParameter($INPUT,...);\n ...\n}\n"
}
]
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.getGetMethod($T,\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.getSetMethod($T,\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.getField($T,\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.setProperties(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.setProperty(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.getValue(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.setValue(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.translateVariables(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.translateVariablesCollection(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.shallBeIncluded(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.commaDelimitedStringToSet(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.evaluate(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.callMethod(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.compile(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.isTrue(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.findString(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.findValue(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.getText(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.makeSelectList(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $P.setParameter(\"...\",...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getGetMethod($T,$S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getSetMethod($T,$S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getField($T,$S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setProperties($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setProperty($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getValue($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setValue($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.translateVariables($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.translateVariablesCollection($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.shallBeIncluded($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.commaDelimitedStringToSet($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.evaluate($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.callMethod($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.compile($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.isTrue($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.findString($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.findValue($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.getText($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.makeSelectList($S,...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $P.setParameter($S,...);\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.overly-permissive-file-permission",
"languages": [
"java"
],
"message": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-276: Incorrect Default Permissions"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString(\"=~/(^......r..$)|(^.......w.$)|(^........x$)/\"));"
},
{
"pattern": "$TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString(\"=~/(^......r..$)|(^.......w.$)|(^........x$)/\");\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n"
},
{
"pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n"
},
{
"pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);\n"
},
{
"pattern": "$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE);\n...\njava.nio.file.Files.setPosixFilePermissions($FILE, $P);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.permissive-cors",
"languages": [
"java"
],
"message": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.",
"metadata": {
"asvs": {
"control_id": "14.4.8 Permissive CORS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements",
"section": "V14: Configuration Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-183: Permissive List of Allowed Inputs"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "HttpServletResponse $RES = ...;\n...\n$RES.addHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n"
},
{
"pattern": "HttpServletResponse $RES = ...;\n...\n$RES.setHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n"
},
{
"pattern": "ServerHttpResponse $RES = ...;\n...\n$RES.getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n"
},
{
"pattern": "HttpHeaders $HEADERS = ...;\n...\n$HEADERS.set(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n"
},
{
"pattern": "ServerWebExchange $SWE = ...;\n...\n$SWE.getResponse().getHeaders().add(\"Access-Control-Allow-Origin\", \"*\");\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.setHeader(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ServerHttpResponse $RES,...) {\n ...\n $RES.getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,ServerWebExchange $SWE,...) {\n ...\n $SWE.getResponse().getHeaders().add(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\");\n ...\n}\n"
},
{
"pattern": "ResponseEntity.$RES().header(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\")"
},
{
"pattern": "ServerResponse.$RES().header(\"=~/access-control-allow-origin/i\", \"=~/^\\*|null$/i\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.script-engine-injection",
"languages": [
"java"
],
"message": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $CLASS {\n ...\n ScriptEngine $SE;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n ScriptEngine $SE = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n ScriptEngine $SE = ...;\n ...\n}\n"
}
]
},
{
"pattern": "$X $METHOD(...) {\n ...\n $SE.eval(...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $SE.eval(\"...\");\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $SE.eval($S);\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.tainted-cmd-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(ProcessBuilder $PB) = ...;\n"
},
{
"patterns": [
{
"pattern": "(Process $P) = ...;\n"
},
{
"pattern-not": "(Process $P) = (java.lang.Runtime $R).exec(...);\n"
}
]
},
{
"patterns": [
{
"pattern": "(java.lang.Runtime $R).exec($CMD, ...);"
},
{
"focus-metavariable": "$CMD"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n...\n$PB.command($ARGLIST);\n"
},
{
"pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n"
},
{
"pattern-inside": "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(Process $P) = ...;\n"
}
]
},
{
"pattern": "$ARGLIST.add(...);\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(HttpServletRequest $REQ)\n"
},
{
"patterns": [
{
"pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n"
},
{
"pattern": "$COOKIE.getValue(...)\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.tainted-env-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-454: External Initialization of Trusted Variables or Data Stores"
],
"cwe2021-top25": false,
"cwe2022-top25": false,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "(java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);"
},
{
"focus-metavariable": "$ENV_ARGS"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(HttpServletRequest $REQ)\n"
},
{
"patterns": [
{
"pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n"
},
{
"pattern": "$COOKIE.getValue(...)\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.tainted-ldapi-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(javax.naming.directory.InitialDirContext $IDC).search(...)\n"
},
{
"pattern": "(javax.naming.directory.DirContext $CTX).search(...)\n"
}
]
},
{
"pattern-not": "(javax.naming.directory.InitialDirContext $IDC).search($Y, \"...\", ...)\n"
},
{
"pattern-not": "(javax.naming.directory.DirContext $CTX).search($Y, \"...\", ...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "(HttpServletRequest $REQ)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.tainted-session-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-501: Trust Boundary Violation"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "(HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE);"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "^(putValue|setAttribute)$"
}
},
{
"focus-metavariable": "$VALUE"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "(HttpServletRequest $REQ).$FUNC(...)\n"
},
{
"pattern-not": "(HttpServletRequest $REQ).getSession()\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);\n...\nfor (javax.servlet.http.Cookie $COOKIE: $COOKIES) {\n ...\n}\n"
},
{
"pattern": "$COOKIE.getValue(...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... );\n...\n"
},
{
"pattern": "$PARAM = $VALS[$INDEX];\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$HEADERS = (HttpServletRequest $REQ).getHeaders(...);\n...\n$PARAM = $HEADERS.$FUNC(...);\n...\n"
},
{
"pattern": "java.net.URLDecoder.decode($PARAM, ...)\n"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.tainted-xpath-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(javax.xml.xpath.XPath $XP).evaluate(...)\n"
},
{
"pattern": "(javax.xml.xpath.XPath $XP).compile(...).evaluate(...)\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "(HttpServletRequest $REQ).$FUNC(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.unsafe-reflection",
"languages": [
"java"
],
"message": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "Class.forName($CLASS,...)\n"
},
{
"pattern-not": "Class.forName(\"...\",...)\n"
},
{
"pattern-not-inside": "$CLASS = \"...\";\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.unvalidated-redirect",
"languages": [
"java"
],
"message": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.",
"metadata": {
"asvs": {
"control_id": "5.1.5 Open Redirect",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n ...\n $RES.sendRedirect($URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n ...\n $RES.sendRedirect($URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.sendRedirect($URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.sendRedirect($URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.sendRedirect($URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n $RES.sendRedirect($REQ.getParameter(...));\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n $RES.sendRedirect($REQ.getParameter(...));\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n String $URL = $REQ.getParameter(...);\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.addHeader(\"Location\",$URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {\n ...\n $RES.addHeader(\"Location\",$REQ.getParameter(...));\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {\n ...\n $RES.addHeader(\"Location\",$REQ.getParameter(...));\n ...\n}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.url-rewriting",
"languages": [
"java"
],
"message": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeURL(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeUrl(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeRedirectURL(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,HttpServletResponse $RES,...) {\n ...\n $RES.encodeRedirectUrl(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeURL(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeUrl(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeRedirectURL(...);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...) {\n ...\n HttpServletResponse $RES = ...;\n ...\n $RES.encodeRedirectUrl(...);\n ...\n}"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*?)\\.getInstance\\(.*?\\)",
"replacement": "\\1.getInstance(\"TLSv1.2\")"
},
"id": "vendored-rules.java.lang.security.audit.weak-ssl-context",
"languages": [
"java"
],
"message": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc7568",
"https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html"
],
"source_rule_url": "https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-not": "SSLContext.getInstance(\"TLSv1.3\")"
},
{
"pattern-not": "SSLContext.getInstance(\"TLSv1.2\")"
},
{
"pattern": "SSLContext.getInstance(\"...\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xml-decoder",
"languages": [
"java"
],
"message": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XML_DECODER",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "$X $METHOD(...) {\n ...\n new XMLDecoder(...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n new XMLDecoder(\"...\");\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $STR = \"...\";\n ...\n new XMLDecoder($STR);\n ...\n}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xssrequestwrapper-is-insecure",
"languages": [
"java"
],
"message": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "class XSSRequestWrapper extends HttpServletRequestWrapper {\n ...\n}\n"
},
{
"pattern": "$P = $X.compile(\"</script>\", $X.CASE_INSENSITIVE);\n$V = $P.matcher(...).replaceAll(\"\");"
}
],
"severity": "WARNING"
},
{
"fix": "\"AES/GCM/NoPadding\"\n",
"id": "vendored-rules.java.lang.security.audit.crypto.des-is-deprecated",
"languages": [
"java",
"kt"
],
"message": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard",
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#DES_USAGE",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CIPHER.getInstance(\"=~/DES/.*/\")"
},
{
"pattern-inside": "$CIPHER.getInstance(\"DES\")"
}
]
},
{
"pattern-either": [
{
"pattern": "\"=~/DES/.*/\"\n"
},
{
"pattern": "\"DES\"\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.desede-is-deprecated",
"languages": [
"java",
"kt"
],
"message": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$CIPHER.getInstance(\"=~/DESede.*/\")\n"
},
{
"pattern": "$CRYPTO.KeyGenerator.getInstance(\"DES\")\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.ecb-cipher",
"languages": [
"java"
],
"message": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::mode::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "Cipher $VAR = $CIPHER.getInstance($MODE);\n"
},
{
"metavariable-regex": {
"metavariable": "$MODE",
"regex": ".*ECB.*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.gcm-detection",
"languages": [
"java"
],
"message": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption"
],
"functional-categories": [
"crypto::search::randomness::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/323.html"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$METHOD.getInstance(\"AES/GCM/NoPadding\",...);"
},
{
"pattern": "new GCMParameterSpec(...);"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.gcm-nonce-reuse",
"languages": [
"java"
],
"message": "GCM IV/nonce is reused: encryption can be totally useless",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption"
],
"functional-categories": [
"crypto::search::randomness::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://www.youtube.com/watch?v=r1awgAl90wM",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "new GCMParameterSpec(..., \"...\".getBytes(...), ...);"
},
{
"pattern": "byte[] $NONCE = \"...\".getBytes(...); ... new GCMParameterSpec(..., $NONCE, ...);"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.no-null-cipher",
"languages": [
"java"
],
"message": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "new NullCipher(...);"
},
{
"pattern": "new javax.crypto.NullCipher(...);"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.no-static-initialization-vector",
"languages": [
"java"
],
"message": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-329: Generation of Predictable IV with CBC Mode"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/329.html"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#STATIC_IV",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "byte[] $IV = {\n ...\n};\n...\nnew IvParameterSpec($IV, ...);\n"
},
{
"pattern": "class $CLASS {\n byte[] $IV = {\n ...\n };\n ...\n $METHOD(...) {\n ...\n new IvParameterSpec($IV, ...);\n ...\n }\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.rsa-no-padding",
"languages": [
"java",
"kt"
],
"message": "Using RSA without OAEP mode weakens the encryption.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::mode::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING",
"subcategory": [
"vuln"
],
"technology": [
"java",
"kotlin"
]
},
"pattern": "$CIPHER.getInstance(\"=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/\")",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.unencrypted-socket",
"languages": [
"java"
],
"message": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"functional-categories": [
"net::search::crypto-config::java.net"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "new ServerSocket(...)"
},
{
"pattern": "new Socket(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-aes-ecb",
"languages": [
"java"
],
"message": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::mode::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures",
"https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern": "$CIPHER.getInstance(\"=~/AES/ECB.*/\")",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-blowfish",
"languages": [
"java"
],
"message": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures",
"https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern": "$CIPHER.getInstance(\"Blowfish\")",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-default-aes",
"languages": [
"java"
],
"message": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::mode::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures",
"https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import javax;\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "javax.crypto.Cipher.getInstance(\"AES\")"
},
{
"pattern": "(javax.crypto.Cipher $CIPHER).getInstance(\"AES\")"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import javax.*;\n...\n"
},
{
"pattern-inside": "import javax.crypto;\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "crypto.Cipher.getInstance(\"AES\")"
},
{
"pattern": "(crypto.Cipher $CIPHER).getInstance(\"AES\")"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import javax.crypto.*;\n...\n"
},
{
"pattern-inside": "import javax.crypto.Cipher;\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "Cipher.getInstance(\"AES\")"
},
{
"pattern": "(Cipher $CIPHER).getInstance(\"AES\")"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix": "getSha512Digest\n",
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-md5-digest-utils",
"languages": [
"java"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"functional-categories": [
"crypto::search::hash-algorithm::org.apache.commons"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "$DU.$GET_ALGO().digest(...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$GET_ALGO",
"pattern": "getMd5Digest"
}
},
{
"metavariable-pattern": {
"metavariable": "$DU",
"pattern": "DigestUtils"
}
},
{
"focus-metavariable": "$GET_ALGO"
}
],
"severity": "WARNING"
},
{
"fix": "\"SHA-512\"\n",
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-md5",
"languages": [
"java"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"functional-categories": [
"crypto::search::hash-algorithm::java.security"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "java.security.MessageDigest.getInstance($ALGO, ...);\n"
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": "(.MD5.)"
}
},
{
"focus-metavariable": "$ALGO"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-rc2",
"languages": [
"java"
],
"message": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures",
"https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern": "$CIPHER.getInstance(\"RC2\")",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-rc4",
"languages": [
"java"
],
"message": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures",
"https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern": "$CIPHER.getInstance(\"RC4\")",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-sha1",
"languages": [
"java"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"functional-categories": [
"crypto::search::hash-algorithm::javax.crypto"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "java.security.MessageDigest.getInstance(\"$ALGO\", ...);\n"
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": "(SHA1|SHA-1)"
}
}
]
},
{
"pattern": "$DU.getSha1Digest().digest(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.weak-random",
"languages": [
"java"
],
"message": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-330: Use of Insufficiently Random Values"
],
"functional-categories": [
"crypto::search::randomness::java.security"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "new java.util.Random(...).$FUNC(...)\n"
},
{
"pattern": "java.lang.Math.random(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.use-of-weak-rsa-key",
"languages": [
"java"
],
"message": "RSA keys should be at least 2048 bits based on NIST recommendation.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::java.security"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE",
"subcategory": [
"vuln"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern": "KeyPairGenerator $KEY = $G.getInstance(\"RSA\");\n...\n$KEY.initialize($BITS);\n"
},
{
"metavariable-comparison": {
"comparison": "$BITS < 2048",
"metavariable": "$BITS"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests",
"languages": [
"java"
],
"message": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");",
"metadata": {
"asvs": {
"control_id": "6.2.2 Insecure Custom Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern": "class $CLASS extends MessageDigest {\n ...\n}",
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "DefaultHttpClient",
"replacement": "HttpClientBuilder"
},
"id": "vendored-rules.java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated",
"languages": [
"java"
],
"message": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.",
"metadata": {
"asvs": {
"control_id": "9.1.3 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern": "new DefaultHttpClient(...);",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.ssl.insecure-hostname-verifier",
"languages": [
"java"
],
"message": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.",
"metadata": {
"asvs": {
"control_id": "9.2.1 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"pattern": "class $CLASS implements HostnameVerifier {\n ...\n public boolean verify(...) { return true; }\n}\n"
},
{
"pattern": "new HostnameVerifier(...){\n public boolean verify(...) {\n return true;\n }\n}"
},
{
"pattern": "import org.apache.http.conn.ssl.NoopHostnameVerifier;"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.crypto.ssl.insecure-trust-manager",
"languages": [
"java"
],
"message": "Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.",
"metadata": {
"asvs": {
"control_id": "9.2.1 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER",
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $CLASS implements X509TrustManager {\n ...\n}\n"
},
{
"pattern-inside": "new X509TrustManager() {\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS implements X509ExtendedTrustManager {\n ...\n}\n"
},
{
"pattern-inside": "new X509ExtendedTrustManager() {\n ...\n}\n"
}
]
},
{
"pattern-not": "public void checkClientTrusted(...) { $SOMETHING; }"
},
{
"pattern-not": "public void checkServerTrusted(...) { $SOMETHING; }"
},
{
"pattern-either": [
{
"pattern": "public void checkClientTrusted(...) {}"
},
{
"pattern": "public void checkServerTrusted(...) {}"
},
{
"pattern": "public X509Certificate[] getAcceptedIssuers(...) { return null; }"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.hibernate-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"asvs": {
"control_id": "5.3.5 Insecure Custom Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE",
"subcategory": [
"audit"
],
"technology": [
"hibernate"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "org.hibernate.criterion.Restrictions.sqlRestriction($SQL,...)"
}
]
},
{
"pattern": "org.hibernate.criterion.Restrictions.sqlRestriction(String.format(...),...)"
},
{
"patterns": [
{
"pattern": "org.hibernate.criterion.Restrictions.sqlRestriction($X + $Y,...)"
},
{
"pattern-not": "org.hibernate.criterion.Restrictions.sqlRestriction(\"...\" + \"...\",...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$SESSION.$METHOD($SQL,...)"
}
]
},
{
"pattern": "$SESSION.$METHOD(String.format(...),...);\n"
},
{
"pattern": "$SESSION.$METHOD($X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "org.hibernate.Session $SESSION = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,org.hibernate.Session $SESSION,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$SESSION.$METHOD(\"...\" + \"...\",...);\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(createQuery|createSQLQuery)$"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.jdbc-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"jdbc"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$S.$METHOD($SQL,...)"
}
]
},
{
"pattern": "$S.$METHOD(String.format(...),...);\n"
},
{
"pattern": "$S.$METHOD($X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "java.sql.Statement $S = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,java.sql.Statement $S,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$S.$METHOD(\"...\" + \"...\",...);\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(executeQuery|execute|executeUpdate|executeLargeUpdate|addBatch|nativeSQL)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.jdo-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"java"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$Q.$METHOD($SQL,...)"
}
]
},
{
"pattern": "$Q.$METHOD(String.format(...),...);\n"
},
{
"pattern": "$Q.$METHOD($X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "javax.jdo.Query $Q = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,javax.jdo.Query $Q,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$Q.$METHOD(\"...\" + \"...\",...);\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(setFilter|setGrouping)$"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$PM.newQuery(...,$SQL,...)"
}
]
},
{
"pattern": "$PM.newQuery(...,String.format(...),...);\n"
},
{
"pattern": "$PM.newQuery(...,$X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "javax.jdo.PersistenceManager $PM = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,javax.jdo.PersistenceManager $PM,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$PM.newQuery(...,\"...\" + \"...\",...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.jpa-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"jpa"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$EM.$METHOD($SQL,...)"
}
]
},
{
"pattern": "$EM.$METHOD(String.format(...),...);\n"
},
{
"pattern": "$EM.$METHOD($X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "EntityManager $EM = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,EntityManager $EM,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$EM.$METHOD(\"...\" + \"...\",...);\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(createQuery|createNativeQuery)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.tainted-sql-from-http-request",
"languages": [
"java"
],
"message": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"sql",
"java",
"servlets",
"spring"
]
},
"mode": "taint",
"options": {
"taint_assume_safe_booleans": true,
"taint_assume_safe_numbers": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(java.sql.CallableStatement $STMT) = ...; \n"
},
{
"pattern": "(java.sql.Statement $STMT) = ...;\n...\n$OUTPUT = $STMT.$FUNC(...);\n"
},
{
"pattern": "(java.sql.PreparedStatement $STMT) = ...;\n"
},
{
"pattern": "$VAR = $CONN.prepareStatement(...)\n"
},
{
"pattern": "$PATH.queryForObject(...);\n"
},
{
"pattern": "(java.util.Map<String, Object> $STMT) = $PATH.queryForMap(...);\n"
},
{
"pattern": "(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;\n"
},
{
"pattern": "(org.springframework.jdbc.core.JdbcTemplate $TEMPL).batchUpdate(...)\n"
},
{
"patterns": [
{
"pattern-inside": "(String $SQL) = \"$SQLSTR\" + ...;\n...\n"
},
{
"pattern": "$PATH.$SQLCMD(..., $SQL, ...);"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)"
}
},
{
"metavariable-regex": {
"metavariable": "$SQLCMD",
"regex": "(execute|query|executeUpdate|batchUpdate)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(HttpServletRequest $REQ).$REQFUNC(...)\n"
},
{
"pattern": "(ServletRequest $REQ).$REQFUNC(...) \n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$REQFUNC",
"regex": "(getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString)"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.turbine-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"turbine"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$PEER.executeQuery($SQL,...)"
}
]
},
{
"pattern": "$PEER.executeQuery(String.format(...),...)\n"
},
{
"pattern": "$PEER.executeQuery($X + $Y,...)\n"
}
]
},
{
"pattern-not": "$PEER.executeQuery(\"...\" + \"...\",...)\n"
},
{
"metavariable-regex": {
"metavariable": "$PEER",
"regex": "(BasePeer|GroupPeer)"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$P.executeQuery($SQL,...)"
}
]
},
{
"pattern": "$P.executeQuery(String.format(...),...)\n"
},
{
"pattern": "$P.executeQuery($X + $Y,...)\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "BasePeer $P = ...;\n...\n"
},
{
"pattern-inside": "GroupPeer $P = ...;\n...\n"
},
{
"pattern-inside": "$VAL $FUNC(...,GroupPeer $P,...) {\n ...\n}\n"
},
{
"pattern-inside": "$VAL $FUNC(...,BasePeer $P,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$P.executeQuery(\"...\" + \"...\",...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.sqli.vertx-sqli",
"languages": [
"java"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"vertx"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "String $SQL = $X + $Y;\n...\n"
},
{
"pattern-inside": "String $SQL = String.format(...);\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,String $SQL,...) {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "String $SQL = \"...\" + \"...\";\n...\n"
},
{
"pattern": "$SC.$METHOD($SQL,...)"
}
]
},
{
"pattern": "$SC.$METHOD(String.format(...),...);\n"
},
{
"pattern": "$SC.$METHOD($X + $Y,...);\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "SqlClient $SC = ...;\n...\n"
},
{
"pattern-inside": "SqlConnection $SC = ...;\n...\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,SqlClient $SC,...) {\n ...\n}\n"
},
{
"pattern-inside": "$TYPE $FUNC(...,SqlConnection $SC,...) {\n ...\n}\n"
}
]
},
{
"pattern-not": "$SC.$METHOD(\"...\" + \"...\",...);\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(query|preparedQuery|prepare)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xss.jsf.autoescape-disabled",
"languages": [
"regex"
],
"message": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A07:2017 - Cross-Site Scripting (XSS)",
"references": [
"https://stackoverflow.com/a/7442668"
],
"subcategory": [
"audit"
],
"technology": [
"jsf"
]
},
"paths": {
"include": [
"*.html",
"*.xhtml"
]
},
"pattern-regex": ".*escape.*?=.*?false.*",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xss.jsp.no-scriptlets",
"languages": [
"regex"
],
"message": "JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/a/3180202",
"https://stackoverflow.com/a/4948856"
],
"subcategory": [
"audit"
],
"technology": [
"jsp"
]
},
"paths": {
"include": [
"*.jsp"
]
},
"pattern-regex": "\\<\\%[^\\@].*",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xss.jsp.use-escapexml",
"languages": [
"regex"
],
"message": "Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm",
"https://stackoverflow.com/a/4948856",
"https://stackoverflow.com/a/3180202"
],
"subcategory": [
"audit"
],
"technology": [
"jsp"
]
},
"paths": {
"include": [
"*.jsp"
]
},
"pattern-regex": "\\$\\{(?!.*escapeXml).*\\}",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xss.jsp.use-jstl-escaping",
"languages": [
"regex"
],
"message": "Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm",
"https://stackoverflow.com/a/4948856",
"https://stackoverflow.com/a/3180202"
],
"subcategory": [
"audit"
],
"technology": [
"jsp"
]
},
"paths": {
"include": [
"*.jsp"
]
},
"pattern-regex": "<(?![A-Za-z0-9]+:out).*?\\$\\{.*?\\}.*>",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false",
"languages": [
"java"
],
"message": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor",
"https://xerces.apache.org/xerces2-j/features.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"patterns": [
{
"pattern": "$DBFACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", false);"
},
{
"pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n}\n"
},
{
"pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $DBF.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n}\n"
},
{
"pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n ...\n}\n"
},
{
"pattern-not-inside": "$RETURNTYPE $METHOD(...){\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\");\n ...\n $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"fix": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newDocumentBuilder();\n",
"id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing",
"languages": [
"java"
],
"message": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor",
"https://xerces.apache.org/xerces2-j/features.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"by-side-effect": true,
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n"
},
{
"pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n"
},
{
"pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n"
}
]
},
{
"focus-metavariable": "$FACTORY"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n true);\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n ...\n }\n ...\n}\n"
}
]
},
{
"pattern": "$M($X)"
},
{
"focus-metavariable": "$X"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FACTORY.newDocumentBuilder();"
}
]
}
],
"pattern-sources": [
{
"by-side-effect": true,
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY = DocumentBuilderFactory.newInstance();\n"
},
{
"patterns": [
{
"pattern": "$FACTORY"
},
{
"pattern-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = DocumentBuilderFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"fix": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);",
"id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true",
"languages": [
"java"
],
"message": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"pattern": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", true);",
"severity": "ERROR"
},
{
"fix": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);",
"id": "vendored-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true",
"languages": [
"java"
],
"message": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"pattern": "$DBFACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", true);",
"severity": "ERROR"
},
{
"fix": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n$FACTORY.newSAXParser();\n",
"id": "vendored-rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing",
"languages": [
"java"
],
"message": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor",
"https://xerces.apache.org/xerces2-j/features.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"by-side-effect": true,
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n"
},
{
"pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n"
},
{
"pattern": "$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n...\n$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n"
}
]
},
{
"focus-metavariable": "$FACTORY"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\",\n true);\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\",false);\n ...\n }\n ...\n}\n"
}
]
},
{
"pattern": "$M($X)"
},
{
"focus-metavariable": "$X"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FACTORY.newSAXParser();"
}
]
}
],
"pattern-sources": [
{
"by-side-effect": true,
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY = SAXParserFactory.newInstance();\n"
},
{
"patterns": [
{
"pattern": "$FACTORY"
},
{
"pattern-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = SAXParserFactory.newInstance();\n static {\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n ...\n $FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n ...\n }\n ...\n}\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"fix": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"); $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n$FACTORY.newTransformer(...);\n",
"id": "vendored-rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled",
"languages": [
"java"
],
"message": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://semgrep.dev/blog/2022/xml-security-in-java",
"https://semgrep.dev/docs/cheat-sheets/java-xxe/",
"https://blog.sonarsource.com/secure-xml-processor",
"https://xerces.apache.org/xerces2-j/features.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"xml"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"by-side-effect": true,
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\"); ...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n"
},
{
"pattern": "$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n...\n$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n"
},
{
"pattern": "$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\"); ...\n$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n"
},
{
"pattern": "$FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n...\n$FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n"
}
]
},
{
"focus-metavariable": "$FACTORY"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-inside": "class $C {\n ...\n $T $M(...) {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n }\n ...\n}\n"
}
]
},
{
"pattern": "$M($X)"
},
{
"focus-metavariable": "$X"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FACTORY.newTransformer(...);"
}
]
}
],
"pattern-sources": [
{
"by-side-effect": true,
"patterns": [
{
"pattern-either": [
{
"pattern": "$FACTORY = TransformerFactory.newInstance();\n"
},
{
"patterns": [
{
"pattern": "$FACTORY"
},
{
"pattern-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, \"\");\n ...\n $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "class $C {\n ...\n $V $FACTORY = TransformerFactory.newInstance();\n static {\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalStylesheet.*/\", \"\");\n ...\n $FACTORY.setAttribute(\"=~/.*accessExternalDTD.*/\", \"\");\n ...\n }\n ...\n}\n"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.mongodb.security.injection.audit.mongodb-nosqli",
"languages": [
"java"
],
"message": "Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc.",
"metadata": {
"asvs": {
"control_id": "5.3.4 Injection Prevention",
"control_url": "https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "5"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection",
"https://www.mongodb.com/docs/manual/tutorial/query-documents/",
"https://www.mongodb.com/docs/manual/reference/operator/query/where/"
],
"subcategory": [
"audit"
],
"technology": [
"nosql",
"mongodb"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "(com.mongodb.BasicDBObject $QUERY).put(\"$where\", $INPUT);"
},
{
"pattern": "(HashMap<String, String> $MAP).put(\"$where\", $INPUT);\n...\n(com.mongodb.BasicDBObject $QUERY).putAll($MAP);\n"
},
{
"pattern": "(com.mongodb.BasicDBObject $QUERY).append(\"$where\", $INPUT);"
},
{
"pattern": "new com.mongodb.BasicDBObject(\"$where\", $INPUT);"
},
{
"pattern": "(HashMap<String, String> $MAP).put(\"$where\", $INPUT);\n...\nnew com.mongodb.BasicDBObject($MAP);\n"
},
{
"pattern": "(HashMap<String, String> $MAP).put(\"$where\", $INPUT);\n...\nString json = new JSONObject($MAP).toString();\n...\n(com.mongodb.BasicDBObject $QUERY).parse((String $JSON));\n"
},
{
"pattern": "com.mongodb.BasicDBObjectBuilder.start().add(\"$where\", $INPUT);"
},
{
"pattern": "com.mongodb.BasicDBObjectBuilder.start().append(\"$where\", $INPUT);"
},
{
"pattern": "com.mongodb.BasicDBObjectBuilder.start(\"$where\", $INPUT);"
},
{
"pattern": "(HashMap<String, String> $MAP).put(\"$where\", $INPUT);\n...\ncom.mongodb.BasicDBObjectBuilder.start($MAP);\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$INPUT",
"patterns": [
{
"pattern": "...\n"
},
{
"pattern-not": "\"...\"\n"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.rmi.security.server-dangerous-class-deserialization",
"languages": [
"java"
],
"message": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/"
],
"subcategory": [
"audit"
],
"technology": [
"rmi"
]
},
"patterns": [
{
"pattern": "interface $INTERFACE extends Remote {\n $RETURNTYPE $METHOD($CLASS $PARAM) throws RemoteException;\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$CLASS",
"regex": "(?!int|boolean|short|long|byte|char|float|double)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.rmi.security.server-dangerous-object-deserialization",
"languages": [
"java"
],
"message": "Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://frohoff.github.io/appseccali-marshalling-pickles/",
"https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi",
"https://youtu.be/t_aw1mDNhzI",
"https://github.com/qtc-de/remote-method-guesser",
"https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331"
],
"subcategory": [
"audit"
],
"technology": [
"rmi"
]
},
"patterns": [
{
"pattern": "interface $INTERFACE extends Remote {\n $RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException;\n}\n"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$PARAMTYPE",
"patterns": [
{
"pattern-not": "String"
},
{
"pattern-not": "java.lang.String"
},
{
"pattern-not": "boolean"
},
{
"pattern-not": "Boolean"
},
{
"pattern-not": "java.lang.Boolean"
},
{
"pattern-not": "byte"
},
{
"pattern-not": "Byte"
},
{
"pattern-not": "java.lang.Byte"
},
{
"pattern-not": "char"
},
{
"pattern-not": "Character"
},
{
"pattern-not": "java.lang.Character"
},
{
"pattern-not": "double"
},
{
"pattern-not": "Double"
},
{
"pattern-not": "java.lang.Double"
},
{
"pattern-not": "float"
},
{
"pattern-not": "Float"
},
{
"pattern-not": "java.lang.Float"
},
{
"pattern-not": "int"
},
{
"pattern-not": "Integer"
},
{
"pattern-not": "java.lang.Integer"
},
{
"pattern-not": "long"
},
{
"pattern-not": "Long"
},
{
"pattern-not": "java.lang.Long"
},
{
"pattern-not": "short"
},
{
"pattern-not": "Short"
},
{
"pattern-not": "java.lang.Short"
}
]
}
}
],
"severity": "ERROR"
},
{
"fix": "$COOKIE = new Cookie($...ARGS);\n$COOKIE.setSecure(true);\n",
"id": "vendored-rules.java.servlets.security.cookie-issecure-false",
"languages": [
"java"
],
"message": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)",
"https://owasp.org/www-community/controls/SecureCookieAttribute"
],
"subcategory": [
"audit"
],
"technology": [
"java",
"cookie"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "$COOKIE = new Cookie($...ARGS);"
},
{
"pattern-not-inside": "$COOKIE = new Cookie(...);\n...\n$COOKIE.setSecure(...);\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "setSecure\\(false\\)",
"replacement": "setSecure(true)"
},
"id": "vendored-rules.java.servlets.security.cookie-setSecure",
"languages": [
"java"
],
"message": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)",
"https://owasp.org/www-community/controls/SecureCookieAttribute"
],
"subcategory": [
"audit"
],
"technology": [
"java",
"cookie"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"patterns": [
{
"pattern-inside": "$COOKIE = new Cookie(...);\n...\n"
},
{
"pattern": "$COOKIE.setSecure(false);\n"
}
]
},
{
"pattern-not-inside": "$COOKIE = new Cookie(...);\n...\n$COOKIE.setSecure(true);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.unrestricted-request-mapping",
"languages": [
"java"
],
"message": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING",
"subcategory": [
"audit"
],
"technology": [
"spring"
]
},
"patterns": [
{
"pattern-inside": "@RequestMapping(...)\n$RETURNTYPE $METHOD(...) { ... }\n"
},
{
"pattern-not-inside": "@RequestMapping(..., method = $X, ...)\n$RETURNTYPE $METHOD(...) { ... }\n"
},
{
"pattern": "RequestMapping\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spel-injection",
"languages": [
"java"
],
"message": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION",
"subcategory": [
"audit"
],
"technology": [
"spring"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $CLASS {\n ...\n ExpressionParser $PARSER;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n ExpressionParser $PARSER = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n ExpressionParser $PARSER = ...;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n SpelExpressionParser $PARSER;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n SpelExpressionParser $PARSER = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n SpelExpressionParser $PARSER = ...;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n TemplateAwareExpressionParser $PARSER;\n ...\n}\n"
},
{
"pattern-inside": "class $CLASS {\n ...\n TemplateAwareExpressionParser $PARSER = ...;\n ...\n}\n"
},
{
"pattern-inside": "$X $METHOD(...) {\n ...\n TemplateAwareExpressionParser $PARSER = ...;\n ...\n}\n"
}
]
},
{
"pattern": "$X $METHOD(...) {\n ...\n $PARSER.parseExpression(...);\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n $PARSER.parseExpression(\"...\");\n ...\n}\n"
},
{
"pattern-not": "$X $METHOD(...) {\n ...\n String $S = \"...\";\n ...\n $PARSER.parseExpression($S);\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-actuator-fully-enabled-yaml",
"languages": [
"yaml"
],
"message": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints",
"https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785",
"https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"patterns": [
{
"pattern-inside": "management:\n ...\n endpoints:\n ...\n web:\n ...\n exposure:\n ...\n"
},
{
"pattern": "include: \"*\"\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-actuator-fully-enabled",
"languages": [
"generic"
],
"message": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints",
"https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785",
"https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"paths": {
"include": [
"*properties"
]
},
"pattern": "management.endpoints.web.exposure.include=*",
"severity": "ERROR"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled-yaml",
"languages": [
"yaml"
],
"message": "Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints",
"https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785",
"https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"patterns": [
{
"pattern-inside": "management:\n ...\n endpoints:\n ...\n web:\n ...\n exposure:\n ...\n include:\n ...\n"
},
{
"pattern": "include: [..., $ACTUATOR, ...]\n"
},
{
"metavariable-comparison": {
"comparison": "not str($ACTUATOR) in [\"health\",\"*\"]",
"metavariable": "$ACTUATOR"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled",
"languages": [
"generic"
],
"message": "Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints",
"https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785",
"https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"options": {
"generic_ellipsis_max_span": 0
},
"patterns": [
{
"pattern": "management.endpoints.web.exposure.include=$...ACTUATORS"
},
{
"metavariable-comparison": {
"comparison": "not str($...ACTUATORS) in [\"health\",\"*\"]",
"metavariable": "$...ACTUATORS"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-csrf-disabled",
"languages": [
"java"
],
"message": "CSRF protection is disabled for this configuration. This is a security risk.",
"metadata": {
"asvs": {
"control_id": "4.2.2 CSRF",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control",
"section": "V4 Access Control",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED",
"subcategory": [
"audit"
],
"technology": [
"spring"
]
},
"pattern": "$OBJ.csrf(...).disable(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-jsp-eval",
"languages": [
"generic"
],
"message": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL",
"subcategory": [
"audit"
],
"technology": [
"spring"
]
},
"paths": {
"include": [
"*.jsp"
]
},
"pattern": "<spring:eval ... expression=...>\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-sqli",
"languages": [
"java"
],
"message": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"mode": "taint",
"options": {
"taint_assume_safe_booleans": true,
"taint_assume_safe_numbers": true
},
"pattern-sanitizers": [
{
"not_conflicting": true,
"pattern-either": [
{
"patterns": [
{
"focus-metavariable": "$A"
},
{
"pattern-inside": "new $TYPE(...,$A,...);\n"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"focus-metavariable": "$A"
},
{
"pattern": "new PreparedStatementCreatorFactory($A,...);\n"
}
]
},
{
"patterns": [
{
"focus-metavariable": "$A"
},
{
"pattern": "(JdbcTemplate $T).$M($A,...)\n"
}
]
},
{
"patterns": [
{
"pattern": "(String $A)"
},
{
"pattern-inside": "(JdbcTemplate $T).batchUpdate(...)\n"
}
]
},
{
"patterns": [
{
"focus-metavariable": "$A"
},
{
"pattern": "NamedParameterBatchUpdateUtils.$M($A,...)\n"
}
]
},
{
"patterns": [
{
"focus-metavariable": "$A"
},
{
"pattern": "BatchUpdateUtils.$M($A,...)\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$ARG"
},
{
"pattern-inside": "public $T $M (..., String $ARG,...){...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.audit.spring-unvalidated-redirect",
"languages": [
"java"
],
"message": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT",
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"pattern-either": [
{
"pattern": "$X $METHOD(...,String $URL,...) {\n return \"redirect:\" + $URL;\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...) {\n ...\n String $REDIR = \"redirect:\" + $URL;\n ...\n return $REDIR;\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...) {\n ...\n new ModelAndView(\"redirect:\" + $URL);\n ...\n}\n"
},
{
"pattern": "$X $METHOD(...,String $URL,...) {\n ...\n String $REDIR = \"redirect:\" + $URL;\n ...\n new ModelAndView($REDIR);\n ...\n}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.java.spring.security.injection.tainted-file-path",
"languages": [
"java"
],
"message": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-23: Relative Path Traversal"
],
"impact": "HIGH",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"spring"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"pattern": "org.apache.commons.io.FilenameUtils.getName(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new File(...)"
},
{
"pattern": "new java.io.File(...)"
},
{
"pattern": "new FileReader(...)"
},
{
"pattern": "new java.io.FileReader(...)"
},
{
"pattern": "new FileInputStream(...)"
},
{
"pattern": "new java.io.FileInputStream(...)"
},
{
"pattern": "(Paths $PATHS).get(...)"
},
{
"patterns": [
{
"pattern": "$CLASS.$FUNC(...)\n"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "^(getResourceAsStream|getResource)$"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new ClassPathResource($FILE, ...)"
},
{
"pattern": "ResourceUtils.getFile($FILE, ...)"
},
{
"pattern": "new FileOutputStream($FILE, ...)"
},
{
"pattern": "new java.io.FileOutputStream($FILE, ...)"
},
{
"pattern": "new StreamSource($FILE, ...)"
},
{
"pattern": "new javax.xml.transform.StreamSource($FILE, ...)"
},
{
"pattern": "FileUtils.openOutputStream($FILE, ...)"
}
]
},
{
"focus-metavariable": "$FILE"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n"
},
{
"pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"
}
},
{
"metavariable-regex": {
"metavariable": "$REQ",
"regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"
}
},
{
"focus-metavariable": "$SOURCE"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.spring.security.injection.tainted-html-string",
"languages": [
"java"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"spring"
]
},
"mode": "taint",
"pattern-propagators": [
{
"from": "$...TAINTED",
"pattern": "(StringBuilder $SB).append($...TAINTED)",
"to": "$SB"
},
{
"from": "$...TAINTED",
"pattern": "$VAR += $...TAINTED",
"to": "$VAR"
}
],
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "Encode.forHtml(...)"
},
{
"pattern": "(PolicyFactory $POLICY).sanitize(...)"
},
{
"pattern": "(AntiSamy $AS).scan(...)"
},
{
"pattern": "JSoup.clean(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new ResponseEntity<>($PAYLOAD, ...)"
},
{
"pattern": "new ResponseEntity<$ERROR>($PAYLOAD, ...)"
},
{
"pattern": "ResponseEntity. ... .body($PAYLOAD)"
},
{
"patterns": [
{
"pattern": "ResponseEntity.$RESPFUNC($PAYLOAD). ...\n"
},
{
"metavariable-regex": {
"metavariable": "$RESPFUNC",
"regex": "^(ok|of)$"
}
}
]
}
]
},
{
"focus-metavariable": "$PAYLOAD"
}
],
"requires": "CONCAT"
}
],
"pattern-sources": [
{
"label": "INPUT",
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n"
},
{
"pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"
}
},
{
"metavariable-regex": {
"metavariable": "$REQ",
"regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"
}
},
{
"focus-metavariable": "$SOURCE"
}
]
},
{
"by-side-effect": true,
"label": "CONCAT",
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" + ...\n"
},
{
"pattern": "\"$HTMLSTR\".concat(...)\n"
},
{
"patterns": [
{
"pattern-inside": "StringBuilder $SB = new StringBuilder(\"$HTMLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$HTMLSTR\";\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
},
{
"pattern": "String.format(\"$HTMLSTR\", ...)"
},
{
"patterns": [
{
"pattern-inside": "String $VAR = \"$HTMLSTR\";\n...\n"
},
{
"pattern": "String.format($VAR, ...)"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTMLSTR",
"regex": "^<\\w+"
}
}
],
"requires": "INPUT"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.spring.security.injection.tainted-sql-string",
"languages": [
"java"
],
"message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
]
},
"mode": "taint",
"options": {
"interfile": true,
"taint_assume_safe_booleans": true,
"taint_assume_safe_numbers": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\".concat(...)\n"
},
{
"patterns": [
{
"pattern-inside": "StringBuilder $SB = new StringBuilder(\"$SQLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$SQLSTR\";\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
},
{
"pattern": "String.format(\"$SQLSTR\", ...)"
},
{
"patterns": [
{
"pattern-inside": "String $VAR = \"$SQLSTR\";\n...\n"
},
{
"pattern": "String.format($VAR, ...)"
}
]
}
]
},
{
"pattern-not-inside": "System.out.println(...)"
},
{
"pattern-not-inside": "$LOG.info(...)"
},
{
"pattern-not-inside": "$LOG.warn(...)"
},
{
"pattern-not-inside": "$LOG.warning(...)"
},
{
"pattern-not-inside": "$LOG.debug(...)"
},
{
"pattern-not-inside": "$LOG.debugging(...)"
},
{
"pattern-not-inside": "$LOG.error(...)"
},
{
"pattern-not-inside": "new Exception(...)"
},
{
"pattern-not-inside": "throw ...;"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n"
},
{
"pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$REQ",
"regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue)"
}
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"
}
},
{
"focus-metavariable": "$SOURCE"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.spring.security.injection.tainted-system-command",
"languages": [
"java"
],
"message": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.stackhawk.com/blog/command-injection-java/",
"https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html",
"https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"spring"
]
},
"mode": "taint",
"pattern-propagators": [
{
"from": "$INPUT",
"label": "CONCAT",
"pattern": "(StringBuilder $STRB).append($INPUT)",
"requires": "INPUT",
"to": "$STRB"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(Process $P) = new Process(...);\n"
},
{
"pattern": "(ProcessBuilder $PB).command(...);\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "(Runtime $R).$EXEC(...);\n"
},
{
"pattern": "Runtime.getRuntime(...).$EXEC(...);\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$EXEC",
"regex": "(exec|loadLibrary|load)"
}
}
]
},
{
"patterns": [
{
"pattern": "(ProcessBuilder $PB).command(...).$ADD(...);\n"
},
{
"metavariable-regex": {
"metavariable": "$ADD",
"regex": "(add|addAll)"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$BUILDER = new ProcessBuilder(...);\n...\n"
},
{
"pattern": "$BUILDER.start(...)"
}
]
},
{
"pattern": "new ProcessBuilder(...). ... .start(...);\n"
}
]
}
]
}
]
}
],
"requires": "CONCAT"
}
],
"pattern-sources": [
{
"label": "INPUT",
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n"
},
{
"pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"
}
},
{
"metavariable-regex": {
"metavariable": "$REQ",
"regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"
}
},
{
"focus-metavariable": "$SOURCE"
}
]
},
{
"label": "CONCAT",
"patterns": [
{
"pattern-either": [
{
"pattern": "$X + $SOURCE"
},
{
"pattern": "$SOURCE + $Y"
},
{
"pattern": "String.format(\"...\", ..., $SOURCE, ...)"
},
{
"pattern": "String.join(\"...\", ..., $SOURCE, ...)"
},
{
"pattern": "(String $STR).concat($SOURCE)"
},
{
"pattern": "$SOURCE.concat(...)"
},
{
"pattern": "$X += $SOURCE"
},
{
"pattern": "$SOURCE += $X"
}
]
}
],
"requires": "INPUT"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.java.spring.security.injection.tainted-url-host",
"languages": [
"java"
],
"message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java",
"spring"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "new URL($ONEARG)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$URLSTR\" + ...\n"
},
{
"pattern": "\"$URLSTR\".concat(...)\n"
},
{
"patterns": [
{
"pattern-inside": "StringBuilder $SB = new StringBuilder(\"$URLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$URLSTR\";\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
},
{
"patterns": [
{
"pattern": "String.format(\"$URLSTR\", ...)"
},
{
"pattern-not": "String.format(\"$URLSTR\", \"...\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "String $VAR = \"$URLSTR\";\n...\n"
},
{
"pattern": "String.format($VAR, ...)"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": "http(s?)://%(v|s|q).*"
}
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {\n ...\n}\n"
},
{
"pattern-inside": "$METHODNAME(..., @$REQ $TYPE $SOURCE,...) {\n ...\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))"
}
},
{
"metavariable-regex": {
"metavariable": "$REQ",
"regex": "(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)"
}
},
{
"focus-metavariable": "$SOURCE"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.ajv.security.audit.ajv-allerrors-true",
"languages": [
"js",
"ts"
],
"message": "By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-400: Uncontrolled Resource Consumption"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://ajv.js.org/options.html#allerrors"
],
"subcategory": [
"audit"
],
"technology": [
"ajv"
]
},
"pattern-either": [
{
"pattern": "new Ajv({...,allErrors: true,...},...)\n"
},
{
"patterns": [
{
"pattern": "new Ajv($SETTINGS,...)\n"
},
{
"pattern-inside": "$SETTINGS = {...,allErrors: true,...}\n...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-element-methods",
"languages": [
"js",
"ts"
],
"message": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/function/angular.element",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"angularjs"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$sce.getTrustedHtml(...)"
},
{
"pattern": "$sanitize(...)"
},
{
"pattern": "DOMPurify.sanitize(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "angular.element(...). ... .$SINK($QUERY)\n"
},
{
"pattern-inside": "$ANGULAR = angular.element(...)\n...\n$ANGULAR. ... .$SINK($QUERY)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SINK",
"regex": "^(after|append|html|prepend|replaceWith|wrap)$"
}
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "function(..., $SCOPE, ...) { ... }\n"
},
{
"focus-metavariable": "$SCOPE"
},
{
"metavariable-regex": {
"metavariable": "$SCOPE",
"regex": "^\\$scope$"
}
}
]
},
{
"pattern": "$rootScope"
},
{
"pattern": "$injector.get('$rootScope')"
},
{
"pattern": "$injector.get('$scope')"
}
]
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-element-taint",
"languages": [
"js",
"ts"
],
"message": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/function/angular.element",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"angularjs"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$sce.getTrustedHtml(...)"
},
{
"pattern": "$sanitize(...)"
},
{
"pattern": "DOMPurify.sanitize(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "angular.element(...). ... .$SINK($QUERY)\n"
},
{
"pattern-inside": "$ANGULAR = angular.element(...)\n...\n$ANGULAR. ... .$SINK($QUERY)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SINK",
"regex": "^(after|append|html|prepend|replaceWith|wrap)$"
}
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "window.location.search"
},
{
"pattern": "window.document.location.search"
},
{
"pattern": "document.location.search"
},
{
"pattern": "location.search"
},
{
"pattern": "$location.search(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$DECODE(<... location.hash ...>)"
},
{
"pattern": "$DECODE(<... window.location.hash ...>)"
},
{
"pattern": "$DECODE(<... document.location.hash ...>)"
},
{
"pattern": "$DECODE(<... location.href ...>)"
},
{
"pattern": "$DECODE(<... window.location.href ...>)"
},
{
"pattern": "$DECODE(<... document.location.href ...>)"
},
{
"pattern": "$DECODE(<... document.URL ...>)"
},
{
"pattern": "$DECODE(<... window.document.URL ...>)"
},
{
"pattern": "$DECODE(<... document.location.href ...>)"
},
{
"pattern": "$DECODE(<... document.location.href ...>)"
},
{
"pattern": "$DECODE(<... $location.absUrl() ...>)"
},
{
"pattern": "$DECODE(<... $location.url() ...>)"
},
{
"pattern": "$DECODE(<... $location.hash() ...>)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$DECODE",
"regex": "^(unescape|decodeURI|decodeURIComponent)$"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$http.$METHOD(...).$CONTINUE(function $FUNC($RES) {...})"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|delete|head|jsonp|post|put|patch)"
}
},
{
"pattern": "$RES.data"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-open-redirect",
"languages": [
"js",
"ts"
],
"message": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.",
"metadata": {
"asvs": {
"control_id": "5.5.1 Insecue Redirect",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsJs",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern": "$window.location.href = ...\n"
},
{
"pattern-not": "$window.location.href = \"...\"\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-resource-loading",
"languages": [
"js",
"ts"
],
"message": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsJs",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"pattern-either": [
{
"pattern": "$sceDelegateProvider.resourceUrlWhitelist([...,'**',...]);\n"
},
{
"patterns": [
{
"pattern": "$sceDelegateProvider.resourceUrlWhitelist([...,$DOM,...]);\n"
},
{
"metavariable-regex": {
"metavariable": "$DOM",
"regex": "^'.*\\*\\*.+'$"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-sce-disabled",
"languages": [
"js",
"ts"
],
"message": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"angular"
]
},
"pattern": "$sceProvider.enabled(false);\n",
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-css-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsCss",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsCss($SOURCE);\n"
},
{
"pattern": "$sce.trustAsCss($scope.$INPUT);\n"
}
]
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-html-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsHtml($SOURCE);\n"
},
{
"pattern": "$sce.trustAsHtml($scope.$INPUT);\n"
}
]
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-js-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsJs",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsJs($SOURCE);\n"
},
{
"pattern": "$sce.trustAsJs($scope.$INPUT);\n"
}
]
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"angular"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "$sce.trustAs(...)"
},
{
"pattern": "$sce.trustAsHtml(...)"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "app.controller(..., function($scope,$sce) {\n...\n});\n"
},
{
"pattern": "$scope.$X"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-resourceurl-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsResourceUrl($SOURCE);\n"
},
{
"pattern": "$sce.trustAsResourceUrl($scope.$INPUT);\n"
}
]
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-trust-as-url-method",
"languages": [
"js",
"ts"
],
"message": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SOURCE = $scope.$INPUT;\n$sce.trustAsUrl($SOURCE);\n"
},
{
"pattern": "$sce.trustAsUrl($scope.$INPUT);\n"
}
]
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.angular.security.detect-angular-translateprovider-translations-method",
"languages": [
"js",
"ts"
],
"message": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl",
"https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"angular",
"typescript"
]
},
"patterns": [
{
"pattern": "$translateProvider.translations(...,$SOURCE);\n"
},
{
"pattern-inside": "app.controller(..., function($scope,$sce){\n...\n});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.apollo.security.apollo-axios-ssrf",
"languages": [
"js",
"ts"
],
"message": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://www.cvedetails.com/cve/CVE-2020-28168/",
"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
],
"subcategory": [
"audit"
],
"technology": [
"apollo",
"axios"
]
},
"patterns": [
{
"pattern": "const $RESPONSE = await axios.request($INNERARG,...)"
},
{
"pattern-inside": "Query: {\n $METHOD(parent, args, context, info) {\n ...\n $DATA = args.$DATAVAL\n ...\n async function $INNERFUNC(...,$INNERARG,...){\n ...\n }\n ...\n return $INNERFUNC(...,$DATA,...)\n }\n }\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.argon2.security.unsafe-argon2-config",
"languages": [
"js",
"ts"
],
"message": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-916: Use of Password Hash With Insufficient Computational Effort"
],
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html",
"https://eprint.iacr.org/2016/759.pdf",
"https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf",
"https://datatracker.ietf.org/doc/html/rfc9106#section-4"
],
"subcategory": [
"vuln"
],
"technology": [
"argon2",
"cryptography"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "{type: $ARGON.argon2id}\n...\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$Y\n"
},
{
"pattern-inside": "$ARGON.hash(...,$Y)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "$ARGON = require('argon2');\n...\n"
},
{
"pattern": "{type: ...}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.audit.detect-replaceall-sanitization",
"languages": [
"js",
"ts"
],
"message": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.npmjs.com/package/dompurify",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"javascript",
"typescript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$STR.$FUNC('<', '&lt;')"
},
{
"pattern": "$STR.$FUNC('>', '&gt;')"
},
{
"pattern": "$STR.$FUNC('\"', '&quot;')"
},
{
"pattern": "$STR.$FUNC(\"'\", '&apos;')"
},
{
"pattern": "$STR.$FUNC('&', '&amp;')"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(replace|replaceAll)"
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.detect-child-process",
"languages": [
"js",
"ts"
],
"message": "Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"pattern": "exec($CMD,...)"
},
{
"pattern": "execSync($CMD,...)"
},
{
"pattern": "spawn($CMD,...)"
},
{
"pattern": "spawnSync($CMD,...)"
},
{
"pattern": "$CP.exec($CMD,...)"
},
{
"pattern": "$CP.execSync($CMD,...)"
},
{
"pattern": "$CP.spawn($CMD,...)"
},
{
"pattern": "$CP.spawnSync($CMD,...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('child_process')\n...\n"
},
{
"pattern-inside": "import 'child_process'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$EVENT"
},
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.dynamodb-request-object",
"languages": [
"js",
"ts"
],
"message": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"aws-lambda",
"dynamodb"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "{...}\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern": "$DC.$METHOD($SINK, ...)\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(query|send|scan|delete|put|transactWrite|update|batchExecuteStatement|executeStatement|executeTransaction|transactWriteItems)"
}
},
{
"pattern-either": [
{
"pattern-inside": "$DC = new $AWS.DocumentClient(...);\n...\n"
},
{
"pattern-inside": "$DC = new $AWS.DynamoDB(...);\n...\n"
},
{
"pattern-inside": "$DC = new DynamoDBClient(...);\n...\n"
},
{
"pattern-inside": "$DC = DynamoDBDocumentClient.from(...);\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$EVENT"
},
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.knex-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://knexjs.org/#Builder-fromRaw",
"https://knexjs.org/#Builder-whereRaw"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"knex"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$KNEX.fromRaw($QUERY, ...)"
},
{
"pattern": "$KNEX.whereRaw($QUERY, ...)"
},
{
"pattern": "$KNEX.raw($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('knex')\n...\n"
},
{
"pattern-inside": "import 'knex'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.mysql-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.npmjs.com/package/mysql2"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"mysql",
"mysql2"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$POOL.query($QUERY, ...)"
},
{
"pattern": "$POOL.execute($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('mysql')\n...\n"
},
{
"pattern-inside": "require('mysql2')\n...\n"
},
{
"pattern-inside": "require('mysql2/promise')\n...\n"
},
{
"pattern-inside": "import 'mysql'\n...\n"
},
{
"pattern-inside": "import 'mysql2'\n...\n"
},
{
"pattern-inside": "import 'mysql2/promise'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.pg-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://node-postgres.com/features/queries"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"postgres",
"pg"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$DB.query($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('pg')\n...\n"
},
{
"pattern-inside": "import 'pg'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.sequelize-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://sequelize.org/master/manual/raw-queries.html"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"sequelize"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$DB.query($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('sequelize')\n...\n"
},
{
"pattern-inside": "import 'sequelize'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.tainted-eval",
"languages": [
"js",
"ts"
],
"message": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CODE"
},
{
"pattern-either": [
{
"pattern": "eval($CODE)"
},
{
"pattern": "Function(...,$CODE)"
},
{
"pattern": "new Function(...,$CODE)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$EVENT"
},
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.tainted-html-response",
"languages": [
"js",
"ts"
],
"message": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$BODY"
},
{
"pattern-inside": "{..., headers: {..., 'Content-Type': 'text/html', ...}, body: $BODY, ... }\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.tainted-html-string",
"languages": [
"js",
"ts"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" + $EXPR\n"
},
{
"pattern": "\"$HTMLSTR\".concat(...)\n"
},
{
"pattern": "$UTIL.format($HTMLSTR, ...)"
},
{
"pattern": "format($HTMLSTR, ...)"
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
},
{
"patterns": [
{
"pattern": "`...${...}...`\n"
},
{
"pattern-regex": ".*<\\w+.*\n"
}
]
}
]
},
{
"pattern-not-inside": "console.$LOG(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.tainted-sql-string",
"languages": [
"js",
"ts"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + $EXPR\n"
},
{
"pattern": "\"$SQLSTR\".concat(...)\n"
},
{
"pattern": "util.format($SQLSTR, ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
},
{
"patterns": [
{
"pattern": "`...${...}...`\n"
},
{
"pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n"
}
]
}
]
},
{
"pattern-not-inside": "console.$LOG(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
},
{
"pattern": "$EVENT"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.aws-lambda.security.vm-runincontext-injection",
"languages": [
"js",
"ts"
],
"message": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('vm');\n...\n"
},
{
"pattern-inside": "import 'vm'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$VM.runInContext($X,...)"
},
{
"pattern": "$VM.runInNewContext($X,...)"
},
{
"pattern": "$VM.runInThisContext($X,...)"
},
{
"pattern": "$VM.compileFunction($X,...)"
},
{
"pattern": "new $VM.Script($X,...)"
},
{
"pattern": "new $VM.SourceTextModule($X,...)"
},
{
"pattern": "runInContext($X,...)"
},
{
"pattern": "runInNewContext($X,...)"
},
{
"pattern": "runInThisContext($X,...)"
},
{
"pattern": "compileFunction($X,...)"
},
{
"pattern": "new Script($X,...)"
},
{
"pattern": "new SourceTextModule($X,...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$EVENT"
},
{
"pattern-either": [
{
"pattern-inside": "exports.handler = function ($EVENT, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
},
{
"pattern-inside": "$FUNC = function ($EVENT, ...) {...}\n...\nexports.handler = $FUNC\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.bluebird.security.audit.tofastproperties-code-execution",
"languages": [
"js",
"ts"
],
"message": "Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"http://bluebirdjs.com/docs/getting-started.html"
],
"subcategory": [
"vuln"
],
"technology": [
"bluebird"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$UTIL.toFastProperties($SINK,...)"
},
{
"pattern": "toFastProperties($SINK,...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$BB = require('bluebird');\n...\n"
},
{
"pattern-inside": "import 'bluebird';\n...\n"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $ARG,...) {...}"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.dom-based-xss",
"languages": [
"js",
"ts"
],
"message": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/DOM_Based_XSS"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"pattern-either": [
{
"pattern": "document.write(<... document.location.$W ...>)"
},
{
"pattern": "document.write(<... location.$W ...>)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.browser.security.eval-detected",
"languages": [
"js",
"ts"
],
"message": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dynamic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern-not": "eval(\"...\")"
},
{
"pattern": "eval(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.insecure-document-method",
"languages": [
"js",
"ts"
],
"message": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$EL.innerHTML = $HTML;\n"
},
{
"pattern": "$EL.outerHTML = $HTML;\n"
},
{
"pattern": "document.write(...)"
}
]
},
{
"pattern-not": "$EL.innerHTML = \"...\";\n"
},
{
"pattern-not": "$EL.outerHTML = \"...\";\n"
},
{
"pattern-not": "document.write(\"...\")"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.browser.security.insecure-innerhtml",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern": "$EL.innerHTML = $HTML;\n"
},
{
"pattern-not": "$EL.innerHTML = \"...\";\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.browser.security.insufficient-postmessage-origin-validation",
"languages": [
"js",
"ts"
],
"message": "No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "window.addEventListener('message', $FUNC, ...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$FUNC",
"patterns": [
{
"pattern": "function($OBJ) { ... }\n"
},
{
"pattern-not": "function($OBJ) { ... if (<... $OBJ.origin ...>) { ... } ... }\n"
}
]
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function $FNAME($OBJ) { $CONTEXT }\n...\n"
},
{
"pattern-inside": "$FNAME = (...) => { $CONTEXT }\n...\n"
}
]
},
{
"pattern": "window.addEventListener('message', $FNAME,...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$CONTEXT",
"patterns": [
{
"pattern-not": "... if (<... $OBJ.origin ...>) { ... } ...\n"
}
]
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.js-open-redirect-from-function",
"languages": [
"js",
"ts"
],
"message": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.",
"metadata": {
"asvs": {
"control_id": "5.5.1 Insecue Redirect",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"browser"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "location.href = $SINK"
},
{
"pattern": "window.location.href = $SINK"
},
{
"pattern": "this.window.location.href = $SINK"
},
{
"pattern": "this.location.href = $SINK"
},
{
"pattern": "location.replace($SINK)"
},
{
"pattern": "window.location.replace($SINK)"
},
{
"pattern": "this.window.location.replace($SINK)"
},
{
"pattern": "this.location.replace($SINK)"
}
]
},
{
"focus-metavariable": "$SINK"
},
{
"metavariable-pattern": {
"metavariable": "$SINK",
"patterns": [
{
"pattern-not": "\"...\" + $VALUE\n"
},
{
"pattern-not": "`...${$VALUE}`\n"
}
]
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $PROP, ...) { ... }\n"
},
{
"focus-metavariable": "$PROP"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.javascript.browser.security.js-open-redirect",
"languages": [
"js",
"ts"
],
"message": "The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.",
"metadata": {
"asvs": {
"control_id": "5.5.1 Insecue Redirect",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"interfile": true,
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"browser"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "location.href = $SINK"
},
{
"pattern": "$THIS. ... .location.href = $SINK"
},
{
"pattern": "location.replace($SINK)"
},
{
"pattern": "$THIS. ... .location.replace($SINK)"
},
{
"pattern": "location = $SINK"
},
{
"pattern": "$WINDOW. ... .location = $SINK"
}
]
},
{
"focus-metavariable": "$SINK"
},
{
"metavariable-pattern": {
"metavariable": "$SINK",
"patterns": [
{
"pattern-not": "\"...\" + $VALUE\n"
},
{
"pattern-not": "`...${$VALUE}`\n"
}
]
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')\n...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams(location.search).get('...')\n...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')\n...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams(location.hash.substring(1)).get('...')\n...\n"
}
]
},
{
"pattern": "$PROP"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.search)\n...\n"
},
{
"pattern-inside": "$PROPS = new URLSearchParams(location.search)\n...\n"
},
{
"pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1))\n...\n"
},
{
"pattern-inside": "$PROPS = new URLSearchParams(location.hash.substring(1))\n...\n"
}
]
},
{
"pattern": "$PROPS.get('...')"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROPS = new URL($WINDOW. ... .location.href)\n...\n"
},
{
"pattern-inside": "$PROPS = new URL(location.href)\n...\n"
}
]
},
{
"pattern": "$PROPS.searchParams.get('...')"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROPS = new URL($WINDOW. ... .location.href).searchParams.get('...')\n...\n"
},
{
"pattern-inside": "$PROPS = new URL(location.href).searchParams.get('...')\n...\n"
}
]
},
{
"pattern": "$PROPS"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.raw-html-concat",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a HTML string may result in XSS",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/xss/"
],
"subcategory": [
"vuln"
],
"technology": [
"browser"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$S = new Remarkable()\n...\n"
}
]
},
{
"pattern": "$S.render(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$STRING + $EXPR"
},
{
"pattern-not": "$STRING + \"...\""
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "<$TAG ..."
},
{
"pattern-not": "<$TAG ...>...</$TAG>..."
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "$EXPR + $STRING"
},
{
"pattern-not": "\"...\" + $STRING"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "... </$TAG"
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "[..., $STRING, ...].join(...)"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "<$TAG ..."
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "[..., $STRING, ...].join(...)"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "... </$TAG"
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "$VAR += $STRING"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "<$TAG ..."
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "$VAR += $STRING"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern": "... </$TAG"
}
]
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "location.href"
},
{
"pattern": "location.hash"
},
{
"pattern": "location.search"
},
{
"pattern": "$WINDOW. ... .location.href"
},
{
"pattern": "$WINDOW. ... .location.hash"
},
{
"pattern": "$WINDOW. ... .location.search"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.raw-html-join",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a HTML string may result in XSS",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/xss/"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "[..., $STRING, ...].join(...)\n"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$STRING",
"patterns": [
{
"pattern-either": [
{
"pattern": "... </$TAG\n"
},
{
"pattern": "<$TAG ...\n"
}
]
}
]
}
},
{
"pattern-not": "[..., \"$HARDCODED\", ...].join(\"...\")\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.browser.security.wildcard-postmessage-configuration",
"languages": [
"js",
"ts"
],
"message": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"browser"
]
},
"pattern": "$OBJECT.postMessage(...,'*')",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://github.com/cyrus-and/chrome-remote-interface"
],
"subcategory": [
"vuln"
],
"technology": [
"chrome-remote-interface"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('chrome-remote-interface');\n...\n"
},
{
"pattern-inside": "import 'chrome-remote-interface';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$RUNTIME.compileScript({expression: $SINK},...)\n"
},
{
"pattern": "$RUNTIME.evaluate({expression: $SINK},...)\n"
},
{
"pattern": "$PAGE.navigate({url: $SINK},...)\n"
},
{
"pattern": "$RUNTIME.printToPDF({headerTemplate: $SINK},...)\n"
},
{
"pattern": "$RUNTIME.printToPDF({footerTemplate: $SINK},...)\n"
},
{
"pattern": "$PAGE.setDocumentContent({html: $SINK},...)\n"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $ARG,...) {...}"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.deno.security.audit.deno-dangerous-run",
"languages": [
"js",
"ts"
],
"message": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://deno.land/manual/examples/subprocess#simple-example"
],
"subcategory": [
"vuln"
],
"technology": [
"deno"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Deno.run({cmd: [$INPUT,...]},...)\n"
},
{
"pattern": "Deno.run({cmd: [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",$INPUT,...]},...)\n"
},
{
"patterns": [
{
"pattern": "Deno.run({cmd: [$CMD,\"-c\",$INPUT,...]},...)\n"
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\"\n...\n"
}
]
}
]
},
{
"focus-metavariable": "$INPUT"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $ARG,...) {...}"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.cors-misconfiguration",
"languages": [
"js",
"ts"
],
"message": "By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-346: Origin Validation Error"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.set($HEADER, $X)"
},
{
"pattern": "$RES.header($HEADER, $X)"
},
{
"pattern": "$RES.setHeader($HEADER, $X)"
},
{
"pattern": "$RES.set({$HEADER: $X}, ...)\n"
},
{
"pattern": "$RES.writeHead($STATUS, {$HEADER: $X}, ...)\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"metavariable-regex": {
"metavariable": "$HEADER",
"regex": ".*(Access-Control-Allow-Origin|access-control-allow-origin).*"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.express-data-exfiltration",
"languages": [
"js",
"ts"
],
"message": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://en.wikipedia.org/wiki/Mass_assignment_vulnerability",
"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "Object.assign(...)"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.express-expat-xxe",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/astro/node-expat"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$XML = require('node-expat')\n...\n"
},
{
"pattern-inside": "import $XML from 'node-expat'\n...\n"
},
{
"pattern-inside": "import * as $XML from 'node-expat'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$PARSER = new $XML.Parser(...);\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PARSER.parse($QUERY)"
},
{
"pattern": "$PARSER.write($QUERY)"
}
]
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-insecure-template-usage",
"languages": [
"js",
"ts"
],
"message": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection",
"A01:2017 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
],
"source_rule_url": [
"https://github.com/github/codeql/blob/2ba2642c7ab29b9eedef33bcc2b8cd1d203d0c10/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"typescript",
"express",
"pug",
"jade",
"dot",
"ejs",
"nunjucks",
"lodash",
"handlbars",
"mustache",
"hogan.js",
"eta",
"squirrelly"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-propagators": [
{
"from": "$E",
"pattern": "$MODEL.$FIND($E).then((...,$S,...)=>{...})",
"to": "$S"
}
],
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('pug')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'pug'\n...\n"
},
{
"pattern-inside": "$PUG = require('jade')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'jade'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.compile(...)"
},
{
"pattern": "$PUG.compileClient(...)"
},
{
"pattern": "$PUG.compileClientWithDependenciesTracked(...)"
},
{
"pattern": "$PUG.render(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('dot')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'dot'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.template(...)"
},
{
"pattern": "$PUG.compile(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('ejs')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'ejs'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.render(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('nunjucks')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'nunjucks'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.renderString(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('lodash')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'lodash'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.template(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('mustache')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'mustache'\n...\n"
},
{
"pattern-inside": "$PUG = require('eta')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'eta'\n...\n"
},
{
"pattern-inside": "$PUG = require('squirrelly')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'squirrelly'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.render(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PUG = require('hogan.js')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'hogan.js'\n...\n"
},
{
"pattern-inside": "$PUG = require('handlebars')\n...\n"
},
{
"pattern-inside": "import * as $PUG from 'handlebars'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PUG.compile(...)"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.express-jwt-hardcoded-secret",
"languages": [
"js",
"ts"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"express",
"secrets"
]
},
"options": {
"interfile": true
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$JWT = require('express-jwt');\n...\n"
},
{
"pattern-inside": "import $JWT from 'express-jwt';\n...\n"
},
{
"pattern-inside": "import * as $JWT from 'express-jwt';\n...\n"
},
{
"pattern-inside": "import { ..., $JWT, ... } from 'express-jwt';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$JWT({...,secret: \"$Y\",...},...)\n"
},
{
"pattern": "$OPTS = \"$Y\";\n...\n$JWT({...,secret: $OPTS},...);\n"
}
]
},
{
"focus-metavariable": "$Y"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.express-phantom-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://phantomjs.org/page-automation.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('phantom');\n...\n"
},
{
"pattern-inside": "import 'phantom';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PAGE.open($SINK,...)"
},
{
"pattern": "$PAGE.setContent($SINK,...)"
},
{
"pattern": "$PAGE.openUrl($SINK,...)"
},
{
"pattern": "$PAGE.evaluateJavaScript($SINK,...)"
},
{
"pattern": "$PAGE.property(\"content\",$SINK,...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-puppeteer-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://pptr.dev/api/puppeteer.page"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-inside": "import 'puppeteer';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PAGE.goto($SINK,...)"
},
{
"pattern": "$PAGE.setContent($SINK,...)"
},
{
"pattern": "$PAGE.evaluate($SINK,...)"
},
{
"pattern": "$PAGE.evaluate($CODE,$SINK,...)"
},
{
"pattern": "$PAGE.evaluateHandle($SINK,...)"
},
{
"pattern": "$PAGE.evaluateHandle($CODE,$SINK,...)"
},
{
"pattern": "$PAGE.evaluateOnNewDocument($SINK,...)"
},
{
"pattern": "$PAGE.evaluateOnNewDocument($CODE,$SINK,...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-sandbox-code-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `sandbox`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$SANDBOX = require('sandbox');\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$S = new $SANDBOX(...);\n...\n"
},
{
"pattern": "$S.run(...)\n"
}
]
},
{
"pattern": "new $SANDBOX($OPTS).run(...)\n"
},
{
"pattern": "new $SANDBOX().run(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-vm-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `$VM`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$VM = require('vm');\n...\n"
},
{
"pattern-either": [
{
"pattern": "$VM.runInContext(...)\n"
},
{
"pattern": "$VM.runInNewContext(...)\n"
},
{
"pattern": "$VM.compileFunction(...)\n"
},
{
"pattern": "$VM.runInThisContext(...)\n"
},
{
"pattern": "new $VM.Script(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-vm2-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `vm2`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "require('vm2')\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$VM = new VM(...)\n...\n"
},
{
"pattern-inside": "$VM = new NodeVM(...)\n...\n"
}
]
},
{
"pattern": "$VM.run(...)\n"
}
]
},
{
"pattern": "new VM(...).run(...)\n"
},
{
"pattern": "new NodeVM(...).run(...)\n"
},
{
"pattern": "new VMScript(...)\n"
},
{
"pattern": "new VM(...)\n"
},
{
"pattern": "new NodeVM(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.express-wkhtmltoimage-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://www.npmjs.com/package/wkhtmltopdf"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$WK.generate($SINK,...)"
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-wkhtmltopdf-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://www.npmjs.com/package/wkhtmltopdf"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$WK = require('wkhtmltopdf');\n...\n"
},
{
"pattern": "$WK($SINK,...)"
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.express-xml2json-xxe",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.npmjs.com/package/xml2json"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('xml2json');\n...\n"
},
{
"pattern-inside": "import 'xml2json';\n...\n"
}
]
},
{
"pattern": "$EXPAT.toJson($SINK,...)"
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
},
{
"pattern": "$REQ.files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
},
{
"pattern": "files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.require-request",
"languages": [
"js",
"ts"
],
"message": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it"
],
"source-rule-url": "https://nodesecroadmap.fyi/chapter-1/threat-UIR.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "require($SINK)"
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.x-frame-options-misconfiguration",
"languages": [
"js",
"ts"
],
"message": "By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-451: User Interface (UI) Misrepresentation of Critical Information"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.set($HEADER, ...)"
},
{
"pattern": "$RES.header($HEADER, ...)"
},
{
"pattern": "$RES.setHeader($HEADER, ...)"
},
{
"pattern": "$RES.set({$HEADER: ...}, ...)\n"
},
{
"pattern": "$RES.writeHead($STATUS, {$HEADER: ...}, ...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HEADER",
"regex": ".*(X-Frame-Options|x-frame-options).*"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-check-csurf-middleware-usage",
"languages": [
"js",
"ts"
],
"message": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.npmjs.com/package/csurf",
"https://www.npmjs.com/package/csrf",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"javascript",
"typescript",
"express"
]
},
"patterns": [
{
"pattern-inside": "$EXPRESS = require('express')\n...\n"
},
{
"pattern-not-inside": "import {$CSRF} from 'csurf'\n...\n"
},
{
"pattern-not-inside": "require('csurf')\n...\n"
},
{
"pattern-not-inside": "import {$CSRF} from 'csrf'\n...\n"
},
{
"pattern-not-inside": "require('csrf')\n...\n"
},
{
"pattern": "$APP = $EXPRESS()\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-check-directory-listing",
"languages": [
"js",
"ts"
],
"message": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-548: Exposure of Information Through Directory Listing"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.npmjs.com/package/serve-index",
"https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"options": {
"interfile": true
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$APP.use(require('serve-index')(...))\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SERVEINDEX = require('serve-index')\n...\n"
},
{
"pattern-inside": "import $SERVEINDEX from 'serve-index'\n...\n"
},
{
"pattern-inside": "import * as $SERVEINDEX from 'serve-index'\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $SERVEINDEX(...)\n...\n"
},
{
"pattern": "$VALUE(...)\n"
}
]
},
{
"pattern": "$APP.use(..., $SERVEINDEX(...), ...)\n"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-default-name",
"languages": [
"js",
"ts"
],
"message": "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {name:...} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {name:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.name = ...;\n...\n$SESSION($OPTS,...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-secure",
"languages": [
"js",
"ts"
],
"message": "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {cookie:{secure:true}} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {cookie:{secure:true}} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {secure:true} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {secure:true} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.secure = true;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.secure = true;\n...\n$SESSION($OPTS,...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-httponly",
"languages": [
"js",
"ts"
],
"message": "Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {cookie:{httpOnly:true}} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {cookie:{httpOnly:true}} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {httpOnly:true} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {httpOnly:true} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.httpOnly = true;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.httpOnly = true;\n...\n$SESSION($OPTS,...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-domain",
"languages": [
"js",
"ts"
],
"message": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {cookie:{domain:...}} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {cookie:{domain:...}} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {domain:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {domain:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.domain = ...;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.domain = ...;\n...\n$SESSION($OPTS,...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-path",
"languages": [
"js",
"ts"
],
"message": "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {cookie:{path:...}} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {cookie:{path:...}} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {path:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {path:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.path = ...;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.path = ...;\n...\n$SESSION($OPTS,...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-cookie-session-no-expires",
"languages": [
"js",
"ts"
],
"message": "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://expressjs.com/en/advanced/best-practice-security.html",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('cookie-session');\n...\n"
},
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
}
]
},
{
"pattern": "$SESSION(...)"
},
{
"pattern-not-inside": "$SESSION(<... {cookie:{expires:...}} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {cookie:{expires:...}} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE = <... {expires:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie = <... {expires:...} ...>;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$COOKIE.expires = ...;\n...\n$SESSION($OPTS,...);\n"
},
{
"pattern-not-inside": "$OPTS = ...;\n...\n$OPTS.cookie.expires = ...;\n...\n$SESSION($OPTS,...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-detect-notevil-usage",
"languages": [
"js",
"ts"
],
"message": "Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1104: Use of Unmaintained Third Party Components"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A06:2021 - Vulnerable and Outdated Components"
],
"references": [
"https://github.com/mmckegg/notevil"
],
"subcategory": [
"audit"
],
"technology": [
"javascript",
"typescript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $EVAL from 'notevil'\n...\n"
},
{
"pattern-inside": "import {$EVAL} from 'notevil'\n...\n"
},
{
"pattern-inside": "$EVAL = require('notevil')\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$EVAL(...)"
},
{
"pattern-not": "$EVAL('...')"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$VM.runInContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.runInNewContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.runInThisContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.compileFunction(\"$CMD\", ...)"
}
]
},
{
"metavariable-pattern": {
"language": "typescript",
"metavariable": "$CMD",
"patterns": [
{
"pattern": "$EVAL(...)"
},
{
"pattern-not": "$EVAL('...')"
}
]
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-jwt-not-revoked",
"languages": [
"js",
"ts"
],
"message": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md",
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-inside": "$JWT = require('express-jwt');\n...\n"
},
{
"pattern": "$JWT(...)"
},
{
"pattern-not-inside": "$JWT(<... {isRevoked:...} ...>,...)"
},
{
"pattern-not-inside": "$OPTS = <... {isRevoked:...} ...>;\n...\n$JWT($OPTS,...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-libxml-noent",
"languages": [
"js",
"ts"
],
"message": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$XML = require('$IMPORT')\n...\n"
},
{
"pattern-inside": "import $XML from '$IMPORT'\n ...\n"
},
{
"pattern-inside": "import * as $XML from '$IMPORT'\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$IMPORT",
"regex": "^(libxmljs|libxmljs2)$"
}
},
{
"pattern-inside": "$XML.$FUNC($QUERY, {...,noent:true,...})"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "^(parseXmlString|parseXml)$"
}
},
{
"focus-metavariable": "$QUERY"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
},
{
"pattern": "$REQ.files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
},
{
"pattern": "files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-libxml-vm-noent",
"languages": [
"js",
"ts"
],
"message": "Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$VM.runInContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.runInNewContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.runInThisContext(\"$CMD\", ...)"
},
{
"pattern": "$VM.compileFunction(\"$CMD\", ...)"
}
]
},
{
"metavariable-pattern": {
"language": "typescript",
"metavariable": "$CMD",
"pattern-either": [
{
"pattern": "$LIBXML.parseXml($DATA, {..., noent: true, ...}, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "$OPTS = {..., noent: true, ...}\n...\n"
},
{
"pattern": "$LIBXML.parseXml( $DATA, $OPTS )"
}
]
}
]
}
}
]
},
{
"pattern": "$LIBXML.parseXml($DATA, {..., noent: true, ...}, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "$OPTS = {..., noent: true, ...}\n...\n"
},
{
"pattern": "$LIBXML.parseXml( $DATA, $OPTS )"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-open-redirect",
"languages": [
"js",
"ts"
],
"message": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true,
"taint_unify_mvars": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.redirect(\"$HTTP\"+$REQ. ... .$VALUE)"
},
{
"pattern": "$RES.redirect(\"$HTTP\"+$REQ. ... .$VALUE + $...A)"
},
{
"pattern": "$RES.redirect(`$HTTP${$REQ. ... .$VALUE}...`)"
},
{
"pattern": "$RES.redirect(\"$HTTP\"+$REQ.$VALUE[...])"
},
{
"pattern": "$RES.redirect(\"$HTTP\"+$REQ.$VALUE[...] + $...A)"
},
{
"pattern": "$RES.redirect(`$HTTP${$REQ.$VALUE[...]}...`)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTTP",
"regex": "^https?:\\/\\/$"
}
},
{
"pattern-either": [
{
"pattern": "$REQ. ... .$VALUE"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.redirect($REQ. ... .$VALUE)"
},
{
"pattern": "$RES.redirect($REQ. ... .$VALUE + $...A)"
},
{
"pattern": "$RES.redirect(`${$REQ. ... .$VALUE}...`)"
}
]
},
{
"pattern": "$REQ. ... .$VALUE"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.redirect($REQ.$VALUE['...'])"
},
{
"pattern": "$RES.redirect($REQ.$VALUE['...'] + $...A)"
},
{
"pattern": "$RES.redirect(`${$REQ.$VALUE['...']}...`)"
}
]
},
{
"pattern": "$REQ.$VALUE"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ.$VALUE['...']\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE + $...A\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ.$VALUE['...'] + $...A\n... \n"
},
{
"pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE}...`\n...\n"
},
{
"pattern-inside": "$ASSIGN = `${$REQ.$VALUE['...']}...`\n... \n"
}
]
},
{
"pattern-either": [
{
"pattern": "$RES.redirect($ASSIGN)"
},
{
"pattern": "$RES.redirect($ASSIGN + $...FOO)"
},
{
"pattern": "$RES.redirect(`${$ASSIGN}...`)"
}
]
},
{
"focus-metavariable": "$ASSIGN"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-path-join-resolve-traversal",
"languages": [
"js",
"ts"
],
"message": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"vuln"
],
"technology": [
"express",
"node.js"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "$Y.replace(...)"
},
{
"pattern": "$Y.indexOf(...)"
},
{
"pattern": "function ... (...) {\n ...\n <... $Y.indexOf(...) ...>\n ...\n}\n"
},
{
"patterns": [
{
"pattern": "$FUNC(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "sanitize"
}
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-either": [
{
"pattern-inside": "$PATH = require('path');\n...\n"
},
{
"pattern-inside": "import $PATH from 'path';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PATH.join(...,$SINK,...)"
},
{
"pattern": "$PATH.resolve(...,$SINK,...)"
}
]
}
]
},
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-inside": "import 'path';\n...\n"
},
{
"pattern-either": [
{
"pattern": "path.join(...,$SINK,...)"
},
{
"pattern": "path.resolve(...,$SINK,...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-res-sendfile",
"languages": [
"js",
"ts"
],
"message": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-73: External Control of File Name or Path"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.$METH($QUERY,...)"
}
]
},
{
"pattern-not-inside": "$RES.$METH($QUERY,$OPTIONS)"
},
{
"metavariable-regex": {
"metavariable": "$METH",
"regex": "^(sendfile|sendFile)$"
}
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... (...,$REQ: $TYPE, ...) {...}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": "^(string|String)"
}
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-session-hardcoded-secret",
"languages": [
"js",
"ts"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express",
"secrets"
]
},
"options": {
"interfile": true
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SESSION = require('express-session');\n...\n"
},
{
"pattern-inside": "import $SESSION from 'express-session'\n...\n"
},
{
"pattern-inside": "import {..., $SESSION, ...} from 'express-session'\n...\n"
},
{
"pattern-inside": "import * as $SESSION from 'express-session'\n...\n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.use($SESSION({...}))"
},
{
"pattern": "$SECRET = $VALUE\n...\n$APP.use($SESSION($SECRET))\n"
}
]
},
{
"pattern": "secret: '$Y'\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-ssrf",
"languages": [
"js",
"ts"
],
"message": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. ",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"taint_unify_mvars": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$REQUEST = require('request')\n...\n"
},
{
"pattern-inside": "import * as $REQUEST from 'request'\n...\n"
},
{
"pattern-inside": "import $REQUEST from 'request'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ. ... .$VALUE)"
},
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ. ... .$VALUE + $...A)"
},
{
"pattern": "$REQUEST.$METHOD(`$HTTP${$REQ. ... .$VALUE}...`)"
},
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ.$VALUE[...])"
},
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$REQ.$VALUE[...] + $...A)"
},
{
"pattern": "$REQUEST.$METHOD(`$HTTP${$REQ.$VALUE[...]}...`)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|patch|del|head|delete)$"
}
},
{
"metavariable-regex": {
"metavariable": "$HTTP",
"regex": "^(https?:\\/\\/|//)$"
}
},
{
"pattern-either": [
{
"pattern": "$REQ. ... .$VALUE"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$REQUEST = require('request')\n...\n"
},
{
"pattern-inside": "import * as $REQUEST from 'request'\n...\n"
},
{
"pattern-inside": "import $REQUEST from 'request'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$REQUEST.$METHOD($REQ. ... .$VALUE,...)"
},
{
"pattern": "$REQUEST.$METHOD($REQ. ... .$VALUE + $...A,...)"
},
{
"pattern": "$REQUEST.$METHOD(`${$REQ. ... .$VALUE}...`,...)"
}
]
},
{
"pattern": "$REQ. ... .$VALUE"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|patch|del|head|delete)$"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$REQUEST = require('request')\n...\n"
},
{
"pattern-inside": "import * as $REQUEST from 'request'\n...\n"
},
{
"pattern-inside": "import $REQUEST from 'request'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$REQUEST.$METHOD($REQ.$VALUE['...'],...)"
},
{
"pattern": "$REQUEST.$METHOD($REQ.$VALUE['...'] + $...A,...)"
},
{
"pattern": "$REQUEST.$METHOD(`${$REQ.$VALUE['...']}...`,...)"
}
]
},
{
"pattern": "$REQ.$VALUE"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|patch|del|head|delete)$"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$REQUEST = require('request')\n...\n"
},
{
"pattern-inside": "import * as $REQUEST from 'request'\n...\n"
},
{
"pattern-inside": "import $REQUEST from 'request'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE['...']\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE + $...A\n...\n"
},
{
"pattern-inside": "$ASSIGN = $REQ. ... .$VALUE['...'] + $...A\n... \n"
},
{
"pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE}...`\n...\n"
},
{
"pattern-inside": "$ASSIGN = `${$REQ. ... .$VALUE['...']}...`\n... \n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$ASSIGN = \"$HTTP\"+ $REQ. ... .$VALUE\n...\n"
},
{
"pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ. ... .$VALUE + $...A\n...\n"
},
{
"pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ.$VALUE[...]\n...\n"
},
{
"pattern-inside": "$ASSIGN = \"$HTTP\"+$REQ.$VALUE[...] + $...A\n...\n"
},
{
"pattern-inside": "$ASSIGN = `$HTTP${$REQ.$VALUE[...]}...`\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTTP",
"regex": "^(https?:\\/\\/|//)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQUEST.$METHOD($ASSIGN,...)"
},
{
"pattern": "$REQUEST.$METHOD($ASSIGN + $...FOO,...)"
},
{
"pattern": "$REQUEST.$METHOD(`${$ASSIGN}...`,...)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$ASSIGN,...)"
},
{
"pattern": "$REQUEST.$METHOD(\"$HTTP\"+$ASSIGN + $...A,...)"
},
{
"pattern": "$REQUEST.$METHOD(`$HTTP${$ASSIGN}...`,...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTTP",
"regex": "^(https?:\\/\\/|//)$"
}
}
]
}
]
},
{
"pattern": "$ASSIGN"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|patch|del|head|delete)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, ...) {...}"
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,...) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: $EXPRESS.Request,...) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-third-party-object-deserialization",
"languages": [
"js",
"ts"
],
"message": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
],
"source_rule_url": [
"https://github.com/ajinabraham/njsscan/blob/75bfbeb9c8d72999e4d527dfa2548f7f0f3cc48a/njsscan/rules/semantic_grep/eval/eval_deserialize.yaml"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SER = require('$IMPORT')\n...\n"
},
{
"pattern-inside": "import $SER from '$IMPORT'\n ...\n"
},
{
"pattern-inside": "import * as $SER from '$IMPORT'\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$IMPORT",
"regex": "^(node-serialize|serialize-to-js)$"
}
},
{
"pattern": "$SER.$FUNC(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "^(unserialize|deserialize)$"
}
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
},
{
"pattern": "$REQ.files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
},
{
"pattern": "files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.express-xml2json-xxe-event",
"languages": [
"js",
"ts"
],
"message": "Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.npmjs.com/package/xml2json"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('xml2json');\n...\n"
},
{
"pattern-inside": "import 'xml2json';\n...\n"
}
]
},
{
"pattern": "$REQ.on('...', function(...) { ... $EXPAT.toJson($INPUT,...); ... })"
},
{
"focus-metavariable": "$INPUT"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.unknown-value-in-redirect",
"languages": [
"js",
"ts"
],
"message": "It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.",
"metadata": {
"asvs": {
"control_id": "5.5.1 Insecue Redirect",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$UNK = query.$B;\n...\n"
},
{
"pattern-inside": "$UNK = $A.query.$B;\n...\n"
},
{
"pattern-inside": "$UNK = req.$SOMETHING;\n...\n"
}
]
},
{
"pattern": "$RES.redirect(..., <... $UNK ...>, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.remote-property-injection",
"languages": [
"js",
"ts"
],
"message": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "var $X = ..."
},
{
"pattern-not": "var $X = $REQ.$ANY"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$OBJ[...] = ..."
},
{
"pattern-not-inside": "$OBJ[\"...\"] = ..."
},
{
"pattern-not-inside": "$OBJ[...] = \"...\""
},
{
"pattern": "$INDEX"
},
{
"pattern-not": "\"...\" + $INDEX\n"
},
{
"pattern-not": "$INDEX + \"...\"\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.express.security.audit.res-render-injection",
"languages": [
"js",
"ts"
],
"message": "User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"http://expressjs.com/en/4x/api.html#res.render"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$RES.render($SINK, ...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.direct-response-write",
"languages": [
"js",
"ts"
],
"message": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
],
"vulnerability_class": [
"Cross-Site-Scripting (XSS)"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$S = new Remarkable()\n...\n"
}
]
},
{
"pattern": "$S.render(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'express-xss-sanitizer';\n...\n"
},
{
"pattern-inside": "import * as $S from \"express-xss-sanitizer\";\n...\n"
},
{
"pattern-inside": "const { ..., $S, ... } = require('express-xss-sanitizer');\n...\n"
},
{
"pattern-inside": "var { ..., $S, ... } = require('express-xss-sanitizer');\n...\n"
},
{
"pattern-inside": "let { ...,$S,... } = require('express-xss-sanitizer');\n...\n"
},
{
"pattern-inside": "$S = require(\"express-xss-sanitizer\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern": "$RES. ... .type('$F'). ... .send(...)"
},
{
"metavariable-regex": {
"metavariable": "$F",
"regex": "(?!.*text/html)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$X = [...];\n...\n"
},
{
"pattern": "if(<... !$X.includes($SOURCE)...>) {\n ...\n return ...\n}\n...\n"
},
{
"pattern": "$SOURCE"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $RES,...) {...}"
},
{
"pattern-either": [
{
"pattern": "$RES.write($ARG)"
},
{
"pattern": "$RES.send($ARG)"
}
]
},
{
"pattern-not": "$RES. ... .set('...'). ... .send($ARG)"
},
{
"pattern-not": "$RES. ... .type('...'). ... .send($ARG)"
},
{
"pattern-not-inside": "$RES.$METHOD({ ... })"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)"
}
}
]
}
]
},
{
"pattern-not-inside": "function ... ($REQ, $RES) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n"
},
{
"pattern-not-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n})\n"
},
{
"pattern-not-inside": "function ... ($REQ, $RES, $NEXT) {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n"
},
{
"pattern-not-inside": "function ... ($REQ, $RES) {\n ...\n $RES.set('$TYPE')\n}\n"
},
{
"pattern-not-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {\n ...\n $RES.set('$TYPE')\n})\n"
},
{
"pattern-not-inside": "function ... ($REQ, $RES, $NEXT) {\n ...\n $RES.set('$TYPE')\n}\n"
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"pattern-not-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n"
},
{
"pattern-not-inside": "({ $REQ }: Request,$RES: Response) => {\n ...\n $RES.$SET('Content-Type', '$TYPE')\n}\n"
},
{
"pattern-not-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{\n ...\n $RES.set('$TYPE')\n}\n"
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "<%-(.*?)%>",
"replacement": "<%=\\1%>"
},
"id": "vendored-rules.javascript.express.security.audit.xss.ejs.template-explicit-unescape",
"languages": [
"regex"
],
"message": "Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.ejs",
"*.html"
]
},
"pattern-regex": "<%-((?!include).)*?%>",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.ejs.var-in-href",
"languages": [
"regex"
],
"message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link %>'. You may also consider setting the Content Security Policy (CSP) header.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI",
"https://github.com/pugjs/pug/issues/2952"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.ejs",
"*.html"
]
},
"pattern-regex": "<a.*href\\s*=[^>]*?[^\\/&=]<%.*?%>.*?>",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.ejs.var-in-script-src",
"languages": [
"generic"
],
"message": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.ejs",
"*.html"
]
},
"patterns": [
{
"pattern-inside": "<script ...>"
},
{
"pattern-either": [
{
"pattern-inside": "src = '...'"
},
{
"pattern-inside": "src = \"...\""
}
]
},
{
"pattern": "<% ... >"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.ejs.var-in-script-tag",
"languages": [
"generic"
],
"message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.ejs",
"*.html"
]
},
"patterns": [
{
"pattern-inside": "<script ...> ... </script>"
},
{
"pattern-not-inside": "<script ... $ATTR = \"...\" ...>"
},
{
"pattern-not-inside": "<script ... $ATTR = '...' ...>"
},
{
"pattern": "<% ... >"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.mustache.escape-function-overwrite",
"languages": [
"js",
"ts"
],
"message": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/janl/mustache.js/#variables"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"pattern-either": [
{
"pattern": "Mustache.escape = ..."
},
{
"patterns": [
{
"pattern-inside": "$MUSTACHE = require(\"mustache\");\n...\n"
},
{
"pattern": "$MUSTACHE.escape = ..."
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.mustache.template-explicit-unescape",
"languages": [
"regex"
],
"message": "Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/janl/mustache.js/#variables",
"https://ractive.js.org/v0.x/0.7/mustaches#variables"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.mustache",
"*.hbs",
"*.html"
]
},
"pattern-either": [
{
"pattern-regex": "{{{((?!include).)*?}}}"
},
{
"pattern-regex": "{{[\\\\s]*&.*}}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.mustache.var-in-script-tag",
"languages": [
"generic"
],
"message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.mustache",
"*.hbs",
"*.html"
]
},
"patterns": [
{
"pattern-inside": "<script ...> ... </script>"
},
{
"pattern": "{{ ... }}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.pug.template-and-attributes",
"languages": [
"regex"
],
"message": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://pugjs.org/language/attributes.html#attributes"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.pug"
]
},
"pattern-regex": ".*&attributes.*",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.pug.template-explicit-unescape",
"languages": [
"regex"
],
"message": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://pugjs.org/language/code.html#unescaped-buffered-code",
"https://pugjs.org/language/attributes.html#unescaped-attributes"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.pug"
]
},
"pattern-either": [
{
"pattern-regex": "\\w.*(!=)[^=].*"
},
{
"pattern-regex": "!{.*?}"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.pug.var-in-href",
"languages": [
"regex"
],
"message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href='/'+url). You may also consider setting the Content Security Policy (CSP) header.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/pugjs/pug/issues/2952",
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.pug"
]
},
"pattern-regex": "a\\(.*href=[^'\"].*\\)",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.audit.xss.pug.var-in-script-tag",
"languages": [
"regex"
],
"message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough",
"https://github.com/ESAPI/owasp-esapi-js"
],
"subcategory": [
"audit"
],
"technology": [
"express"
]
},
"paths": {
"include": [
"*.pug"
]
},
"pattern-either": [
{
"pattern-regex": "script\\s*=[A-Za-z0-9]+"
},
{
"pattern-regex": "script\\s*=.*[\"']\\s*\\+.*"
},
{
"pattern-regex": "script\\s*=[^'\"]+\\+.*"
},
{
"pattern-regex": "script\\(.*?\\)\\s*=\\s*[A-Za-z0-9]+"
},
{
"pattern-regex": "script\\(.*?\\)\\s*=\\s*.*[\"']\\s*\\+.*"
},
{
"pattern-regex": "script\\(.*?\\)\\s*=\\s*[^'\"]+\\+.*"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.injection.raw-html-format",
"languages": [
"js",
"ts"
],
"message": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" + $EXPR"
},
{
"pattern": "\"$HTMLSTR\".concat(...)"
},
{
"pattern": "util.format($HTMLSTR, ...)"
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
},
{
"patterns": [
{
"pattern": "`...`\n"
},
{
"pattern-regex": ".*<\\w+.*\n"
}
]
}
]
}
],
"requires": "(EXPRESS and not CLEAN) or (EXPRESSTS and not CLEAN)"
}
],
"pattern-sources": [
{
"label": "EXPRESS",
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"label": "EXPRESSTS",
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
},
{
"by-side-effect": true,
"label": "CLEAN",
"patterns": [
{
"pattern-either": [
{
"pattern": "$A($SOURCE)"
},
{
"pattern": "$SANITIZE. ... .$A($SOURCE)"
},
{
"pattern": "$A. ... .$SANITIZE($SOURCE)"
}
]
},
{
"focus-metavariable": "$SOURCE"
},
{
"metavariable-regex": {
"metavariable": "$A",
"regex": "(?i)(.*valid|.*sanitiz)"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.express.security.injection.tainted-sql-string",
"languages": [
"js",
"ts"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "\"$SQLSTR\" + $EXPR\n"
},
{
"pattern-inside": "\"$SQLSTR\".concat($EXPR)\n"
},
{
"pattern": "util.format($SQLSTR, $EXPR)"
},
{
"pattern": "`$SQLSTR${$EXPR}...`\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": ".*\\b(?i)(select|delete|insert|create|update\\s+.+\\sset|alter|drop)\\b.*"
}
}
]
}
]
},
{
"focus-metavariable": "$EXPR"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... (...,$REQ, ...) {...}"
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "(...,{ $REQ }: Request,...) => {...}\n"
},
{
"pattern-inside": "(...,{ $REQ }: $EXPRESS.Request,...) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.fbjs.security.audit.insecure-createnodesfrommarkup",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"fbjs"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "createNodesFromMarkup(...)"
},
{
"pattern": "$X.createNodesFromMarkup(...)"
}
]
},
{
"pattern-not": "createNodesFromMarkup(\"...\",...)"
},
{
"pattern-not": "$X.createNodesFromMarkup(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.grpc.security.grpc-nodejs-insecure-connection",
"languages": [
"js",
"ts"
],
"message": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security"
],
"subcategory": [
"audit"
],
"technology": [
"grpc"
]
},
"pattern-either": [
{
"pattern": "require('grpc');\n...\n$GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);\n"
},
{
"pattern": "require('grpc');\n...\nnew $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);\n"
},
{
"pattern": "require('grpc');\n...\n$CREDS = <... $CREDENTIALS.createInsecure() ...>;\n...\n$GRPC($ADDR,...,$CREDS,...);"
},
{
"pattern": "require('grpc');\n...\n$CREDS = <... $CREDENTIALS.createInsecure() ...>;\n...\nnew $GRPC($ADDR,...,$CREDS,...);"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash",
"languages": [
"js",
"ts"
],
"message": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-287: Improper Authentication"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"
],
"subcategory": [
"audit"
],
"technology": [
"intercom"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "window.intercomSettings = {..., email: $EMAIL, ...};\n"
},
{
"pattern": "window.intercomSettings = {..., user_id: $USER_ID, ...};\n"
},
{
"pattern": "Intercom('boot', {..., email: $EMAIL, ...});\n"
},
{
"pattern": "Intercom('boot', {..., user_id: $USER_ID, ...});\n"
},
{
"pattern": "$VAR = {..., email: $EMAIL, ...};\n...\nIntercom('boot', $VAR);\n"
},
{
"pattern": "$VAR = {..., user_id: $EMAIL, ...};\n...\nIntercom('boot', $VAR);\n"
}
]
},
{
"pattern-not": "window.intercomSettings = {..., user_hash: $USER_HASH, ...};\n"
},
{
"pattern-not": "Intercom('boot', {..., user_hash: $USER_HASH, ...});\n"
},
{
"pattern-not": "$VAR = {..., user_hash: $USER_HASH, ...};\n...\nIntercom('boot', $VAR);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jose.security.hardcoded-jwt-secret",
"languages": [
"js",
"ts"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"asvs": {
"control_id": "3.5.2 Static API keys or secret",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"interfile": true,
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"jose",
"jwt",
"secrets"
]
},
"options": {
"interfile": true,
"symbolic_propagation": true
},
"patterns": [
{
"pattern-inside": "$JOSE = require(\"jose\");\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "var {JWT} = $JOSE;\n...\n"
},
{
"pattern-inside": "var {JWK, JWT} = $JOSE;\n...\n"
},
{
"pattern-inside": "const {JWT} = $JOSE;\n...\n"
},
{
"pattern-inside": "const {JWK, JWT} = $JOSE;\n...\n"
},
{
"pattern-inside": "let {JWT} = $JOSE;\n...\n"
},
{
"pattern-inside": "let {JWK, JWT} = $JOSE;\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "JWT.verify($P, \"...\", ...);\n"
},
{
"pattern": "JWT.sign($P, \"...\", ...);\n"
},
{
"pattern": "JWT.verify($P, JWK.asKey(\"...\"), ...); \n"
},
{
"pattern": "$JWT.sign($P, JWK.asKey(\"...\"), ...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jose.security.jwt-none-alg",
"languages": [
"js",
"ts"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"vuln"
],
"technology": [
"jose",
"jwt"
]
},
"pattern-either": [
{
"pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\nvar $T = JWT.verify($P, JWK.None,...);\n"
},
{
"pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\n$T = JWT.verify($P, JWK.None,...);\n"
},
{
"pattern": "var $JOSE = require(\"jose\");\n...\nvar { JWK, JWT } = $JOSE;\n...\nJWT.verify($P, JWK.None,...);\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.jose.security.audit.jose-exposed-data",
"languages": [
"js",
"ts"
],
"message": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.",
"metadata": {
"asvs": {
"control_id": "3.5.2 Static API keys or secret",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jose",
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require('jose');\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "function (...,$INPUT,...) {...}"
},
{
"pattern-either": [
{
"pattern": "$JOSE.JWT.sign($INPUT,...)"
},
{
"pattern": "$JWT.sign($INPUT,...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "function $F(...,$INPUT,...) {...}"
},
{
"pattern-either": [
{
"pattern": "$JOSE.JWT.sign($INPUT,...)"
},
{
"pattern": "$JWT.sign($INPUT,...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jquery.security.audit.jquery-insecure-method",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/xss/",
"https://bugs.jquery.com/ticket/9521"
],
"subcategory": [
"audit"
],
"technology": [
"jquery"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$.$METHOD($VAR,...)"
},
{
"pattern": "$(...).$METHOD($VAR,...)"
},
{
"pattern": "jQuery.$METHOD($VAR,...)"
},
{
"pattern": "jQuery(...).$METHOD($VAR,...)"
}
]
},
{
"pattern-not": "$.$METHOD(\"...\",...)"
},
{
"pattern-not": "$(...).$METHOD(\"...\",...)"
},
{
"pattern-not": "jQuery.$METHOD(\"...\",...)"
},
{
"pattern-not": "jQuery(...).$METHOD(\"...\",...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(html|append|prepend|wrap|wrapInner|wrapAll|before|after|globalEval|getScript)$"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$(...).$METHOD($VAR,...)"
},
{
"pattern": "jQuery(...).$METHOD($VAR,...)"
}
]
},
{
"pattern-not": "$(\"...\",...).$METHOD(...)"
},
{
"pattern-not": "jQuery(\"...\",...).$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(appendTo|insertAfter|insertBefore|prependTo)$"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jquery.security.audit.jquery-insecure-selector",
"languages": [
"js",
"ts"
],
"message": "User controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/xss/",
"https://bugs.jquery.com/ticket/9521"
],
"subcategory": [
"audit"
],
"technology": [
"jquery"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$(<... window ...>)\n"
},
{
"pattern": "$(<... location ...>)\n"
},
{
"patterns": [
{
"pattern": "$X = <... window ...>;\n...\n$(<... $X ...>);\n"
},
{
"focus-metavariable": "$X"
}
]
},
{
"patterns": [
{
"pattern": "$X = <... location ...>;\n...\n$(<... $X ...>);\n"
},
{
"focus-metavariable": "$X"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function $FUNC(..., $Y, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function (..., $Y, ...) {\n ...\n}\n"
},
{
"pattern-inside": "function $FUNC(...,$Z,...) {\n ...\n $Y = <... $Z ...>;\n ...\n}\n"
},
{
"pattern-inside": "function (...,$Z,...) {\n ...\n $Y = <... $Z ...>;\n ...\n}\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$(<... $Y ...>)\n"
},
{
"pattern": "$(\"...\" + (<... $Y ...>))\n"
},
{
"pattern": "$((<... $Y ...>) + \"...\")\n"
}
]
},
{
"pattern-not-inside": "$JQUERY.each(function($INDEX, $Y) {\n ...\n})\n"
},
{
"focus-metavariable": "$Y"
}
]
}
]
},
{
"pattern-not": "$(window)\n"
},
{
"pattern-not": "$(document)\n"
},
{
"pattern-not": "$(this)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jquery.security.audit.prohibit-jquery-html",
"languages": [
"js",
"ts"
],
"message": "JQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"help": "## Remediation\nAvoid using JQuery's html() function. If the string is plain text, use the text() function instead.\nOtherwise, use a function that escapes html such as edx's HtmlUtils.setHtml().\n",
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"precision": "high",
"references": [
"https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#javascript-concat-html",
"https://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks",
"https://api.jquery.com/text/#text-text"
],
"shortDesription": "Use of JQuery's unsafe html() function.",
"subcategory": [
"audit"
],
"tags": [
"security"
],
"technology": [
"jquery"
]
},
"patterns": [
{
"pattern": "$X.html(...)\n"
},
{
"pattern-not": "$X.html(\"...\",...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jsonwebtoken.security.hardcoded-jwt-secret",
"languages": [
"js",
"ts"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"asvs": {
"control_id": "3.5.2 Static API keys or secret",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"jwt",
"javascript",
"secrets"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$JWT = require(\"jsonwebtoken\")\n...\n"
},
{
"pattern-inside": "import $JWT from \"jsonwebtoken\"\n...\n"
},
{
"pattern-inside": "import * as $JWT from \"jsonwebtoken\"\n...\n"
},
{
"pattern-inside": "import {...,$JWT,...} from \"jsonwebtoken\"\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$JWT.sign($DATA,$VALUE,...);\n"
},
{
"pattern-inside": "$JWT.verify($DATA,$VALUE,...);\n"
}
]
},
{
"focus-metavariable": "$VALUE"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$X = '...' \n"
},
{
"pattern": "$X = '$Y' \n"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$JWT.sign($DATA,\"...\",...);\n"
},
{
"pattern-inside": "$JWT.verify($DATA,\"...\",...);\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jsonwebtoken.security.jwt-none-alg",
"languages": [
"js",
"ts"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"vuln"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "$JWT = require(\"jsonwebtoken\");\n...\n"
},
{
"pattern": "$JWT.verify($P, $X, {algorithms:[...,'none',...]},...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.jsonwebtoken.security.audit.jwt-decode-without-verify",
"languages": [
"js",
"ts"
],
"message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "$JWT = require('jsonwebtoken');\n...\n"
},
{
"pattern-not-inside": "...\n$JWT.verify($TOKEN, ...)\n...\n"
},
{
"pattern-not-inside": "...\nif (<... $JWT.verify($TOKEN, ...) ...>) { ... }\n...\n"
},
{
"pattern": "$JWT.decode($TOKEN, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jsonwebtoken.security.audit.jwt-exposed-data",
"languages": [
"js",
"ts"
],
"message": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.",
"metadata": {
"asvs": {
"control_id": "3.5.3 Insecue Stateless Session Tokens",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "$JWT = require('jsonwebtoken');\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "function (...,$INPUT,...) {...}"
},
{
"pattern-inside": "function $F(...,$INPUT,...) {...}"
}
]
},
{
"pattern": "$JWT.sign($INPUT,...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.jwt-simple.security.jwt-simple-noverify",
"languages": [
"js",
"ts"
],
"message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-287: Improper Authentication",
"CWE-345: Insufficient Verification of Data Authenticity",
"CWE-347: Improper Verification of Cryptographic Signature"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A05:2021 - Security Misconfiguration",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://www.npmjs.com/package/jwt-simple",
"https://cwe.mitre.org/data/definitions/287",
"https://cwe.mitre.org/data/definitions/345",
"https://cwe.mitre.org/data/definitions/347"
],
"subcategory": [
"vuln"
],
"technology": [
"jwt-simple",
"jwt"
]
},
"patterns": [
{
"pattern-inside": "$JWT = require('jwt-simple');\n...\n"
},
{
"pattern": "$JWT.decode($TOKEN, $SECRET, $NOVERIFY, ...)"
},
{
"metavariable-pattern": {
"metavariable": "$NOVERIFY",
"patterns": [
{
"pattern-either": [
{
"pattern": "true\n"
},
{
"pattern": "\"...\"\n"
}
]
}
]
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.detect-buffer-noassert",
"languages": [
"js",
"ts"
],
"message": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/119.html"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js",
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern": "$OBJ.$API(..., true)"
},
{
"metavariable-regex": {
"metavariable": "$API",
"regex": "(read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.detect-child-process",
"languages": [
"js",
"ts"
],
"message": "Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js",
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CP = require('child_process')\n...\n"
},
{
"pattern-inside": "import * as $CP from 'child_process'\n...\n"
},
{
"pattern-inside": "import $CP from 'child_process'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$CP.exec($CMD,...)"
},
{
"pattern": "$CP.execSync($CMD,...)"
},
{
"pattern": "$CP.spawn($CMD,...)"
},
{
"pattern": "$CP.spawnSync($CMD,...)"
}
]
},
{
"pattern-not-inside": "$CP.$EXEC(\"...\",...)"
},
{
"pattern-not-inside": "$CP.$EXEC([\"...\",...],...)"
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-not-inside": "$CMD = [\"...\",...]\n...\n"
},
{
"focus-metavariable": "$CMD"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "child_process.exec($CMD,...)"
},
{
"pattern": "child_process.execSync($CMD,...)"
},
{
"pattern": "child_process.spawn($CMD,...)"
},
{
"pattern": "child_process.spawnSync($CMD,...)"
}
]
},
{
"pattern-not-inside": "child_process.$EXEC(\"...\",...)"
},
{
"pattern-not-inside": "child_process.$EXEC([\"...\",...],...)"
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-not-inside": "$CMD = [\"...\",...]\n...\n"
},
{
"focus-metavariable": "$CMD"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n"
},
{
"focus-metavariable": "$FUNC"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.detect-disable-mustache-escape",
"languages": [
"js",
"ts"
],
"message": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js",
"subcategory": [
"audit"
],
"technology": [
"mustache"
]
},
"pattern": "$OBJ.escapeMarkup = false",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.detect-eval-with-expression",
"languages": [
"js",
"ts"
],
"message": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js",
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "location.href = $FUNC(...)"
},
{
"pattern": "location.hash = $FUNC(...)"
},
{
"pattern": "location.search = $FUNC(...)"
},
{
"pattern": "$WINDOW. ... .location.href = $FUNC(...)"
},
{
"pattern": "$WINDOW. ... .location.hash = $FUNC(...)"
},
{
"pattern": "$WINDOW. ... .location.search = $FUNC(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "eval(<... $SINK ...>)"
},
{
"pattern": "window.eval(<... $SINK ...>)"
},
{
"pattern": "new Function(<... $SINK ...>)"
},
{
"pattern": "new Function(<... $SINK ...>)(...)"
},
{
"pattern": "setTimeout(<... $SINK ...>,...)"
},
{
"pattern": "setInterval(<... $SINK ...>,...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')\n ...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams(location.search).get('...')\n ...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')\n ...\n"
},
{
"pattern-inside": "$PROP = new URLSearchParams(location.hash.substring(1)).get('...')\n ...\n"
}
]
},
{
"focus-metavariable": "$PROP"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$PROPS = new URLSearchParams($WINDOW. ... .location.search)\n ...\n"
},
{
"pattern-inside": "$PROPS = new URLSearchParams(location.search)\n ...\n"
},
{
"pattern-inside": "$PROPS = new\nURLSearchParams($WINDOW. ... .location.hash.substring(1))\n ...\n"
},
{
"pattern-inside": "$PROPS = new URLSearchParams(location.hash.substring(1))\n...\n"
}
]
},
{
"pattern": "$PROPS.get('...')"
},
{
"focus-metavariable": "$PROPS"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "location.href"
},
{
"pattern": "location.hash"
},
{
"pattern": "location.search"
},
{
"pattern": "$WINDOW. ... .location.href"
},
{
"pattern": "$WINDOW. ... .location.hash"
},
{
"pattern": "$WINDOW. ... .location.search"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.detect-insecure-websocket",
"languages": [
"regex"
],
"message": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.",
"metadata": {
"asvs": {
"control_id": "13.5.1 Insecure WebSocket",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements",
"section": "V13: API and Web Service Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"regex"
]
},
"patterns": [
{
"pattern-regex": "\\bws:\\/\\/"
},
{
"pattern-not-inside": "\\bws:\\/\\/localhost.*"
},
{
"pattern-not-inside": "\\bws:\\/\\/127.0.0.1.*"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.detect-no-csrf-before-method-override",
"languages": [
"js",
"ts"
],
"message": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control",
"A05:2017 - Broken Access Control"
],
"references": [
"https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js",
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"pattern": "express.csrf();\n...\nexpress.methodOverride();\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.detect-pseudoRandomBytes",
"languages": [
"js",
"ts"
],
"message": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.",
"metadata": {
"asvs": {
"control_id": "6.3.1 Insecure Randomness",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values",
"section": "V6: Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js",
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"pattern": "crypto.pseudoRandomBytes",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.html-in-template-string",
"languages": [
"js",
"ts"
],
"message": "This template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "`$HTML${$VAR}...`\n"
},
{
"pattern": "`...${$VAR}$HTML`\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTML",
"regex": ".*</?[a-zA-Z]"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.insecure-object-assign",
"languages": [
"js",
"ts"
],
"message": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html",
"https://en.wikipedia.org/wiki/Mass_assignment_vulnerability"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "Object.assign(...)"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "JSON.parse(...)"
},
{
"pattern-not": "JSON.parse(\"...\",...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.spawn-git-clone",
"languages": [
"js",
"ts"
],
"message": "Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"git"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "spawn('git', ['clone',...,$F])"
},
{
"pattern": "$X.spawn('git', ['clone',...,$F])"
},
{
"pattern": "spawn('git', ['clone',...,$P,$F])"
},
{
"pattern": "$X.spawn('git', ['clone',...,$P,$F])"
}
]
},
{
"pattern-not": "spawn('git', ['clone',...,\"...\"])"
},
{
"pattern-not": "$X.spawn('git', ['clone',...,\"...\"])"
},
{
"pattern-not": "spawn('git', ['clone',...,\"...\",\"...\"])"
},
{
"pattern-not": "$X.spawn('git', ['clone',...,\"...\",\"...\"])"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.audit.code-string-concat",
"languages": [
"js",
"ts"
],
"message": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"interfile": true,
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval",
"https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback",
"https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/",
"https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js",
"Express",
"Next.js"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "eval(...)\n"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import { ...,$IMPORT,... } from 'next/router'\n...\n"
},
{
"pattern-inside": "import $IMPORT from 'next/router';\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$ROUTER = $IMPORT()\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "const { ...,$PROPS,... } = $ROUTER.query\n...\n"
},
{
"pattern-inside": "var { ...,$PROPS,... } = $ROUTER.query\n...\n"
},
{
"pattern-inside": "let { ...,$PROPS,... } = $ROUTER.query\n...\n"
}
]
},
{
"focus-metavariable": "$PROPS"
}
]
},
{
"patterns": [
{
"pattern-inside": "$ROUTER = $IMPORT()\n...\n"
},
{
"pattern": "$ROUTER.query.$VALUE \n"
}
]
},
{
"patterns": [
{
"pattern": "$IMPORT().query.$VALUE"
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.audit.dangerous-spawn-shell",
"languages": [
"js",
"ts"
],
"message": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js",
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('child_process')\n...\n"
},
{
"pattern-inside": "import 'child_process'\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "spawn(...)"
},
{
"pattern": "spawnSync(...)"
},
{
"pattern": "$CP.spawn(...)"
},
{
"pattern": "$CP.spawnSync(...)"
}
]
},
{
"pattern-either": [
{
"pattern": "$EXEC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",[\"-c\", $ARG, ...],...)\n"
},
{
"patterns": [
{
"pattern": "$EXEC($CMD,[\"-c\", $ARG, ...],...)"
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\"\n...\n"
}
]
},
{
"pattern": "$EXEC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",[$ARG, ...],...)\n"
},
{
"patterns": [
{
"pattern": "$EXEC($CMD,[$ARG, ...],...)"
},
{
"pattern-inside": "$CMD = \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\"\n...\n"
}
]
}
]
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n"
},
{
"focus-metavariable": "$FUNC"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-fs-filename",
"languages": [
"js",
"ts"
],
"message": "Detected that function argument `$ARG` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-fs-filename.js",
"subcategory": [
"vuln"
],
"technology": [
"typescript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$FS = require('fs')\n...\n"
},
{
"pattern-inside": "$FS = require('fs/promises')\n...\n"
},
{
"pattern-inside": "import * as $FS from 'fs'\n...\n"
},
{
"pattern-inside": "import $FS from 'fs'\n...\n"
},
{
"pattern-inside": "import * as $FS from 'fs/promises'\n...\n"
},
{
"pattern-inside": "import $FS from 'fs/promises'\n...\n"
}
]
},
{
"pattern-not": "$FS. ... .$METHOD(\"...\", ...)"
},
{
"pattern-either": [
{
"pattern": "$FS. ... .access($FILE,...)"
},
{
"pattern": "$FS. ... .appendFile($FILE,...)"
},
{
"pattern": "$FS. ... .chmod($FILE,...)"
},
{
"pattern": "$FS. ... .chown($FILE,...)"
},
{
"pattern": "$FS. ... .close($FILE,...)"
},
{
"pattern": "$FS. ... .copyFile($FILE,...)"
},
{
"pattern": "$FS. ... .copyFile($SMTH, $FILE,...)"
},
{
"pattern": "$FS. ... .cp($FILE, ...)"
},
{
"pattern": "$FS. ... .cp($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .createReadStream($FILE,...)"
},
{
"pattern": "$FS. ... .createWriteStream($FILE,...)"
},
{
"pattern": "$FS. ... .exists($FILE, ...)"
},
{
"pattern": "$FS. ... .fchmod($FILE, ...)"
},
{
"pattern": "$FS. ... .fchown($FILE, ...)"
},
{
"pattern": "$FS. ... .fdatasync($FILE, ...)"
},
{
"pattern": "$FS. ... .fstat($FILE, ...)"
},
{
"pattern": "$FS. ... .fsync($FILE, ...)"
},
{
"pattern": "$FS. ... .ftruncate($FILE, ...)"
},
{
"pattern": "$FS. ... .futimes($FILE, ...)"
},
{
"pattern": "$FS. ... .lchmod($FILE, ...)"
},
{
"pattern": "$FS. ... .lchown($FILE, ...)"
},
{
"pattern": "$FS. ... .lutimes($FILE, ...)"
},
{
"pattern": "$FS. ... .link($FILE, ...)"
},
{
"pattern": "$FS. ... .link($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .lstat($FILE, ...)"
},
{
"pattern": "$FS. ... .mkdir($FILE, ...)"
},
{
"pattern": "$FS. ... .mkdtemp($FILE, ...)"
},
{
"pattern": "$FS. ... .open($FILE, ...)"
},
{
"pattern": "$FS. ... .opendir($FILE, ...)"
},
{
"pattern": "$FS. ... .read($FILE, ...)"
},
{
"pattern": "$FS. ... .read($FILE, ...)"
},
{
"pattern": "$FS. ... .readdir($FILE, ...)"
},
{
"pattern": "$FS. ... .readFile($FILE, ...)"
},
{
"pattern": "$FS. ... .readlink($FILE, ...)"
},
{
"pattern": "$FS. ... .readv($FILE, ...)"
},
{
"pattern": "$FS. ... .realpath($FILE, ...)"
},
{
"pattern": "$FS. ... .realpath.native($FILE, ...)"
},
{
"pattern": "$FS. ... .rename($FILE, ...)"
},
{
"pattern": "$FS. ... .rename($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .rmdir($FILE, ...)"
},
{
"pattern": "$FS. ... .rm($FILE, ...)"
},
{
"pattern": "$FS. ... .stat($FILE, ...)"
},
{
"pattern": "$FS. ... .symlink($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .symlink($FILE, ...)"
},
{
"pattern": "$FS. ... .truncate($FILE, ...)"
},
{
"pattern": "$FS. ... .unlink($FILE, ...)"
},
{
"pattern": "$FS. ... .unwatchFile($FILE, ...)"
},
{
"pattern": "$FS. ... .utimes($FILE, ...)"
},
{
"pattern": "$FS. ... .watch($FILE, ...)"
},
{
"pattern": "$FS. ... .watchFile($FILE, ...)"
},
{
"pattern": "$FS. ... .write($FILE, ...)"
},
{
"pattern": "$FS. ... .writeFile($FILE, ...)"
},
{
"pattern": "$FS. ... .writev($FILE, ...)"
},
{
"pattern": "$FS. ... .accessSync($FILE, ...)"
},
{
"pattern": "$FS. ... .appendFileSync($FILE, ...)"
},
{
"pattern": "$FS. ... .chmodSync($FILE, ...)"
},
{
"pattern": "$FS. ... .chownSync($FILE, ...)"
},
{
"pattern": "$FS. ... .closeSync($FILE, ...)"
},
{
"pattern": "$FS. ... .copyFileSync($FILE, ...)"
},
{
"pattern": "$FS. ... .copyFileSync($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .cpSync($FILE, ...)"
},
{
"pattern": "$FS. ... .cpSync($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .existsSync($FILE, ...)"
},
{
"pattern": "$FS. ... .fchmodSync($FILE, ...)"
},
{
"pattern": "$FS. ... .fchownSync($FILE, ...)"
},
{
"pattern": "$FS. ... .fdatasyncSync($FILE, ...)"
},
{
"pattern": "$FS. ... .fstatSync($FILE, ...)"
},
{
"pattern": "$FS. ... .fsyncSync($FILE, ...)"
},
{
"pattern": "$FS. ... .ftruncateSync($FILE, ...)"
},
{
"pattern": "$FS. ... .futimesSync($FILE, ...)"
},
{
"pattern": "$FS. ... .lchmodSync($FILE, ...)"
},
{
"pattern": "$FS. ... .lchownSync($FILE, ...)"
},
{
"pattern": "$FS. ... .lutimesSync($FILE, ...)"
},
{
"pattern": "$FS. ... .linkSync($FILE, ...)"
},
{
"pattern": "$FS. ... .linkSync($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .lstatSync($FILE, ...)"
},
{
"pattern": "$FS. ... .mkdirSync($FILE, ...)"
},
{
"pattern": "$FS. ... .mkdtempSync($FILE, ...)"
},
{
"pattern": "$FS. ... .opendirSync($FILE, ...)"
},
{
"pattern": "$FS. ... .openSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readdirSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readFileSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readlinkSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readSync($FILE, ...)"
},
{
"pattern": "$FS. ... .readvSync($FILE, ...)"
},
{
"pattern": "$FS. ... .realpathync($FILE, ...)"
},
{
"pattern": "$FS. ... .realpathSync.native($FILE, ...)"
},
{
"pattern": "$FS. ... .renameSync($FILE, ...)"
},
{
"pattern": "$FS. ... .renameSync($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .rmdirSync($FILE, ...)"
},
{
"pattern": "$FS. ... .rmSync($FILE, ...)"
},
{
"pattern": "$FS. ... .statSync($FILE, ...)"
},
{
"pattern": "$FS. ... .symlinkSync($FILE, ...)"
},
{
"pattern": "$FS. ... .symlinkSync($SMTH, $FILE, ...)"
},
{
"pattern": "$FS. ... .truncateSync($FILE, ...)"
},
{
"pattern": "$FS. ... .unlinkSync($FILE, ...)"
},
{
"pattern": "$FS. ... .utimesSync($FILE, ...)"
},
{
"pattern": "$FS. ... .writeFileSync($FILE, ...)"
},
{
"pattern": "$FS. ... .writeSync($FILE, ...)"
},
{
"pattern": "$FS. ... .writevSync($FILE, ...)"
}
]
},
{
"focus-metavariable": "$FILE"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import 'fs'\n...\n"
},
{
"pattern-inside": "import 'fs/promises'\n...\n"
}
]
},
{
"pattern-not": "$METHOD(\"...\", ...)"
},
{
"pattern-either": [
{
"pattern": "access($FILE,...)"
},
{
"pattern": "appendFile($FILE,...)"
},
{
"pattern": "chmod($FILE,...)"
},
{
"pattern": "chown($FILE,...)"
},
{
"pattern": "close($FILE,...)"
},
{
"pattern": "copyFile($FILE,...)"
},
{
"pattern": "copyFile($SMTH, $FILE,...)"
},
{
"pattern": "cp($FILE, ...)"
},
{
"pattern": "cp($SMTH, $FILE, ...)"
},
{
"pattern": "createReadStream($FILE,...)"
},
{
"pattern": "createWriteStream($FILE,...)"
},
{
"pattern": "exists($FILE, ...)"
},
{
"pattern": "fchmod($FILE, ...)"
},
{
"pattern": "fchown($FILE, ...)"
},
{
"pattern": "fdatasync($FILE, ...)"
},
{
"pattern": "fstat($FILE, ...)"
},
{
"pattern": "fsync($FILE, ...)"
},
{
"pattern": "ftruncate($FILE, ...)"
},
{
"pattern": "futimes($FILE, ...)"
},
{
"pattern": "lchmod($FILE, ...)"
},
{
"pattern": "lchown($FILE, ...)"
},
{
"pattern": "lutimes($FILE, ...)"
},
{
"pattern": "link($FILE, ...)"
},
{
"pattern": "link($SMTH, $FILE, ...)"
},
{
"pattern": "lstat($FILE, ...)"
},
{
"pattern": "mkdir($FILE, ...)"
},
{
"pattern": "mkdtemp($FILE, ...)"
},
{
"pattern": "open($FILE, ...)"
},
{
"pattern": "opendir($FILE, ...)"
},
{
"pattern": "read($FILE, ...)"
},
{
"pattern": "read($FILE, ...)"
},
{
"pattern": "readdir($FILE, ...)"
},
{
"pattern": "readFile($FILE, ...)"
},
{
"pattern": "readlink($FILE, ...)"
},
{
"pattern": "readv($FILE, ...)"
},
{
"pattern": "realpath($FILE, ...)"
},
{
"pattern": "realpath.native($FILE, ...)"
},
{
"pattern": "rename($FILE, ...)"
},
{
"pattern": "rename($SMTH, $FILE, ...)"
},
{
"pattern": "rmdir($FILE, ...)"
},
{
"pattern": "rm($FILE, ...)"
},
{
"pattern": "stat($FILE, ...)"
},
{
"pattern": "symlink($SMTH, $FILE, ...)"
},
{
"pattern": "symlink($FILE, ...)"
},
{
"pattern": "truncate($FILE, ...)"
},
{
"pattern": "unlink($FILE, ...)"
},
{
"pattern": "unwatchFile($FILE, ...)"
},
{
"pattern": "utimes($FILE, ...)"
},
{
"pattern": "watch($FILE, ...)"
},
{
"pattern": "watchFile($FILE, ...)"
},
{
"pattern": "write($FILE, ...)"
},
{
"pattern": "writeFile($FILE, ...)"
},
{
"pattern": "writev($FILE, ...)"
},
{
"pattern": "accessSync($FILE, ...)"
},
{
"pattern": "appendFileSync($FILE, ...)"
},
{
"pattern": "chmodSync($FILE, ...)"
},
{
"pattern": "chownSync($FILE, ...)"
},
{
"pattern": "closeSync($FILE, ...)"
},
{
"pattern": "copyFileSync($FILE, ...)"
},
{
"pattern": "copyFileSync($SMTH, $FILE, ...)"
},
{
"pattern": "cpSync($FILE, ...)"
},
{
"pattern": "cpSync($SMTH, $FILE, ...)"
},
{
"pattern": "existsSync($FILE, ...)"
},
{
"pattern": "fchmodSync($FILE, ...)"
},
{
"pattern": "fchownSync($FILE, ...)"
},
{
"pattern": "fdatasyncSync($FILE, ...)"
},
{
"pattern": "fstatSync($FILE, ...)"
},
{
"pattern": "fsyncSync($FILE, ...)"
},
{
"pattern": "ftruncateSync($FILE, ...)"
},
{
"pattern": "futimesSync($FILE, ...)"
},
{
"pattern": "lchmodSync($FILE, ...)"
},
{
"pattern": "lchownSync($FILE, ...)"
},
{
"pattern": "lutimesSync($FILE, ...)"
},
{
"pattern": "linkSync($FILE, ...)"
},
{
"pattern": "linkSync($SMTH, $FILE, ...)"
},
{
"pattern": "lstatSync($FILE, ...)"
},
{
"pattern": "mkdirSync($FILE, ...)"
},
{
"pattern": "mkdtempSync($FILE, ...)"
},
{
"pattern": "opendirSync($FILE, ...)"
},
{
"pattern": "openSync($FILE, ...)"
},
{
"pattern": "readdirSync($FILE, ...)"
},
{
"pattern": "readFileSync($FILE, ...)"
},
{
"pattern": "readlinkSync($FILE, ...)"
},
{
"pattern": "readSync($FILE, ...)"
},
{
"pattern": "readSync($FILE, ...)"
},
{
"pattern": "readvSync($FILE, ...)"
},
{
"pattern": "realpathync($FILE, ...)"
},
{
"pattern": "realpathSync.native($FILE, ...)"
},
{
"pattern": "renameSync($FILE, ...)"
},
{
"pattern": "renameSync($SMTH, $FILE, ...)"
},
{
"pattern": "rmdirSync($FILE, ...)"
},
{
"pattern": "rmSync($FILE, ...)"
},
{
"pattern": "statSync($FILE, ...)"
},
{
"pattern": "symlinkSync($FILE, ...)"
},
{
"pattern": "symlinkSync($SMTH, $FILE, ...)"
},
{
"pattern": "truncateSync($FILE, ...)"
},
{
"pattern": "unlinkSync($FILE, ...)"
},
{
"pattern": "utimesSync($FILE, ...)"
},
{
"pattern": "writeFileSync($FILE, ...)"
},
{
"pattern": "writeSync($FILE, ...)"
},
{
"pattern": "writevSync($FILE, ...)"
}
]
},
{
"focus-metavariable": "$FILE"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $ARG,...) {...}"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-regexp",
"languages": [
"js",
"ts"
],
"message": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new RegExp($ARG, ...)"
},
{
"pattern": "RegExp($ARG, ...)"
}
]
},
{
"pattern-not": "RegExp(\"...\", ...)"
},
{
"pattern-not": "new RegExp(\"...\", ...)"
},
{
"pattern-not": "RegExp(/.../, ...)"
},
{
"pattern-not": "new RegExp(/.../, ...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (...,$ARG,...) {...}\n"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.detect-non-literal-require",
"languages": [
"js",
"ts"
],
"message": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js",
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "require(...)"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $ARG,...) {...}"
},
{
"focus-metavariable": "$ARG"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.detect-redos",
"languages": [
"js",
"ts"
],
"message": "Detected the use of a regular expression `$REDOS` which appears to be vulnerable to a Regular expression Denial-of-Service (ReDoS). For this reason, it is recommended to review the regex and ensure it is not vulnerable to catastrophic backtracking, and if possible use a library which offers default safety against ReDoS vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS",
"https://www.regular-expressions.info/redos.html"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "new RegExp(/$REDOS/,...)\n"
},
{
"pattern": "new RegExp(\"$REDOS\",...)\n"
},
{
"pattern": "/$REDOS/.test(...)\n"
},
{
"pattern": "\"$REDOS\".test(...)\n"
},
{
"pattern": "$X.match(/$REDOS/)\n"
},
{
"pattern": "$X.match(\"$REDOS\")\n"
}
]
},
{
"metavariable-analysis": {
"analyzer": "redos",
"metavariable": "$REDOS"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.hardcoded-hmac-key",
"languages": [
"js",
"ts"
],
"message": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"interfile": true,
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://rules.sonarsource.com/javascript/RSPEC-2068",
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management"
],
"subcategory": [
"audit"
],
"technology": [
"crypto",
"hmac"
]
},
"options": {
"interfile": true
},
"pattern-either": [
{
"pattern": "$CRYPTO.createHmac($ALGO, '...')"
},
{
"patterns": [
{
"pattern-inside": "const $SECRET = '...'\n...\n"
},
{
"pattern": "$CRYPTO.createHmac($ALGO, $SECRET)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.incomplete-sanitization",
"languages": [
"js",
"ts"
],
"message": "`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern": "$STR.replace(($CHAR: string), ...)\n"
},
{
"metavariable-regex": {
"metavariable": "$CHAR",
"regex": "^[\\\"\\']([\\'\\\"\\<\\>\\*\\|\\{\\}\\[\\]\\%\\$]{1}|\\\\n|\\\\r|\\\\t|\\\\&)[\\\"\\']$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.md5-used-as-password",
"languages": [
"js",
"ts"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html",
"https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords",
"https://github.com/returntocorp/semgrep-rules/issues/1609",
"https://www.npmjs.com/package/bcrypt"
],
"subcategory": [
"vuln"
],
"technology": [
"crypto",
"md5"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FUNCTION(...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"pattern": "$CRYPTO.createHash(\"md5\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.spawn-shell-true",
"languages": [
"js",
"ts"
],
"message": "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "spawn(...,{shell: $SHELL})\n"
},
{
"pattern": "spawnSync(...,{shell: $SHELL})\n"
},
{
"pattern": "$CP.spawn(...,{shell: $SHELL})\n"
},
{
"pattern": "$CP.spawnSync(...,{shell: $SHELL})\n"
}
]
},
{
"pattern-not": "spawn(...,{shell: false})\n"
},
{
"pattern-not": "spawnSync(...,{shell: false})\n"
},
{
"pattern-not": "$CP.spawn(...,{shell: false})\n"
},
{
"pattern-not": "$CP.spawnSync(...,{shell: false})\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.lang.security.audit.unknown-value-with-script-tag",
"languages": [
"js",
"ts"
],
"message": "Cannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.developsec.com/2017/11/09/xss-in-a-script-tag/",
"https://github.com/juice-shop/juice-shop/blob/1ceb8751e986dacd3214a618c37e7411be6bc11a/routes/videoHandler.ts#L68"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern-inside": "$UNK = $ANYFUNC(...);\n...\n$OTHERFUNC(..., <... $UNK ...>, ...);\n"
},
{
"pattern": "$OTHERFUNC(..., <... \"=~/.*<script.*/\" ...>, ...)"
},
{
"pattern": "$UNK"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.unsafe-dynamic-method",
"languages": [
"js",
"ts"
],
"message": "Using non-static data to retrieve and run functions from the object is dangerous. If the data is user-controlled, it may allow executing arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$OBJ[$X](...)"
},
{
"pattern": "$Y = $OBJ[$X]\n...\n$Y(...)\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-not": "\"...\"\n"
},
{
"pattern-not": "($X: float)\n"
}
]
}
},
{
"pattern-not-inside": "for (...) {...}\n"
},
{
"pattern-not-inside": "$SMTH.forEach(...)\n"
},
{
"pattern-not-inside": "$SMTH.map(...)\n"
},
{
"pattern-not-inside": "$SMTH.reduce(...)\n"
},
{
"pattern-not-inside": "$SMTH.reduceRight(...)\n"
},
{
"pattern-not-inside": "if (<... $OBJ.hasOwnProperty(...) ...>) {\n ...\n}\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.unsafe-formatstring",
"languages": [
"js",
"ts"
],
"message": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-134: Use of Externally-Controlled Format String"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cwe.mitre.org/data/definitions/134.html"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$STR"
},
{
"pattern-either": [
{
"pattern": "console.$LOG($STR,$PARAM,...)\n"
},
{
"patterns": [
{
"pattern-inside": "$UTIL = require('util')\n...\n"
},
{
"pattern": "$UTIL.format($STR,$PARAM,...)\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$X + $Y"
},
{
"pattern": "$X.concat($Y)"
},
{
"pattern": "`...${...}...`\n"
}
]
},
{
"pattern-not": "\"...\" + \"...\"\n"
},
{
"pattern-not": "$X.concat(\"...\")\n"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.javascript.lang.security.audit.path-traversal.path-join-resolve-traversal",
"languages": [
"js",
"ts"
],
"message": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"vuln"
],
"technology": [
"javascript",
"node.js"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "$Y.replace(...)"
},
{
"pattern": "$Y.indexOf(...)"
},
{
"pattern": "function ... (...) {\n ...\n <... $Y.indexOf(...) ...>\n ...\n}\n"
},
{
"patterns": [
{
"pattern": "$FUNC(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "sanitize"
}
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-either": [
{
"pattern-inside": "$PATH = require('path');\n...\n"
},
{
"pattern-inside": "import $PATH from 'path';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$PATH.join(...,$SINK,...)"
},
{
"pattern": "$PATH.resolve(...,$SINK,...)"
}
]
}
]
},
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-inside": "import 'path';\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "path.join(...,$SINK,...)"
},
{
"pattern-inside": "path.resolve(...,$SINK,...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern-inside": "function ... (...,$X,...) {...}\n"
},
{
"pattern-inside": "function ... (...,{...,$X,...},...) {...}\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment",
"languages": [
"js",
"ts"
],
"message": "Possibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"javascript"
]
},
"patterns": [
{
"pattern": "$X[$B] = ...\n"
},
{
"pattern-not": "$X[$B] = '...'\n"
},
{
"pattern-inside": "$X = $SMTH[$A]\n...\n"
},
{
"pattern-not-inside": "if (<...'constructor' ...>) {\n ...\n}\n...\n"
},
{
"pattern-not-inside": "if (<...'__proto__' ...>) {\n ...\n}\n...\n"
},
{
"pattern-not-inside": "for(var $B = $S; ...; ...) {...}\n"
},
{
"pattern-not-inside": "for($B = $S; ...; ...) {...}\n"
},
{
"pattern-not-inside": "$X.forEach(function $NAME($OBJ, $B,...) {...})\n"
},
{
"metavariable-pattern": {
"metavariable": "$A",
"patterns": [
{
"pattern-not": "\"...\""
},
{
"pattern-not": "`...${...}...`\n"
},
{
"pattern-not": "($A: float)\n"
}
]
}
},
{
"metavariable-pattern": {
"metavariable": "$B",
"patterns": [
{
"pattern-not": "\"...\""
},
{
"pattern-not": "`...${...}...`\n"
},
{
"pattern-not": "($B: float)\n"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop",
"languages": [
"js",
"ts"
],
"message": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"subcategory": [
"audit"
],
"technology": [
"typescript"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SMTH = $SMTH[$A]\n"
},
{
"pattern": "$SMTH = $SMTH[$A] = ...\n"
},
{
"pattern": "$SMTH = $SMTH[$A] && $Z\n"
},
{
"pattern": "$SMTH = $SMTH[$A] || $Z\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "for(...) {\n ...\n}\n"
},
{
"pattern-inside": "while(...) {\n ...\n}\n"
},
{
"pattern-inside": "$X.forEach(function $NAME(...) {\n ...\n})\n"
}
]
},
{
"pattern-not-inside": "for(var $A = $S; ...; ...) {...}\n"
},
{
"pattern-not-inside": "for($A = $S; ...; ...) {...}\n"
},
{
"pattern-not-inside": "$X.forEach(function $NAME($OBJ, $A,...) {...})\n"
},
{
"metavariable-pattern": {
"metavariable": "$A",
"patterns": [
{
"pattern-not": "\"...\""
},
{
"pattern-not": "`...${...}...`\n"
},
{
"pattern-not": "($A: float)\n"
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.sqli.node-knex-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://knexjs.org/#Builder-fromRaw",
"https://knexjs.org/#Builder-whereRaw",
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"express",
"nodejs",
"knex"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "parseInt(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern-inside": "$KNEX.fromRaw($QUERY, ...)"
},
{
"pattern-inside": "$KNEX.whereRaw($QUERY, ...)"
},
{
"pattern-inside": "$KNEX.raw($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "require('knex')\n...\n"
},
{
"pattern-inside": "import 'knex'\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
},
{
"pattern": "$REQ.files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
},
{
"pattern": "files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.sqli.node-mssql-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.npmjs.com/package/mssql"
],
"subcategory": [
"vuln"
],
"technology": [
"mssql"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "require('mssql');\n...\n"
},
{
"pattern-inside": "import 'mssql';\n...\n"
}
]
},
{
"pattern-inside": "$REQ = $POOL.request(...)\n...\n"
},
{
"pattern": "$REQ.query($QUERY,...)\n"
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n"
},
{
"focus-metavariable": "$FUNC"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.sqli.node-mysql-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.npmjs.com/package/mysql2",
"https://www.npmjs.com/package/mysql",
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"mysql",
"mysql2",
"javascript",
"nodejs"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "parseInt(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern-inside": "$POOL.query($QUERY, ...)"
},
{
"pattern-inside": "$POOL.execute($QUERY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "import $S from \"$IMPORT\"\n...\n"
},
{
"pattern-inside": "import { ... } from \"$IMPORT\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"$IMPORT\"\n...\n"
},
{
"pattern-inside": "require(\"$IMPORT\")\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$IMPORT",
"regex": "(mysql|mysql2)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (..., $Y,...) {...}"
},
{
"pattern": "$Y"
},
{
"pattern-not-inside": "function ... (..., $Y: number,...) {...}\n"
},
{
"pattern-not-inside": "$Y.query"
},
{
"pattern-not-inside": "$Y.body"
},
{
"pattern-not-inside": "$Y.params"
},
{
"pattern-not-inside": "$Y.cookies"
},
{
"pattern-not-inside": "$Y.headers"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.lang.security.audit.sqli.node-postgres-sqli",
"languages": [
"js",
"ts"
],
"message": "Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query('SELECT $1 from table', [userinput])`",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://node-postgres.com/features/queries"
],
"subcategory": [
"vuln"
],
"technology": [
"node-postgres"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "const { $CLIENT } = require('pg')\n ...\n"
},
{
"pattern-inside": "var { $CLIENT } = require('pg')\n ...\n"
},
{
"pattern-inside": "let { $CLIENT } = require('pg')\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$DB = new $CLIENT(...)\n...\n"
},
{
"pattern-inside": "$NEWPOOL = new $CLIENT(...)\n...\n$NEWPOOL.connect((..., $DB, ...) => {\n ...\n})\n"
}
]
},
{
"pattern": "$DB.query($QUERY,...)"
},
{
"focus-metavariable": "$QUERY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "function ... (...,$FUNC,...) {\n ...\n}\n"
},
{
"focus-metavariable": "$FUNC"
},
{
"pattern-not-inside": "$F. ... .$SOURCE(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.monaco-editor.security.audit.monaco-hover-htmlsupport",
"languages": [
"js",
"ts"
],
"message": "If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/microsoft/monaco-editor/issues/801"
],
"subcategory": [
"audit"
],
"technology": [
"monaco",
"monaco-editor"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import \"monaco-editor\"\n...\n"
},
{
"pattern-inside": "require(\"monaco-editor\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "{value: $VAL, supportHtml: true}\n"
},
{
"pattern": "{value: $VAL, isTrusted: true}\n"
}
]
},
{
"pattern-inside": "{range: $R, contents: [...]}\n"
},
{
"pattern-not": "{..., value: \"...\", ...}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.node-crypto.security.aead-no-final",
"languages": [
"js",
"ts"
],
"message": "The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-310: CWE CATEGORY: Cryptographic Issues"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding",
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
],
"subcategory": [
"vuln"
],
"technology": [
"node-crypto"
]
},
"patterns": [
{
"pattern": "$DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...)\n...\n$DECIPHER.update(...)\n"
},
{
"pattern-not-inside": "$DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...)\n...\n$DECIPHER.final(...)\n"
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": ".*(-gcm|-ccm|-ocb|chacha20-poly1305)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.node-crypto.security.create-de-cipher-no-iv",
"languages": [
"js",
"ts"
],
"message": "The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-1204: Generation of Weak Initialization Vector (IV)"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"references": [
"https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options",
"https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options"
],
"subcategory": [
"vuln"
],
"technology": [
"node-crypto"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$CRYPTO.createCipher(...)\n"
},
{
"pattern": "$CRYPTO.createDecipher(...)\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.node-crypto.security.gcm-no-tag-length",
"languages": [
"js",
"ts"
],
"message": "The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-310: CWE CATEGORY: Cryptographic Issues"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/",
"https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options",
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
],
"subcategory": [
"vuln"
],
"technology": [
"node-crypto"
]
},
"patterns": [
{
"pattern": "$CRYPTO.createDecipheriv('$ALGO', $KEY, $IV)\n"
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": ".*(-gcm)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.node-expat.security.audit.expat-xxe",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"audit"
],
"technology": [
"node-expat"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "var $EXPAT = require('node-expat');\n...\nnew $EXPAT.Parser(...);\n...\n$PARSER.parse(...);\n"
},
{
"pattern": "var $EXPAT = require('node-expat');\n...\nnew $EXPAT.Parser(...);\n...\n$PARSER.write(...);\n"
},
{
"pattern": "require('node-expat');\n...\nnew Parser(...);\n...\n$PARSER.parse(...);\n"
},
{
"pattern": "require('node-expat');\n...\nnew Parser(...);\n...\n$PARSER.write(...);\n"
}
]
},
{
"pattern-not": "var $EXPAT = require('node-expat');\n...\nnew $EXPAT.Parser(...);\n...\n$PARSER.parse(\"...\");\n"
},
{
"pattern-not": "var $EXPAT = require('node-expat');\n...\nnew $EXPAT.Parser(...);\n...\n$PARSER.write(\"...\");\n"
},
{
"pattern-not": "require('node-expat');\n...\nnew Parser(...);\n...\n$PARSER.parse(\"...\");\n"
},
{
"pattern-not": "require('node-expat');\n...\nnew Parser(...);\n...\n$PARSER.write(\"...\");\n"
},
{
"pattern-not": "$X = \"...\";\n...\n$PARSER.parse($X);\n"
},
{
"pattern-not": "$X = \"...\";\n...\n$PARSER.write($X);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.passport-jwt.security.hardcoded-passport-secret",
"languages": [
"js",
"ts"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"asvs": {
"control_id": "3.5.2 Static API keys or secret",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"jwt",
"nodejs",
"secrets"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$F = require(\"$I\").Strategy\n...\n"
},
{
"pattern-inside": "$F = require(\"$I\")\n...\n"
},
{
"pattern-inside": "import { $STRAT as $F } from '$I'\n...\n"
},
{
"pattern-inside": "import $F from '$I'\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$I",
"regex": "(passport-.*)"
}
},
{
"pattern-inside": "new $F($VALUE,...)\n"
},
{
"focus-metavariable": "$VALUE"
}
]
}
],
"pattern-sources": [
{
"by-side-effect": true,
"patterns": [
{
"pattern-either": [
{
"pattern": "{..., clientSecret: \"...\", ...}\n"
},
{
"pattern": "{..., secretOrKey: \"...\", ...}\n"
},
{
"pattern": "{..., consumerSecret: \"...\", ...}\n"
},
{
"patterns": [
{
"pattern-inside": "$OBJ = {}\n...\n"
},
{
"pattern-either": [
{
"pattern": "$OBJ.clientSecret = \"...\"\n"
},
{
"pattern": "$OBJ.secretOrKey = \"...\"\n"
},
{
"pattern": "$OBJ.consumerSecret = \"...\"\n"
}
]
},
{
"pattern": "$OBJ"
}
]
},
{
"patterns": [
{
"pattern-inside": "$SECRET = '...'\n...\n"
},
{
"pattern-either": [
{
"pattern": "{..., clientSecret: $SECRET, ...}\n"
},
{
"pattern": "{..., secretOrKey: $SECRET, ...}\n"
},
{
"pattern": "{..., consumerSecret: $SECRET, ...}\n"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$SECRET = '...'\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "$VALUE = {..., clientSecret: $SECRET, ...}\n...\n"
},
{
"pattern-inside": "$VALUE = {..., secretOrKey: $SECRET, ...}\n...\n"
},
{
"pattern-inside": "$VALUE = {..., consumerSecret: $SECRET, ...}\n...\n"
}
]
},
{
"pattern": "$VALUE"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.phantom.security.audit.phantom-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"phantom"
]
},
"patterns": [
{
"pattern-inside": "$PHANTOM = require('phantom');\n...\n"
},
{
"pattern-either": [
{
"pattern": "$PAGE.open($INPUT,...)"
},
{
"pattern": "$PAGE.property(\"content\",$INPUT,...)"
},
{
"pattern": "$PAGE.setContent($INPUT,...)"
},
{
"pattern": "$PAGE.openUrl($INPUT,...)"
},
{
"pattern": "$PAGE.evaluateJavaScript($INPUT,...)"
}
]
},
{
"pattern-not": "$PAGE.open(\"...\",...)"
},
{
"pattern-not": "$PAGE.property(\"content\",\"...\",...)"
},
{
"pattern-not": "$PAGE.setContent(\"...\",...)"
},
{
"pattern-not": "$PAGE.openUrl(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluateJavaScript(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-addinitscript-code-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-not-inside": "var $INPUT = function $FNAME(...){...};\n...\n"
},
{
"pattern": "$CONTEXT.addInitScript($INPUT,...)"
},
{
"pattern-not": "$CONTEXT.addInitScript(\"...\",...)"
},
{
"pattern-not": "$CONTEXT.addInitScript(function(...){...},...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-evaluate-arg-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "function $FUNC (...,$INPUT,...) {...}"
},
{
"pattern-inside": "function (...,$INPUT,...) {...}"
}
]
},
{
"pattern-either": [
{
"pattern": "$PAGE.evaluate($CODE,...,<... $INPUT ...>,...)"
},
{
"pattern": "$PAGE.evaluateHandle($CODE,...,<... $INPUT ...>,...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-evaluate-code-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-not-inside": "var $INPUT = function $FNAME(...){...};\n...\n"
},
{
"pattern-either": [
{
"pattern": "$PAGE.evaluate($INPUT,...)"
},
{
"pattern": "$PAGE.evaluateHandle($INPUT,...)"
},
{
"pattern": "$PAGE.evaluateOnNewDocument($INPUT,...)"
}
]
},
{
"pattern-not": "$PAGE.evaluate(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluate(function(...){...},...)"
},
{
"pattern-not": "$PAGE.evaluateHandle(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluateHandle(function(...){...},...)"
},
{
"pattern-not": "$PAGE.evaluateOnNewDocument(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluateOnNewDocument(function(...){...},...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-exposed-chrome-devtools",
"languages": [
"js",
"ts"
],
"message": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-either": [
{
"pattern-regex": "--remote-debugging-address"
},
{
"pattern-regex": "--remote-debugging-port"
},
{
"pattern-regex": "--remote-debugging-socket-name"
},
{
"pattern-regex": "--remote-debugging-targets"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-goto-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-not-inside": "require('playwright');\n...\nvar $INPUT = \"...\";\n...\n$PAGE.goto($INPUT,...)\n"
},
{
"pattern": "$PAGE.goto($INPUT,...)"
},
{
"pattern-not": "$PAGE.goto(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.playwright.security.audit.playwright-setcontent-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"playwright"
]
},
"patterns": [
{
"pattern-inside": "require('playwright');\n...\n"
},
{
"pattern-not-inside": "require('playwright');\n...\nvar $INPUT = \"...\";\n...\n$PAGE.setContent($INPUT,...)\n"
},
{
"pattern": "$PAGE.setContent($INPUT,...)"
},
{
"pattern-not": "$PAGE.setContent(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"puppeteer"
]
},
"patterns": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "function $FUNC (...,$INPUT,...) {...}"
},
{
"pattern-inside": "function (...,$INPUT,...) {...}"
}
]
},
{
"pattern-either": [
{
"pattern": "$PAGE.evaluate($CODE,...,<... $INPUT ...>,...)"
},
{
"pattern": "$PAGE.evaluateHandle($CODE,...,<... $INPUT ...>,...)"
},
{
"pattern": "$PAGE.evaluateOnNewDocument($CODE,...,<... $INPUT ...>,...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"puppeteer"
]
},
"patterns": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-not-inside": "var $INPUT = function $FNAME(...){...};\n...\n"
},
{
"pattern-either": [
{
"pattern": "$PAGE.evaluate($INPUT,...)"
},
{
"pattern": "$PAGE.evaluateHandle($INPUT,...)"
},
{
"pattern": "$PAGE.evaluateOnNewDocument($INPUT,...)"
}
]
},
{
"pattern-not": "$PAGE.evaluate(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluate(function(...){...},...)"
},
{
"pattern-not": "$PAGE.evaluateHandle(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluateHandle(function(...){...},...)"
},
{
"pattern-not": "$PAGE.evaluateOnNewDocument(\"...\",...)"
},
{
"pattern-not": "$PAGE.evaluateOnNewDocument(function(...){...},...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools",
"languages": [
"js",
"ts"
],
"message": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"puppeteer"
]
},
"patterns": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-either": [
{
"pattern-regex": "--remote-debugging-address"
},
{
"pattern-regex": "--remote-debugging-port"
},
{
"pattern-regex": "--remote-debugging-socket-name"
},
{
"pattern-regex": "--remote-debugging-targets"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.puppeteer.security.audit.puppeteer-goto-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"puppeteer"
]
},
"patterns": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-not-inside": "require('puppeteer');\n...\nvar $INPUT = \"...\";\n...\n$PAGE.goto($INPUT,...)\n"
},
{
"pattern": "$PAGE.goto($INPUT,...)"
},
{
"pattern-not": "$PAGE.goto(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.puppeteer.security.audit.puppeteer-setcontent-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"puppeteer"
]
},
"patterns": [
{
"pattern-inside": "require('puppeteer');\n...\n"
},
{
"pattern-not-inside": "require('puppeteer');\n...\nvar $INPUT = \"...\";\n...\n"
},
{
"pattern": "$PAGE.setContent($INPUT,...)"
},
{
"pattern-not": "$PAGE.setContent(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.sandbox.security.audit.sandbox-code-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `sandbox`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"sandbox"
]
},
"patterns": [
{
"pattern-inside": "$SANDBOX = require('sandbox');\n...\n"
},
{
"pattern-not-inside": "$CODE = \"...\";\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$S = new $SANDBOX(...);\n...\n"
},
{
"pattern": "$S.run($CODE,...);"
}
]
},
{
"pattern": "new $SANDBOX(...).run($CODE,...);\n"
}
]
},
{
"pattern-not-inside": "$S = new $SANDBOX(...);\n...\n$S.run(\"...\",...);\n"
},
{
"pattern-not-inside": "new $SANDBOX(...).run(\"...\",...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.sax.security.audit.sax-xxe",
"languages": [
"js",
"ts"
],
"message": "Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/Leonidas-from-XIV/node-xml2js/issues/415",
"https://github.com/isaacs/sax-js"
],
"subcategory": [
"audit"
],
"technology": [
"sax"
]
},
"pattern-either": [
{
"pattern": "require('sax');\n...\n$PARSER.ondoctype = ...;\n"
},
{
"pattern": "require('sax');\n...\n$PARSER.on('doctype',...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.sequelize.security.audit.sequelize-enforce-tls",
"languages": [
"js",
"ts"
],
"message": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://node-postgres.com/features/ssl",
"https://nodejs.org/api/tls.html#tls_class_tls_tlssocket",
"https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options",
"https://nodejs.org/api/tls.html#tls_tls_default_min_version"
],
"subcategory": [
"audit"
],
"technology": [
"sequelize"
]
},
"patterns": [
{
"pattern": "{\n host: $HOST,\n database: $DATABASE,\n dialect: $DIALECT\n }\n"
},
{
"pattern-not": "{\n host: $HOST,\n database: $DATABASE,\n dialect: \"postgres\",\n dialectOptions: {\n ssl: true\n }\n}\n"
},
{
"pattern-not": "{\n host: $HOST,\n database: $DATABASE,\n dialect: $DIALECT,\n dialectOptions: {\n ssl: { ... }\n }\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$DIALECT",
"regex": "['\"](mariadb|mysql|postgres)['\"]"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.sequelize.security.audit.express-sequelize-injection",
"languages": [
"js",
"ts"
],
"message": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"interfile": true,
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"
],
"subcategory": [
"vuln"
],
"technology": [
"express"
]
},
"mode": "taint",
"options": {
"interfile": true
},
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "parseInt(...)"
},
{
"pattern": "$FUNC. ... .hash(...)"
}
]
}
],
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sequelize.query($QUERY,...)"
},
{
"pattern": "$DB.sequelize.query($QUERY,...)"
}
]
},
{
"focus-metavariable": "$QUERY"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ... ($REQ, $RES) {...}"
},
{
"pattern-inside": "function ... ($REQ, $RES, $NEXT) {...}"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES) {...})"
},
{
"pattern-inside": "$APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(get|post|put|head|delete|options)$"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.query"
},
{
"pattern": "$REQ.body"
},
{
"pattern": "$REQ.params"
},
{
"pattern": "$REQ.cookies"
},
{
"pattern": "$REQ.headers"
},
{
"pattern": "$REQ.files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "$REQ.files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>\n{...}\n"
},
{
"pattern-inside": "({ $REQ }: Request,$RES: Response) => {...}\n"
}
]
},
{
"focus-metavariable": "$REQ"
},
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "query"
},
{
"pattern": "cookies"
},
{
"pattern": "headers"
},
{
"pattern": "body"
},
{
"pattern": "files.$ANYTHING.data.toString('utf8')"
},
{
"pattern": "files.$ANYTHING['data'].toString('utf8')"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.sequelize.security.audit.sequelize-raw-query",
"languages": [
"js",
"ts"
],
"message": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. Data replacement or data binding should be used. See https://sequelize.org/master/manual/raw-queries.html",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://sequelize.org/master/manual/raw-queries.html"
],
"subcategory": [
"audit"
],
"technology": [
"sequelize"
]
},
"pattern-either": [
{
"pattern": "$DATABASE.sequelize.query(`...${...}...`, ...)\n"
},
{
"pattern": "$QUERY = `...${...}...`\n...\n$DATABASE.sequelize.query($QUERY, ...)\n"
},
{
"pattern": "$DATABASE.sequelize.query($SQL + $VALUE, ...)\n"
},
{
"pattern": "$QUERY = $SQL + $VALUE\n...\n$DATABASE.sequelize.query($QUERY, ...)\n"
},
{
"pattern": "Sequelize.literal(`...${...}...`)\n"
},
{
"pattern": "$QUERY = `...${...}...`\n...\nSequelize.literal($QUERY)\n"
},
{
"pattern": "Sequelize.literal($SQL + $VALUE)\n"
},
{
"pattern": "$QUERY = $SQL + $VALUE\n...\nSequelize.literal($QUERY)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation",
"languages": [
"js",
"ts"
],
"message": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://node-postgres.com/features/ssl",
"https://nodejs.org/api/tls.html#tls_class_tls_tlssocket",
"https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options"
],
"subcategory": [
"audit"
],
"technology": [
"sequelize"
]
},
"patterns": [
{
"pattern": "{\n host: $HOST,\n database: $DATABASE,\n dialect: $DIALECT,\n dialectOptions: {\n ssl: {\n rejectUnauthorized: false\n }\n }\n }\n"
},
{
"metavariable-regex": {
"metavariable": "$DIALECT",
"regex": "['\"](mariadb|mysql|postgres)['\"]"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.sequelize.security.audit.sequelize-weak-tls-version",
"languages": [
"js",
"ts"
],
"message": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://node-postgres.com/features/ssl",
"https://nodejs.org/api/tls.html#tls_class_tls_tlssocket",
"https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options",
"https://nodejs.org/api/tls.html#tls_tls_default_min_version"
],
"subcategory": [
"audit"
],
"technology": [
"sequelize"
]
},
"patterns": [
{
"pattern-inside": "{\n host: $HOST,\n database: $DATABASE,\n dialect: $DIALECT,\n dialectOptions:\n { ssl: ... }\n }\n"
},
{
"pattern-either": [
{
"pattern": "{\n minVersion: 'TLSv1'\n}\n"
},
{
"pattern": "{\n minVersion: 'TLSv1.1'\n}\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$DIALECT",
"regex": "['\"](mariadb|mysql|postgres)['\"]"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.serialize-javascript.security.audit.unsafe-serialize-javascript",
"languages": [
"js",
"ts"
],
"message": "`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"serialize-javascript"
]
},
"patterns": [
{
"pattern-inside": "$S = require('serialize-javascript');\n...\n"
},
{
"pattern-not-inside": "escape(...)"
},
{
"pattern-not-inside": "encodeURI(...)"
},
{
"pattern": "$S(..., {unsafe: true});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.shelljs.security.shelljs-exec-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `exec` method it can result in Remote Code Execution",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"shelljs"
]
},
"patterns": [
{
"pattern-inside": "require('shelljs');\n...\n"
},
{
"pattern-not-inside": "require('shelljs');\n...\nvar $INPUT = \"...\";\n...\n"
},
{
"pattern": "$SHELL.exec($INPUT,...)"
},
{
"pattern-not": "$SHELL.exec(\"...\",...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.javascript.thenify.security.audit.multiargs-code-execution",
"languages": [
"js",
"ts"
],
"message": "Potential arbitrary code execution, piped to eval",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"thenify"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$THENIFY($FN, {multiArgs: ...},...)\n"
},
{
"pattern": "$OPTS = {multiArgs: ...};\n...\n$THENIFY($FN,$OPTS,...);\n"
}
]
},
{
"pattern-not": "$THENIFY($FN, {multiArgs: false},...)\n"
},
{
"pattern-not": "$OPTS = {multiArgs: false};\n...\n$THENIFY($FN,$OPTS,...)\n"
},
{
"pattern-either": [
{
"pattern-inside": "$THENIFY = require('thenify');\n...\n"
},
{
"pattern-inside": "import 'thenify';\n...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.vm2.security.audit.vm2-code-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `vm2`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"vm2"
]
},
"patterns": [
{
"pattern-inside": "require('vm2');\n...\n"
},
{
"pattern-not-inside": "$CODE = \"...\";\n...\n"
},
{
"pattern-not-inside": "require('vm2');\n...\n$CODE = new VMScript(...);\n...\n"
},
{
"pattern-either": [
{
"pattern": "$VM = new VM(...);\n...\n$VM.run($CODE,...);\n"
},
{
"pattern": "new VM(...).run($CODE,...);\n"
},
{
"pattern": "$VM = new NodeVM(...);\n...\n$VM.run($CODE,...);\n"
},
{
"pattern": "new NodeVM(...).run($CODE,...);\n"
},
{
"pattern": "new VMScript($CODE,...);\n"
}
]
},
{
"pattern-not": "$VM = new VM(...);\n...\n$VM.run(\"...\",...);\n"
},
{
"pattern-not": "$VM = new NodeVM(...);\n...\n$VM.run(\"...\",...);\n"
},
{
"pattern-not": "(new VM(...)).run(\"...\",...);\n"
},
{
"pattern-not": "(new NodeVM(...)).run(\"...\",...);\n"
},
{
"pattern-not": "new VMScript(\"...\",...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.vm2.security.audit.vm2-context-injection",
"languages": [
"js",
"ts"
],
"message": "Make sure that unverified user data can not reach `vm2`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"vm2"
]
},
"patterns": [
{
"pattern-inside": "$VM = require('vm2');\n...\n"
},
{
"pattern-either": [
{
"pattern": "function (...,$INPUT,...) {\n ...\n new VM({sandbox: <... $INPUT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... {$NAME:$INPUT} ...>;\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $OPTS = {sandbox: <... $INPUT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n new VM({sandbox: <... $INPUT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... {$NAME:$INPUT} ...>;\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n new VM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $OPTS = {sandbox: <... $INPUT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new VM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n new NodeVM({sandbox: <... $INPUT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... {$NAME:$INPUT} ...>;\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $OPTS = {sandbox: <... $INPUT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function (...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n new NodeVM({sandbox: <... $INPUT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... {$NAME:$INPUT} ...>;\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n new NodeVM({sandbox: <... $CONTEXT ...>},...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $OPTS = {sandbox: <... $INPUT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = <... $INPUT ...>;\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $CONTEXT = {$NAME: <... $INPUT ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}\n"
},
{
"pattern": "function $F(...,$INPUT,...) {\n ...\n $VAR = <... $INPUT ...>;\n ...\n $CONTEXT = {$NAME: <... $VAR ...>};\n ...\n $OPTS = {sandbox: <... $CONTEXT ...>};\n ...\n new NodeVM($OPTS,...);\n ...\n}"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.vue.security.audit.xss.templates.avoid-v-html",
"languages": [
"regex"
],
"message": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://vuejs.org/v2/guide/syntax.html#Raw-HTML"
],
"subcategory": [
"audit"
],
"technology": [
"vue"
]
},
"paths": {
"include": [
"*.vue"
]
},
"pattern-regex": "<[^<>]*v-html=",
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"wkhtmltoimage"
]
},
"patterns": [
{
"pattern-inside": "$WK = require('wkhtmltoimage');\n...\n"
},
{
"pattern-not-inside": "var $INPUT = \"...\";\n...\n"
},
{
"pattern": "$WK.generate($INPUT,...)"
},
{
"pattern-not": "$WK.generate(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"audit"
],
"technology": [
"wkhtmltopdf"
]
},
"patterns": [
{
"pattern-inside": "$WK = require('wkhtmltopdf');\n...\n"
},
{
"pattern-not-inside": "var $INPUT = \"...\";\n...\n"
},
{
"pattern": "$WK($INPUT,...)"
},
{
"pattern-not": "$WK(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.javascript.xml2json.security.audit.xml2json-xxe",
"languages": [
"js",
"ts"
],
"message": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities",
"metadata": {
"asvs": {
"control_id": "5.5.2 Insecue XML Deserialization",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention",
"section": "V5 Validation, Sanitization and Encoding",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"audit"
],
"technology": [
"xml2json"
]
},
"patterns": [
{
"pattern": "var $XML = require('xml2json');\n...\n$XML.toJson(...);\n"
},
{
"pattern-not": "var $XML = require('xml2json');\n...\n$XML.toJson(\"...\",...);\n"
},
{
"pattern-not": "var $XML = require('xml2json');\n...\nvar $S = \"...\";\n...\n$XML.toJson($S,...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.json.aws.security.public-s3-bucket",
"languages": [
"json"
],
"message": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls"
],
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
],
"subcategory": [
"vuln"
],
"technology": [
"aws"
]
},
"patterns": [
{
"pattern-inside": "$BUCKETNAME: {\n \"Type\": \"AWS::S3::Bucket\",\n \"Properties\": {\n ...,\n },\n ...,\n}\n"
},
{
"pattern-either": [
{
"pattern": "\"PublicAccessBlockConfiguration\": {\n ...,\n \"RestrictPublicBuckets\": false,\n ...,\n },\n"
},
{
"pattern": "\"PublicAccessBlockConfiguration\": {\n ...,\n \"IgnorePublicAcls\": false,\n ...,\n },\n"
},
{
"pattern": "\"PublicAccessBlockConfiguration\": {\n ...,\n \"BlockPublicAcls\": false,\n ...,\n },\n"
},
{
"pattern": "\"PublicAccessBlockConfiguration\": {\n ...,\n \"BlockPublicPolicy\": false,\n ...,\n },\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.json.aws.security.public-s3-policy-statement",
"languages": [
"json"
],
"message": "Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html"
],
"subcategory": [
"vuln"
],
"technology": [
"aws"
]
},
"pattern": "{\n \"Effect\": \"Allow\",\n \"Principal\": \"*\",\n \"Resource\": [\n ..., \"=~/arn:aws:s3.*/\", ...\n ],\n ...\n}\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.json.aws.security.wildcard-assume-role",
"languages": [
"json"
],
"message": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-250: Execution with Unnecessary Privileges"
],
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A06:2017 - Security Misconfiguration",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"
],
"subcategory": [
"vuln"
],
"technology": [
"aws"
]
},
"patterns": [
{
"pattern-inside": "\"Statement\": [...]\n"
},
{
"pattern-inside": "{..., \"Effect\": \"Allow\", ..., \"Action\": \"sts:AssumeRole\", ...}\n"
},
{
"pattern": "\"Principal\": {..., \"AWS\": \"*\", ...}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.kotlin.gradle.security.build-gradle-password-hardcoded",
"languages": [
"kotlin"
],
"message": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2020-top25": true,
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source_rule_url": "https://semgrep.dev/playground/r/d8Ur5BA/achufistov6_personal_org.build-gradle-password-hardcoded",
"subcategory": [
"vuln"
],
"technology": [
"secrets"
],
"vulnerability_class": [
"Hard-coded Secrets"
]
},
"options": {
"symbolic_propagation": true
},
"paths": {
"include": [
"*build.gradle.kts"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$PASS = env[...] ?: $VALUE"
}
]
},
{
"metavariable-regex": {
"metavariable": "$PASS",
"regex": "(password|pass|passwd|loginPassword)"
}
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$VALUE",
"patterns": [
{
"pattern-either": [
{
"pattern-regex": "^[A-Za-z0-9/+=]+$"
}
]
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.anonymous-ldap-bind",
"languages": [
"kt"
],
"message": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-287: Improper Authentication"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS",
"subcategory": [
"vuln"
],
"technology": [
"kotlin"
]
},
"pattern": "$ENV.put($CTX.SECURITY_AUTHENTICATION, \"none\")\n...\n$DCTX = InitialDirContext($ENV, ...)\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.bad-hexa-conversion",
"languages": [
"kt"
],
"message": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-704: Incorrect Type Conversion or Cast"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://cwe.mitre.org/data/definitions/704.html"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION",
"subcategory": [
"audit"
],
"technology": [
"kotlin"
]
},
"pattern": "fun $METHOD(...) {\n ...\n val $MD: MessageDigest = ...\n ...\n $MD.digest(...)\n ...\n Integer.toHexString(...)\n}",
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.command-injection-formatted-runtime-call",
"languages": [
"kt"
],
"message": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.",
"subcategory": [
"audit"
],
"technology": [
"kt"
]
},
"pattern-either": [
{
"pattern": "$RUNTIME.exec($X + $Y)"
},
{
"pattern": "$RUNTIME.exec(String.format(...))"
},
{
"pattern": "$RUNTIME.loadLibrary($X + $Y)"
},
{
"pattern": "$RUNTIME.loadLibrary(String.format(...))"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.kotlin.lang.security.cookie-missing-httponly",
"languages": [
"kt"
],
"message": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE",
"subcategory": [
"audit"
],
"technology": [
"kt"
]
},
"patterns": [
{
"pattern-not-inside": "$COOKIE.setValue(\"\")\n...\n"
},
{
"pattern-either": [
{
"pattern": "$COOKIE.setHttpOnly(false)"
},
{
"patterns": [
{
"pattern-not-inside": "$COOKIE.setHttpOnly(...)\n...\n"
},
{
"pattern": "$RESPONSE.addCookie($COOKIE)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.cookie-missing-secure-flag",
"languages": [
"kt"
],
"message": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE",
"subcategory": [
"audit"
],
"technology": [
"kt"
]
},
"patterns": [
{
"pattern-not-inside": "$COOKIE.setValue(\"\")\n...\n"
},
{
"pattern-either": [
{
"pattern": "$COOKIE.setSecure(false)"
},
{
"patterns": [
{
"pattern-not-inside": "$COOKIE.setSecure(...)\n...\n"
},
{
"pattern": "$RESPONSE.addCookie($COOKIE)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "DefaultHttpClient",
"replacement": "SystemDefaultHttpClient"
},
"id": "vendored-rules.kotlin.lang.security.defaulthttpclient-is-deprecated",
"languages": [
"kt"
],
"message": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.",
"metadata": {
"asvs": {
"control_id": "9.1.3 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "LOW",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT",
"subcategory": [
"audit"
],
"technology": [
"kotlin"
]
},
"pattern": "DefaultHttpClient(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.ecb-cipher",
"languages": [
"kt"
],
"message": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE",
"subcategory": [
"vuln"
],
"technology": [
"kotlin"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "val $VAR : Cipher = $CIPHER.getInstance($MODE)\n"
},
{
"pattern": "var $VAR : Cipher = $CIPHER.getInstance($MODE)\n"
},
{
"pattern": "val $VAR = $CIPHER.getInstance($MODE)\n"
},
{
"pattern": "var $VAR = $CIPHER.getInstance($MODE)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$MODE",
"regex": ".*ECB.*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.gcm-detection",
"languages": [
"kt"
],
"message": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-323: Reusing a Nonce, Key Pair in Encryption"
],
"impact": "LOW",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/323.html"
],
"subcategory": [
"audit"
],
"technology": [
"kotlin"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$METHOD.getInstance(\"AES/GCM/NoPadding\",...)"
},
{
"pattern": "GCMParameterSpec(...)"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.kotlin.lang.security.no-null-cipher",
"languages": [
"kt",
"scala"
],
"message": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER",
"subcategory": [
"vuln"
],
"technology": [
"kotlin"
]
},
"pattern": "NullCipher(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.unencrypted-socket",
"languages": [
"kt"
],
"message": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET",
"subcategory": [
"audit"
],
"technology": [
"kotlin"
]
},
"pattern-either": [
{
"pattern": "ServerSocket(...)"
},
{
"pattern": "Socket(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.use-of-md5",
"languages": [
"kt"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5",
"subcategory": [
"vuln"
],
"technology": [
"kotlin"
]
},
"pattern-either": [
{
"pattern": "$VAR = $MD.getInstance(\"MD5\")\n"
},
{
"pattern": "$DU.getMd5Digest().digest(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.use-of-sha1",
"languages": [
"kt"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1",
"subcategory": [
"vuln"
],
"technology": [
"kotlin"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "$VAR = $MD.getInstance(\"$ALGO\")\n"
},
{
"metavariable-regex": {
"metavariable": "$ALGO",
"regex": "(SHA1|SHA-1)"
}
}
]
},
{
"pattern": "$DU.getSha1Digest().digest(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.kotlin.lang.security.use-of-weak-rsa-key",
"languages": [
"kt"
],
"message": "RSA keys should be at least 2048 bits based on NIST recommendation.",
"metadata": {
"asvs": {
"control_id": "6.2.5 Insecure Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE",
"subcategory": [
"audit"
],
"technology": [
"kotlin"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$KEY = $G.getInstance(\"RSA\")\n...\n$KEY.initialize($BITS)\n"
}
]
},
{
"metavariable-comparison": {
"comparison": "$BITS < 2048",
"metavariable": "$BITS"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-digest",
"languages": [
"ocaml"
],
"message": "Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-328: Use of Weak Hash (4.12)",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://v2.ocaml.org/api/Digest.html"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"pattern-either": [
{
"pattern": "Digest.string"
},
{
"pattern": "Digest.bytes"
},
{
"pattern": "Digest.substring"
},
{
"pattern": "Digest.subbytes"
},
{
"pattern": "Digest.channel"
},
{
"pattern": "Digest.file"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-exec",
"languages": [
"ocaml"
],
"message": "Executing external programs might lead to comand or argument injection vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-78: OS Command Injection",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://v2.ocaml.org/api/Unix.html"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "Unix.execve $STR"
},
{
"pattern": "Unix.execvp $STR"
},
{
"pattern": "Unix.execvpe $STR"
},
{
"pattern": "Unix.system $STR"
},
{
"pattern": "Sys.command $STR"
}
]
},
{
"pattern-not": "Unix.execve \"...\""
},
{
"pattern-not": "Unix.execvp \"...\""
},
{
"pattern-not": "Unix.execvpe \"...\""
},
{
"pattern-not": "Unix.system \"...\""
},
{
"pattern-not": "Sys.command \"...\""
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-filenameconcat",
"languages": [
"ocaml"
],
"message": "When attacker supplied data is passed to Filename.concat directory traversal attacks might be possible.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-35: Path Traversal",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://v2.ocaml.org/api/Filename.html"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"pattern": "Filename.concat",
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-hashtable-dos",
"languages": [
"ocaml"
],
"message": "Creating a Hashtbl without the optional random number parameter makes it prone to DoS attacks when attackers are able to fill the table with malicious content. Hashtbl.randomize or the R flag in the OCAMLRUNPARAM are other ways to randomize it.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-399: Resource Management Errors (4.12)",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://v2.ocaml.org/api/Hashtbl.html"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"patterns": [
{
"pattern": "Hashtbl.create $Y"
},
{
"pattern-not": "Hashtbl.create $Y ~random:true"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-marshal",
"languages": [
"ocaml"
],
"message": "Marshaling is currently not type-safe and can lead to insecure behaviour when untrusted data is marshalled. Marshalling can lead to out-of-bound reads as well.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-502: Deserialization of Untrusted Data",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://eternal.red/2021/secure-ocaml-sandbox/"
],
"subcategory": [
"vuln"
],
"technology": [
"ocaml"
]
},
"pattern-either": [
{
"pattern": "input_value"
},
{
"pattern": "Marshal.from_channel"
},
{
"pattern": "Marshal.from_bytes"
},
{
"pattern": "Marshal.from_string"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-tempfile",
"languages": [
"ocaml"
],
"message": "Filename.temp_file might lead to race conditions, since the file could be altered or replaced by a symlink before being opened.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://v2.ocaml.org/api/Filename.html"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"pattern": "Filename.temp_file",
"severity": "WARNING"
},
{
"id": "vendored-rules.ocaml.lang.security.ocamllint-unsafe",
"languages": [
"ocaml"
],
"message": "Unsafe functions do not perform boundary checks or have other side effects, use with care.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-242: Use of Inherently Dangerous Function (4.12)",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://v2.ocaml.org/api/Bigarray.Array1.html#VALunsafe_get",
"https://v2.ocaml.org/api/Bytes.html#VALunsafe_to_string"
],
"subcategory": [
"audit"
],
"technology": [
"ocaml"
]
},
"pattern-either": [
{
"pattern": "$X.unsafe_get"
},
{
"pattern": "$X.unsafe_set"
},
{
"pattern": "$X.unsafe_to_string"
},
{
"pattern": "$X.unsafe_of_string"
},
{
"pattern": "$X.unsafe_blit"
},
{
"pattern": "$X.unsafe_blit_string"
},
{
"pattern": "$X.unsafe_fill"
},
{
"pattern": "$X.unsafe_to_string"
},
{
"pattern": "$X.unsafe_getenv"
},
{
"pattern": "$X.unsafe_environment"
},
{
"pattern": "$X.unsafe_chr"
},
{
"pattern": "$X.unsafe_of_int"
},
{
"pattern": "$X.unsafe_output"
},
{
"pattern": "$X.unsafe_output_string"
},
{
"pattern": "$X.unsafe_read"
},
{
"pattern": "$X.unsafe_recv"
},
{
"pattern": "$X.unsafe_recvfrom"
},
{
"pattern": "$X.unsafe_send"
},
{
"pattern": "$X.unsafe_sendto"
},
{
"pattern": "$X.unsafe_set"
},
{
"pattern": "$X.unsafe_set_int16"
},
{
"pattern": "$X.unsafe_set_int32"
},
{
"pattern": "$X.unsafe_set_int64"
},
{
"pattern": "$X.unsafe_set_int8"
},
{
"pattern": "$X.unsafe_set_uint16_ne"
},
{
"pattern": "$X.unsafe_set_uint8"
},
{
"pattern": "$X.unsafe_single_write"
},
{
"pattern": "$X.unsafe_string"
},
{
"pattern": "$X.unsafe_sub"
},
{
"pattern": "$X.unsafe_write"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.doctrine.security.audit.doctrine-dbal-dangerous-query",
"languages": [
"php"
],
"message": "Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html",
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"doctrine"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$CONNECTION->prepare($QUERY,...)"
},
{
"pattern": "$CONNECTION->createQuery($QUERY,...)"
},
{
"pattern": "$CONNECTION->executeQuery($QUERY,...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "use Doctrine\\DBAL\\Connection;\n...\n"
},
{
"pattern-inside": "$CONNECTION = $SMTH->getConnection(...);\n...\n"
}
]
},
{
"pattern-not": "$CONNECTION->prepare(\"...\",...)"
},
{
"pattern-not": "$CONNECTION->createQuery(\"...\",...)"
},
{
"pattern-not": "$CONNECTION->executeQuery(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.doctrine.security.audit.doctrine-orm-dangerous-query",
"languages": [
"php"
],
"message": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection",
"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"doctrine"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-either": [
{
"pattern": "$QUERY->add(...,$SINK,...)"
},
{
"pattern": "$QUERY->select(...,$SINK,...)"
},
{
"pattern": "$QUERY->addSelect(...,$SINK,...)"
},
{
"pattern": "$QUERY->delete(...,$SINK,...)"
},
{
"pattern": "$QUERY->update(...,$SINK,...)"
},
{
"pattern": "$QUERY->insert(...,$SINK,...)"
},
{
"pattern": "$QUERY->from(...,$SINK,...)"
},
{
"pattern": "$QUERY->join(...,$SINK,...)"
},
{
"pattern": "$QUERY->innerJoin(...,$SINK,...)"
},
{
"pattern": "$QUERY->leftJoin(...,$SINK,...)"
},
{
"pattern": "$QUERY->rightJoin(...,$SINK,...)"
},
{
"pattern": "$QUERY->where(...,$SINK,...)"
},
{
"pattern": "$QUERY->andWhere(...,$SINK,...)"
},
{
"pattern": "$QUERY->orWhere(...,$SINK,...)"
},
{
"pattern": "$QUERY->groupBy(...,$SINK,...)"
},
{
"pattern": "$QUERY->addGroupBy(...,$SINK,...)"
},
{
"pattern": "$QUERY->having(...,$SINK,...)"
},
{
"pattern": "$QUERY->andHaving(...,$SINK,...)"
},
{
"pattern": "$QUERY->orHaving(...,$SINK,...)"
},
{
"pattern": "$QUERY->orderBy(...,$SINK,...)"
},
{
"pattern": "$QUERY->addOrderBy(...,$SINK,...)"
},
{
"pattern": "$QUERY->set($SINK,...)"
},
{
"pattern": "$QUERY->setValue($SINK,...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$Q = $X->createQueryBuilder();\n...\n"
},
{
"pattern-inside": "$Q = new QueryBuilder(...);\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sprintf(...)"
},
{
"pattern": "\"...\".$SMTH\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.assert-use",
"languages": [
"php"
],
"message": "Calling assert with user input is equivalent to eval'ing.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.assert",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "assert($SINK, ...);"
},
{
"pattern-not": "assert(\"...\", ...);"
},
{
"pattern": "$SINK"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_SERVER"
}
]
}
]
},
{
"patterns": [
{
"pattern": "Route::$METHOD($ROUTENAME, function(..., $ARG, ...) { ... })\n"
},
{
"focus-metavariable": "$ARG"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.backticks-use",
"languages": [
"php"
],
"message": "Backticks use may lead to command injection vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/language.operators.execution.php",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"pattern": "`...`;",
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.base-convert-loses-precision",
"languages": [
"php"
],
"message": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-190: Integer Overflow or Wraparound"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://www.php.net/base_convert",
"https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "substr(..., $LENGTH)"
},
{
"metavariable-comparison": {
"comparison": "$LENGTH <= 7",
"metavariable": "$LENGTH"
}
}
]
}
],
"pattern-sinks": [
{
"pattern": "base_convert(...)"
}
],
"pattern-sources": [
{
"pattern": "hash(...)"
},
{
"pattern": "hash_hmac(...)"
},
{
"pattern": "sha1(...)"
},
{
"pattern": "md5(...)"
},
{
"patterns": [
{
"pattern": "random_bytes($N)"
},
{
"metavariable-comparison": {
"comparison": "$N > 7",
"metavariable": "$N"
}
}
]
},
{
"patterns": [
{
"pattern": "openssl_random_pseudo_bytes($N)"
},
{
"metavariable-comparison": {
"comparison": "$N > 7",
"metavariable": "$N"
}
}
]
},
{
"patterns": [
{
"pattern": "$OBJ->get_random_bytes($N)"
},
{
"metavariable-comparison": {
"comparison": "$N > 7",
"metavariable": "$N"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.curl-ssl-verifypeer-off",
"languages": [
"php"
],
"message": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$ARG = $IS_VERIFIED;\n...\ncurl_setopt(..., CURLOPT_SSL_VERIFYPEER, $ARG);\n"
},
{
"pattern": "curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $IS_VERIFIED)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$IS_VERIFIED",
"regex": "0|false|null"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.extract-user-data",
"languages": [
"php"
],
"message": "Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "extract($VAR, EXTR_SKIP,...)"
}
],
"pattern-sinks": [
{
"pattern": "extract(...)"
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "$_GET[...]"
},
{
"pattern": "$_FILES[...]"
},
{
"pattern": "$_POST[...]"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.eval-use",
"languages": [
"php"
],
"message": "Evaluating non-constant commands. This can lead to command injection.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.eval",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "eval(...);"
},
{
"pattern-not": "eval('...');"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.exec-use",
"languages": [
"php"
],
"message": "Executing non-constant commands. This can lead to command injection.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "$FUNC(...);"
},
{
"pattern-not": "$FUNC('...', ...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "exec|passthru|proc_open|popen|shell_exec|system|pcntl_exec"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.file-inclusion",
"languages": [
"php"
],
"message": "Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.include.php",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php",
"https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "basename($PATH, ...)"
},
{
"pattern-inside": "linkinfo($PATH, ...)"
},
{
"pattern-inside": "readlink($PATH, ...)"
},
{
"pattern-inside": "realpath($PATH, ...)"
},
{
"pattern-inside": "include_safe(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$FUNC(...);"
},
{
"pattern": "$VAR"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "\\b(include|include_once|require|require_once)\\b"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_SERVER"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.ftp-use",
"languages": [
"php"
],
"message": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.php.net/manual/en/intro.ftp.php",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "$FUNC(...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "ftp_.+"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.ldap-bind-without-password",
"languages": [
"php"
],
"message": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-287: Improper Authentication"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://www.php.net/manual/en/function.ldap-bind.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "ldap_bind($LDAP, $DN, NULL)"
},
{
"pattern": "ldap_bind($LDAP, $DN, '')"
},
{
"patterns": [
{
"pattern": "ldap_bind(...)"
},
{
"pattern-not": "ldap_bind($LDAP, $DN, $PASSWORD)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.mb-ereg-replace-eval",
"languages": [
"php"
],
"message": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.mb-ereg-replace.php",
"https://www.php.net/manual/en/function.mb-regex-set-options.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "mb_ereg_replace($PATTERN, $REPL, $STR, $OPTIONS);"
},
{
"pattern-not": "mb_ereg_replace($PATTERN, $REPL, $STR, \"...\");"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.mcrypt-use",
"languages": [
"php"
],
"message": "Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-676: Use of Potentially Dangerous Function"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://www.php.net/manual/en/intro.mcrypt.php",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "$FUNC(...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(mcrypt_|mdecrypt_).+"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.md5-loose-equality",
"languages": [
"php"
],
"message": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-697: Incorrect Comparison"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://www.php.net/manual/en/types.comparisons.php",
"https://www.whitehatsec.com/blog/magic-hashes/"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X == $FUNC(...)"
},
{
"pattern": "$FUNC(...) == $X"
},
{
"pattern": "$FUNC(...) == $FUNC(...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "md5|md5_file"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.md5-used-as-password",
"languages": [
"php"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc6151",
"https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision",
"https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords",
"https://github.com/returntocorp/semgrep-rules/issues/1609",
"https://www.php.net/password_hash"
],
"subcategory": [
"vuln"
],
"technology": [
"md5"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FUNCTION(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "md5(...)"
},
{
"pattern": "hash('md5', ...)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.openssl-cbc-static-iv",
"languages": [
"php"
],
"message": "Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-329: Generation of Predictable IV with CBC Mode"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://csrc.nist.gov/publications/detail/sp/800-38a/final"
],
"subcategory": [
"vuln"
],
"technology": [
"php",
"openssl"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "openssl_encrypt($D, $M, $K, $FLAGS, \"...\",...);"
},
{
"pattern": "openssl_decrypt($D, $M, $K, $FLAGS, \"...\",...);"
}
]
},
{
"metavariable-comparison": {
"comparison": "re.match(\".*-CBC\",$M)",
"metavariable": "$M"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.php-permissive-cors",
"languages": [
"php"
],
"message": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-346: Origin Validation Error"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "header($VALUE,...)"
},
{
"pattern-either": [
{
"pattern": "header(\"...\",...)"
},
{
"pattern-inside": "$VALUE = \"...\";\n...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$VALUE",
"regex": "(\\'|\\\")\\s*(Access-Control-Allow-Origin|access-control-allow-origin)\\s*:\\s*(\\*)\\s*(\\'|\\\")"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.php-ssrf",
"languages": [
"php"
],
"message": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function $FUNCS with payload $DATA",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$VAR=$DATA;\n...\n$FUNCS(...,$VAR, ...);\n"
},
{
"pattern": "$FUNCS(...,$DATA, ...);"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$DATA",
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
}
]
}
]
}
},
{
"metavariable-pattern": {
"metavariable": "$FUNCS",
"patterns": [
{
"pattern-either": [
{
"pattern": "curl_setopt"
},
{
"pattern": "fopen"
},
{
"pattern": "file_get_contents"
},
{
"pattern": "curl_init"
},
{
"pattern": "readfile"
}
]
}
]
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.phpinfo-use",
"languages": [
"php"
],
"message": "The 'phpinfo' function may reveal sensitive information about your environment.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.php.net/manual/en/function.phpinfo",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"pattern": "phpinfo(...);",
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.redirect-to-request-uri",
"languages": [
"php"
],
"message": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.php.net/manual/en/reserved.variables.server.php",
"https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "header('$LOCATION' . $_SERVER['REQUEST_URI']);\n"
},
{
"pattern": "header('$LOCATION' . $_SERVER['REQUEST_URI'] . $MORE);\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$LOCATION",
"regex": "^(?i)location:\\s*$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.tainted-exec",
"languages": [
"php"
],
"message": "Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.stackhawk.com/blog/php-command-injection/",
"https://brightsec.com/blog/code-injection-php/",
"https://www.acunetix.com/websitesecurity/php-security-2/"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "escapeshellarg(...)"
}
],
"pattern-sinks": [
{
"pattern": "exec(...)"
},
{
"pattern": "system(...)"
},
{
"pattern": "popen(...)"
},
{
"pattern": "passthru(...)"
},
{
"pattern": "shell_exec(...)"
},
{
"pattern": "pcntl_exec(...)"
},
{
"pattern": "proc_open(...)"
}
],
"pattern-sources": [
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.unlink-use",
"languages": [
"php"
],
"message": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.php.net/manual/en/function.unlink",
"https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "unlink(...)"
},
{
"pattern-not": "unlink(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.unserialize-use",
"languages": [
"php"
],
"message": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://www.php.net/manual/en/function.unserialize.php",
"https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "unserialize(...)"
},
{
"pattern-not": "unserialize(\"...\",...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.weak-crypto",
"languages": [
"php"
],
"message": "Detected usage of weak crypto function. Consider using stronger alternatives.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.php.net/manual/en/book.sodium.php",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "$FUNC(...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "crypt|md5|md5_file|sha1|sha1_file|str_rot13"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.audit.assert-use-audit",
"languages": [
"php"
],
"message": "Calling assert with user input is equivalent to eval'ing.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.assert",
"https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php"
],
"subcategory": [
"audit"
],
"technology": [
"php"
]
},
"patterns": [
{
"pattern": "assert($ASSERT, ...);"
},
{
"pattern-not": "assert(\"...\", ...);"
},
{
"metavariable-regex": {
"metavariable": "$ASSERT",
"regex": "\\A\\$[A-Za-z\\[\\]\\-_'\"\\$]+(\\-\\>\\w+)?\\Z"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.audit.openssl-decrypt-validate",
"languages": [
"php"
],
"message": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-252: Unchecked Return Value"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.php.net/manual/en/function.openssl-decrypt.php"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"openssl"
]
},
"patterns": [
{
"pattern": "openssl_decrypt(...);"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nif($DECRYPTED_STRING === false){\n ...\n}\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nif($DECRYPTED_STRING == false){\n ...\n}\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nif(false === $DECRYPTED_STRING){\n ...\n}\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nif(false == $DECRYPTED_STRING){\n ...\n}\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nassertTrue(false !== $DECRYPTED_STRING,...);\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nassertTrue($DECRYPTED_STRING !== false,...);\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\n$REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...);\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\n$REFERENCE::assertTrue($DECRYPTED_STRING !== false,...);\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nassert(false !== $DECRYPTED_STRING,...);\n"
},
{
"pattern-not-inside": "$DECRYPTED_STRING = openssl_decrypt(...);\n...\nassert($DECRYPTED_STRING !== false,...);\n"
}
],
"severity": "WARNING"
},
{
"fix": "echo htmlentities($...VARS);",
"id": "vendored-rules.php.lang.security.injection.echoed-request",
"languages": [
"php"
],
"message": "`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.htmlentities.php",
"https://www.php.net/manual/en/reserved.variables.request.php",
"https://www.php.net/manual/en/reserved.variables.post.php",
"https://www.php.net/manual/en/reserved.variables.get.php",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "htmlentities(...)"
},
{
"pattern": "htmlspecialchars(...)"
},
{
"pattern": "strip_tags(...)"
},
{
"pattern": "isset(...)"
},
{
"pattern": "empty(...)"
},
{
"pattern": "esc_html(...)"
},
{
"pattern": "esc_attr(...)"
},
{
"pattern": "wp_kses(...)"
},
{
"pattern": "e(...)"
},
{
"pattern": "twig_escape_filter(...)"
},
{
"pattern": "xss_clean(...)"
},
{
"pattern": "html_escape(...)"
},
{
"pattern": "Html::escape(...)"
},
{
"pattern": "Xss::filter(...)"
},
{
"pattern": "escapeHtml(...)"
},
{
"pattern": "escapeHtml(...)"
},
{
"pattern": "escapeHtmlAttr(...)"
}
],
"pattern-sinks": [
{
"pattern": "echo $...VARS;"
}
],
"pattern-sources": [
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
}
],
"severity": "ERROR"
},
{
"fix": "print(htmlentities($...VARS));",
"id": "vendored-rules.php.lang.security.injection.printed-request",
"languages": [
"php"
],
"message": "`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/function.htmlentities.php",
"https://www.php.net/manual/en/reserved.variables.request.php",
"https://www.php.net/manual/en/reserved.variables.post.php",
"https://www.php.net/manual/en/reserved.variables.get.php",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "htmlentities(...)"
},
{
"pattern": "htmlspecialchars(...)"
},
{
"pattern": "strip_tags(...)"
},
{
"pattern": "isset(...)"
},
{
"pattern": "empty(...)"
},
{
"pattern": "esc_html(...)"
},
{
"pattern": "esc_attr(...)"
},
{
"pattern": "wp_kses(...)"
},
{
"pattern": "e(...)"
},
{
"pattern": "twig_escape_filter(...)"
},
{
"pattern": "xss_clean(...)"
},
{
"pattern": "html_escape(...)"
},
{
"pattern": "Html::escape(...)"
},
{
"pattern": "Xss::filter(...)"
},
{
"pattern": "escapeHtml(...)"
},
{
"pattern": "escapeHtml(...)"
},
{
"pattern": "escapeHtmlAttr(...)"
}
],
"pattern-sinks": [
{
"pattern": "print($...VARS);"
}
],
"pattern-sources": [
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-callable",
"languages": [
"php"
],
"message": "Callable based on user input risks remote code execution.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.php.net/manual/en/language.types.callable.php"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$CALLABLE"
},
{
"pattern-either": [
{
"pattern-inside": "$ARRAYITERATOR->uasort($CALLABLE)"
},
{
"pattern-inside": "$ARRAYITERATOR->uksort($CALLABLE)"
},
{
"pattern-inside": "$EVENTHTTP->setCallback($CALLABLE, ...)"
},
{
"pattern-inside": "$EVENTHTTPCONNECTION->setCloseCallback($CALLABLE, ...)"
},
{
"pattern-inside": "$EVLOOP->fork($CALLABLE, ...)"
},
{
"pattern-inside": "$EVLOOP->idle($CALLABLE, ...)"
},
{
"pattern-inside": "$EVLOOP->prepare($CALLABLE, ...)"
},
{
"pattern-inside": "$EVWATCHER->setCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setClientCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setCompleteCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setCreatedCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setDataCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setExceptionCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setFailCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setStatusCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setWarningCallback($CALLABLE)"
},
{
"pattern-inside": "$GEARMANCLIENT->setWorkloadCallback($CALLABLE)"
},
{
"pattern-inside": "$IMAGICK->setProgressMonitor($CALLABLE)"
},
{
"pattern-inside": "$OAUTHPROVIDER->consumerHandler($CALLABLE)"
},
{
"pattern-inside": "$OAUTHPROVIDER->tokenHandler($CALLABLE)"
},
{
"pattern-inside": "$PDO->sqliteCreateCollation($NAME, $CALLABLE)"
},
{
"pattern-inside": "$PDOSTATEMENT->fetchAll(PDO::FETCH_FUNC, $CALLABLE)"
},
{
"pattern-inside": "$SQLITE3->createCollation($NAME, $CALLABLE)"
},
{
"pattern-inside": "$SQLITE3->setAuthorizer($CALLABLE)"
},
{
"pattern-inside": "$ZIPARCHIVE->registerCancelCallback($CALLABLE)"
},
{
"pattern-inside": "$ZIPARCHIVE->registerProgressCallback($RATE, $CALLABLE)"
},
{
"pattern-inside": "$ZMQDEVICE->setIdleCallback($CALLABLE, ...)"
},
{
"pattern-inside": "$ZMQDEVICE->setTimerCallback($CALLABLE, ...)"
},
{
"pattern-inside": "apcu_entry($KEY, $CALLABLE, ...)"
},
{
"pattern-inside": "array_filter($ARRAY, $CALLABLE, ...)"
},
{
"pattern-inside": "array_map($CALLABLE, ...)"
},
{
"pattern-inside": "array_reduce($ARRAY, $CALLABLE, ...)"
},
{
"pattern-inside": "array_walk_recursive($ARRAY, $CALLABLE, ...)"
},
{
"pattern-inside": "array_walk($ARRAY, $CALLABLE, ...)"
},
{
"pattern-inside": "call_user_func_array($CALLABLE, ...)"
},
{
"pattern-inside": "call_user_func($CALLABLE, ...)"
},
{
"pattern-inside": "Closure::fromCallable($CALLABLE)"
},
{
"pattern-inside": "createCollation($NAME, $CALLABLE)"
},
{
"pattern-inside": "eio_grp($CALLABLE, ...)"
},
{
"pattern-inside": "eio_nop($PRI, $CALLABLE, ...)"
},
{
"pattern-inside": "eio_sync($PRI, $CALLABLE, ...)"
},
{
"pattern-inside": "EvPrepare::createStopped($CALLABLE, ...)"
},
{
"pattern-inside": "fann_set_callback($ANN, $CALLABLE)"
},
{
"pattern-inside": "fdf_enum_values($FDF_DOCUMENT, $CALLABLE, ...)"
},
{
"pattern-inside": "forward_static_call_array($CALLABLE, ...)"
},
{
"pattern-inside": "forward_static_call($CALLABLE, ...)"
},
{
"pattern-inside": "header_register_callback($CALLABLE)"
},
{
"pattern-inside": "ibase_set_event_handler($CALLABLE, ...)"
},
{
"pattern-inside": "IntlChar::enumCharTypes($CALLABLE)"
},
{
"pattern-inside": "iterator_apply($ITERATOR, $CALLABLE)"
},
{
"pattern-inside": "ldap_set_rebind_proc($LDAP, $CALLABLE)"
},
{
"pattern-inside": "libxml_set_external_entity_loader($CALLABLE, ...)"
},
{
"pattern-inside": "new CallbackFilterIterator($ITERATOR, $CALLABLE)"
},
{
"pattern-inside": "new EvCheck($CALLABLE, ...)"
},
{
"pattern-inside": "new EventHttpRequest($CALLABLE, ...)"
},
{
"pattern-inside": "new EvFork($CALLABLE, ...)"
},
{
"pattern-inside": "new EvIdle($CALLABLE, ...)"
},
{
"pattern-inside": "new Fiber($CALLABLE)"
},
{
"pattern-inside": "new Memcached($PERSISTENT_ID, $CALLABLE, ...)"
},
{
"pattern-inside": "new RecursiveCallbackFilterIterator($ITERATOR, $CALLABLE)"
},
{
"pattern-inside": "new Zookeeper($HOST, $CALLABLE, ...)"
},
{
"pattern-inside": "ob_start($CALLABLE, ...)"
},
{
"pattern-inside": "oci_register_taf_callback($CONNECTION, $CALLABLE)"
},
{
"pattern-inside": "readline_callback_handler_install($PROMPT, $CALLABLE)"
},
{
"pattern-inside": "readline_completion_function($CALLABLE)"
},
{
"pattern-inside": "register_shutdown_function($CALLABLE, ...)"
},
{
"pattern-inside": "register_tick_function($CALLABLE, ...)"
},
{
"pattern-inside": "rnp_ffi_set_pass_provider($FFI, $CALLABLE)"
},
{
"pattern-inside": "sapi_windows_set_ctrl_handler($CALLABLE, ...)"
},
{
"pattern-inside": "set_error_handler($CALLABLE, ...)"
},
{
"pattern-inside": "set_exception_handler($CALLABLE)"
},
{
"pattern-inside": "setAuthorizer($CALLABLE)"
},
{
"pattern-inside": "spl_autoload_register($CALLABLE, ...)"
},
{
"pattern-inside": "uasort($ARRAY, $CALLABLE)"
},
{
"pattern-inside": "uksort($ARRAY, $CALLABLE)"
},
{
"pattern-inside": "usort($ARRAY, $CALLABLE)"
},
{
"pattern-inside": "xml_set_character_data_handler($PARSER, $CALLABLE)"
},
{
"pattern-inside": "xml_set_default_handler($PARSER, $CALLABLE)"
},
{
"pattern-inside": "xml_set_element_handler($PARSER, $CALLABLE, $CALLABLE)"
},
{
"pattern-inside": "xml_set_notation_decl_handler($PARSER, $CALLABLE)"
},
{
"pattern-inside": "Yar_Concurrent_Client::loop($CALLABLE, ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "file_get_contents('php://input')"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-exec",
"languages": [
"php"
],
"message": "User input is passed to a function that executes a shell command. This can lead to remote code execution.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "escapeshellcmd(...)"
},
{
"pattern": "escapeshellarg(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "exec(...)"
},
{
"pattern": "system(...)"
},
{
"pattern": "passthru(...)"
},
{
"patterns": [
{
"pattern": "proc_open(...)"
},
{
"pattern-not": "proc_open([...], ...)"
}
]
},
{
"pattern": "popen(...)"
},
{
"pattern": "expect_popen(...)"
},
{
"pattern": "shell_exec(...)"
},
{
"pattern": "`...`\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "file_get_contents('php://input')"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-filename",
"languages": [
"php"
],
"message": "File name based on user input risks server-side request forgery.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "basename($PATH, ...)"
},
{
"pattern-inside": "linkinfo($PATH, ...)"
},
{
"pattern-inside": "readlink($PATH, ...)"
},
{
"pattern-inside": "realpath($PATH, ...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "opcache_compile_file($FILENAME, ...)"
},
{
"pattern-inside": "opcache_invalidate($FILENAME, ...)"
},
{
"pattern-inside": "opcache_is_script_cached($FILENAME, ...)"
},
{
"pattern-inside": "runkit7_import($FILENAME, ...)"
},
{
"pattern-inside": "readline_read_history($FILENAME, ...)"
},
{
"pattern-inside": "readline_write_history($FILENAME, ...)"
},
{
"pattern-inside": "rar_open($FILENAME, ...)"
},
{
"pattern-inside": "zip_open($FILENAME, ...)"
},
{
"pattern-inside": "gzfile($FILENAME, ...)"
},
{
"pattern-inside": "gzopen($FILENAME, ...)"
},
{
"pattern-inside": "readgzfile($FILENAME, ...)"
},
{
"pattern-inside": "hash_file($ALGO, $FILENAME, ...)"
},
{
"pattern-inside": "hash_update_file($CONTEXT, $FILENAME, ...)"
},
{
"pattern-inside": "pg_trace($FILENAME, ...)"
},
{
"pattern-inside": "dio_open($FILENAME, ...)"
},
{
"pattern-inside": "finfo_file($FINFO, $FILENAME, ...)"
},
{
"pattern-inside": "mime_content_type($FILENAME, ...)"
},
{
"pattern-inside": "chgrp($FILENAME, ...)"
},
{
"pattern-inside": "chmod($FILENAME, ...)"
},
{
"pattern-inside": "chown($FILENAME, ...)"
},
{
"pattern-inside": "clearstatcache($CLEAR_REALPATH_CACHE, $FILENAME, ...)"
},
{
"pattern-inside": "file_exists($FILENAME, ...)"
},
{
"pattern-inside": "file_get_contents($FILENAME, ...)"
},
{
"pattern-inside": "file_put_contents($FILENAME, ...)"
},
{
"pattern-inside": "file($FILENAME, ...)"
},
{
"pattern-inside": "fileatime($FILENAME, ...)"
},
{
"pattern-inside": "filectime($FILENAME, ...)"
},
{
"pattern-inside": "filegroup($FILENAME, ...)"
},
{
"pattern-inside": "fileinode($FILENAME, ...)"
},
{
"pattern-inside": "filemtime($FILENAME, ...)"
},
{
"pattern-inside": "fileowner($FILENAME, ...)"
},
{
"pattern-inside": "fileperms($FILENAME, ...)"
},
{
"pattern-inside": "filesize($FILENAME, ...)"
},
{
"pattern-inside": "filetype($FILENAME, ...)"
},
{
"pattern-inside": "fnmatch($PATTERN, $FILENAME, ...)"
},
{
"pattern-inside": "fopen($FILENAME, ...)"
},
{
"pattern-inside": "is_dir($FILENAME, ...)"
},
{
"pattern-inside": "is_executable($FILENAME, ...)"
},
{
"pattern-inside": "is_file($FILENAME, ...)"
},
{
"pattern-inside": "is_link($FILENAME, ...)"
},
{
"pattern-inside": "is_readable($FILENAME, ...)"
},
{
"pattern-inside": "is_uploaded_file($FILENAME, ...)"
},
{
"pattern-inside": "is_writable($FILENAME, ...)"
},
{
"pattern-inside": "lchgrp($FILENAME, ...)"
},
{
"pattern-inside": "lchown($FILENAME, ...)"
},
{
"pattern-inside": "lstat($FILENAME, ...)"
},
{
"pattern-inside": "parse_ini_file($FILENAME, ...)"
},
{
"pattern-inside": "readfile($FILENAME, ...)"
},
{
"pattern-inside": "stat($FILENAME, ...)"
},
{
"pattern-inside": "touch($FILENAME, ...)"
},
{
"pattern-inside": "unlink($FILENAME, ...)"
},
{
"pattern-inside": "xattr_get($FILENAME, ...)"
},
{
"pattern-inside": "xattr_list($FILENAME, ...)"
},
{
"pattern-inside": "xattr_remove($FILENAME, ...)"
},
{
"pattern-inside": "xattr_set($FILENAME, ...)"
},
{
"pattern-inside": "xattr_supported($FILENAME, ...)"
},
{
"pattern-inside": "enchant_broker_request_pwl_dict($BROKER, $FILENAME, ...)"
},
{
"pattern-inside": "pspell_config_personal($CONFIG, $FILENAME, ...)"
},
{
"pattern-inside": "pspell_config_repl($CONFIG, $FILENAME, ...)"
},
{
"pattern-inside": "pspell_new_personal($FILENAME, ...)"
},
{
"pattern-inside": "exif_imagetype($FILENAME, ...)"
},
{
"pattern-inside": "getimagesize($FILENAME, ...)"
},
{
"pattern-inside": "image2wbmp($IMAGE, $FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromavif($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefrombmp($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromgd2($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromgd2part($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromgd($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromgif($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromjpeg($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefrompng($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromtga($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromwbmp($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromwebp($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromxbm($FILENAME, ...)"
},
{
"pattern-inside": "imagecreatefromxpm($FILENAME, ...)"
},
{
"pattern-inside": "imageloadfont($FILENAME, ...)"
},
{
"pattern-inside": "imagexbm($IMAGE, $FILENAME, ...)"
},
{
"pattern-inside": "iptcembed($IPTC_DATA, $FILENAME, ...)"
},
{
"pattern-inside": "mailparse_msg_extract_part_file($MIMEMAIL, $FILENAME, ...)"
},
{
"pattern-inside": "mailparse_msg_extract_whole_part_file($MIMEMAIL, $FILENAME, ...)"
},
{
"pattern-inside": "mailparse_msg_parse_file($FILENAME, ...)"
},
{
"pattern-inside": "fdf_add_template($FDF_DOCUMENT, $NEWPAGE, $FILENAME, ...)"
},
{
"pattern-inside": "fdf_get_ap($FDF_DOCUMENT, $FIELD, $FACE, $FILENAME, ...)"
},
{
"pattern-inside": "fdf_open($FILENAME, ...)"
},
{
"pattern-inside": "fdf_save($FDF_DOCUMENT, $FILENAME, ...)"
},
{
"pattern-inside": "fdf_set_ap($FDF_DOCUMENT, $FIELD_NAME, $FACE, $FILENAME, ...)"
},
{
"pattern-inside": "ps_add_launchlink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, ...)"
},
{
"pattern-inside": "ps_add_pdflink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, ...)"
},
{
"pattern-inside": "ps_open_file($PSDOC, $FILENAME, ...)"
},
{
"pattern-inside": "ps_open_image_file($PSDOC, $TYPE, $FILENAME, ...)"
},
{
"pattern-inside": "posix_access($FILENAME, ...)"
},
{
"pattern-inside": "posix_mkfifo($FILENAME, ...)"
},
{
"pattern-inside": "posix_mknod($FILENAME, ...)"
},
{
"pattern-inside": "ftok($FILENAME, ...)"
},
{
"pattern-inside": "fann_cascadetrain_on_file($ANN, $FILENAME, ...)"
},
{
"pattern-inside": "fann_read_train_from_file($FILENAME, ...)"
},
{
"pattern-inside": "fann_train_on_file($ANN, $FILENAME, ...)"
},
{
"pattern-inside": "highlight_file($FILENAME, ...)"
},
{
"pattern-inside": "php_strip_whitespace($FILENAME, ...)"
},
{
"pattern-inside": "stream_resolve_include_path($FILENAME, ...)"
},
{
"pattern-inside": "swoole_async_read($FILENAME, ...)"
},
{
"pattern-inside": "swoole_async_readfile($FILENAME, ...)"
},
{
"pattern-inside": "swoole_async_write($FILENAME, ...)"
},
{
"pattern-inside": "swoole_async_writefile($FILENAME, ...)"
},
{
"pattern-inside": "swoole_load_module($FILENAME, ...)"
},
{
"pattern-inside": "tidy_parse_file($FILENAME, ...)"
},
{
"pattern-inside": "tidy_repair_file($FILENAME, ...)"
},
{
"pattern-inside": "get_meta_tags($FILENAME, ...)"
},
{
"pattern-inside": "yaml_emit_file($FILENAME, ...)"
},
{
"pattern-inside": "yaml_parse_file($FILENAME, ...)"
},
{
"pattern-inside": "curl_file_create($FILENAME, ...)"
},
{
"pattern-inside": "ftp_chmod($FTP, $PERMISSIONS, $FILENAME, ...)"
},
{
"pattern-inside": "ftp_delete($FTP, $FILENAME, ...)"
},
{
"pattern-inside": "ftp_mdtm($FTP, $FILENAME, ...)"
},
{
"pattern-inside": "ftp_size($FTP, $FILENAME, ...)"
},
{
"pattern-inside": "rrd_create($FILENAME, ...)"
},
{
"pattern-inside": "rrd_fetch($FILENAME, ...)"
},
{
"pattern-inside": "rrd_graph($FILENAME, ...)"
},
{
"pattern-inside": "rrd_info($FILENAME, ...)"
},
{
"pattern-inside": "rrd_last($FILENAME, ...)"
},
{
"pattern-inside": "rrd_lastupdate($FILENAME, ...)"
},
{
"pattern-inside": "rrd_tune($FILENAME, ...)"
},
{
"pattern-inside": "rrd_update($FILENAME, ...)"
},
{
"pattern-inside": "snmp_read_mib($FILENAME, ...)"
},
{
"pattern-inside": "ssh2_sftp_chmod($SFTP, $FILENAME, ...)"
},
{
"pattern-inside": "ssh2_sftp_realpath($SFTP, $FILENAME, ...)"
},
{
"pattern-inside": "ssh2_sftp_unlink($SFTP, $FILENAME, ...)"
},
{
"pattern-inside": "apache_lookup_uri($FILENAME, ...)"
},
{
"pattern-inside": "md5_file($FILENAME, ...)"
},
{
"pattern-inside": "sha1_file($FILENAME, ...)"
},
{
"pattern-inside": "simplexml_load_file($FILENAME, ...)"
}
]
},
{
"pattern": "$FILENAME"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_SERVER"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-object-instantiation",
"languages": [
"php"
],
"message": "<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "new $SINK(...)"
}
]
},
{
"pattern": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_SERVER"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-session",
"languages": [
"php"
],
"message": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-284: Improper Access Control"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://en.wikipedia.org/wiki/Session_poisoning"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$A . $B"
},
{
"pattern": "bin2hex(...)"
},
{
"pattern": "crc32(...)"
},
{
"pattern": "crypt(...)"
},
{
"pattern": "filter_input(...)"
},
{
"pattern": "filter_var(...)"
},
{
"pattern": "hash(...)"
},
{
"pattern": "md5(...)"
},
{
"pattern": "preg_filter(...)"
},
{
"pattern": "preg_grep(...)"
},
{
"pattern": "preg_match_all(...)"
},
{
"pattern": "sha1(...)"
},
{
"pattern": "sprintf(...)"
},
{
"pattern": "str_contains(...)"
},
{
"pattern": "str_ends_with(...)"
},
{
"pattern": "str_starts_with(...)"
},
{
"pattern": "strcasecmp(...)"
},
{
"pattern": "strchr(...)"
},
{
"pattern": "stripos(...)"
},
{
"pattern": "stristr(...)"
},
{
"pattern": "strnatcasecmp(...)"
},
{
"pattern": "strnatcmp(...)"
},
{
"pattern": "strncmp(...)"
},
{
"pattern": "strpbrk(...)"
},
{
"pattern": "strpos(...)"
},
{
"pattern": "strripos(...)"
},
{
"pattern": "strrpos(...)"
},
{
"pattern": "strspn(...)"
},
{
"pattern": "strstr(...)"
},
{
"pattern": "strtok(...)"
},
{
"pattern": "substr_compare(...)"
},
{
"pattern": "substr_count(...)"
},
{
"pattern": "vsprintf(...)"
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$_SESSION[$KEY] = $VAL;"
},
{
"pattern": "$KEY"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-sql-string",
"languages": [
"php"
],
"message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "mysqli_real_escape_string(...)"
},
{
"pattern": "real_escape_string(...)"
},
{
"pattern": "$MYSQLI->real_escape_string(...)"
}
]
}
],
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "sprintf($SQLSTR, ...)\n"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
},
{
"patterns": [
{
"pattern": "\"...$EXPR...\"\n"
},
{
"metavariable-regex": {
"metavariable": "$EXPR",
"regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
},
{
"patterns": [
{
"pattern": "\"$SQLSTR\".$EXPR\n"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.lang.security.injection.tainted-url-host",
"languages": [
"php"
],
"message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"php"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "sprintf($URLSTR, ...)\n"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"pattern": "$SCHEME://%s"
}
}
]
},
{
"patterns": [
{
"pattern": "\"...{$EXPR}...\"\n"
},
{
"pattern-regex": ".*://\\{.*\n"
}
]
},
{
"patterns": [
{
"pattern": "\"...$EXPR...\"\n"
},
{
"pattern-regex": ".*://\\$.*\n"
}
]
},
{
"patterns": [
{
"pattern": "\"...\".$EXPR\n"
},
{
"pattern-regex": ".*://[\"'].*\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.laravel.security.laravel-active-debug-code",
"languages": [
"php"
],
"message": "Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md",
"https://laravel.com/docs/9.x/configuration"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "putenv(\"APP_DEBUG=true\")\n"
},
{
"pattern": "config(['app.debug' => 'true'])\n"
},
{
"pattern": "$_ENV[\"APP_DEBUG\"] = 'true'\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-api-route-sql-injection",
"languages": [
"php"
],
"message": "HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"vuln"
],
"technology": [
"php",
"laravel"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "DB::raw(\"...\",[...])\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "DB::raw(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": "$ARG"
},
{
"pattern-inside": "Route::$METHOD($ROUTE_NAME, function(...,$ARG,...){...})\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.laravel.security.laravel-blade-form-missing-csrf",
"languages": [
"generic"
],
"message": "Detected a form executing a state-changing HTTP method `$METHOD` to route definition `$...ROUTE` without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://laravel.com/docs/9.x/csrf"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel",
"blade"
]
},
"paths": {
"include": [
"*.blade.php"
]
},
"patterns": [
{
"pattern": "action=\"$...ROUTE\"\n"
},
{
"pattern-inside": "<form ... method=\"$METHOD\" ... >\n...\n"
},
{
"pattern-not-inside": "<!-- ... ... ... ... ... ... ... -->\n"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$...ROUTE",
"patterns": [
{
"pattern-not-regex": "\\A\\s*\\Z"
},
{
"pattern-not": "#"
}
]
}
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(?i)(post|put|patch|delete)"
}
},
{
"pattern-not-inside": "<form ...>\n...\n...\n...\n@csrf\n"
},
{
"pattern-not-inside": "<form ...>\n...\n...\n...\ncsrf_field()\n"
},
{
"pattern-not-inside": "<form ...>\n...\n...\n...\ncsrf_token()\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.laravel.security.laravel-cookie-http-only",
"languages": [
"php"
],
"message": "Found a configuration file where the HttpOnly attribute is not set to true. Setting `http_only` to true makes sure that your cookies are inaccessible from Javascript, which mitigates XSS attacks. Instead, set the 'http_only' like so: `http_only` => true ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"paths": {
"include": [
"*session.php"
]
},
"patterns": [
{
"pattern": "'cookie'\n"
},
{
"pattern-inside": "return [\n ...,\n 'cookie' => env(...),\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'http_only' => true,\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'http_only' => env('$NAME', $DEFAULT),\n ...\n];\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-cookie-long-timeout",
"languages": [
"php"
],
"message": "Found a configuration file where the lifetime attribute is over 30 minutes.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"paths": {
"include": [
"*session.php"
]
},
"patterns": [
{
"pattern": "'lifetime'\n"
},
{
"pattern-inside": "return [\n ...,\n 'lifetime' => $TIME,\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'lifetime' => env(\"$VAR\", $DEFAULT),\n ...\n];\n"
},
{
"metavariable-comparison": {
"comparison": "$TIME > 30",
"metavariable": "$TIME"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-cookie-null-domain",
"languages": [
"php"
],
"message": "Found a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies. ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"paths": {
"include": [
"*session.php"
]
},
"patterns": [
{
"pattern": "'cookie'\n"
},
{
"pattern-inside": "return [\n ...,\n 'cookie' => env(...),\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'domain' => null,\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'domain' => env('$NAME', $DEFAULT),\n ...\n];\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-cookie-same-site",
"languages": [
"php"
],
"message": "Found a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting 'same_site' to 'lax' or 'strict' restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"paths": {
"include": [
"*session.php"
]
},
"patterns": [
{
"pattern": "'cookie'\n"
},
{
"pattern-inside": "return [\n ...,\n 'cookie' => env(...),\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'same_site' => 'lax',\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'same_site' => 'strict',\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'same_site' => env('$NAME', $DEFAULT),\n ...\n];\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-cookie-secure-set",
"languages": [
"php"
],
"message": "Found a configuration file where the secure attribute is not set to 'true'. Setting 'secure' to 'true' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks. ",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel"
]
},
"paths": {
"include": [
"*session.php"
]
},
"patterns": [
{
"pattern": "'cookie'\n"
},
{
"pattern-inside": "return [\n ...,\n 'cookie' => env(...),\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'secure' => true,\n ...\n];\n"
},
{
"pattern-not-inside": "return [\n ...,\n 'secure' => env('$NAME', $DEFAULT),\n ...\n];\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-dangerous-model-construction",
"languages": [
"php"
],
"message": "Setting `$guarded` to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://laravel.com/docs/9.x/eloquent#allowing-mass-assignment",
"https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md"
],
"subcategory": [
"audit"
],
"technology": [
"php",
"laravel",
"eloquent"
]
},
"patterns": [
{
"pattern": "$guarded = [];\n"
},
{
"pattern-inside": "class $CLASS extends Model {\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.laravel.security.laravel-sql-injection",
"languages": [
"php"
],
"message": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://laravel.com/docs/8.x/queries"
],
"subcategory": [
"vuln"
],
"technology": [
"laravel"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$SQL"
},
{
"pattern-either": [
{
"pattern-inside": "DB::table(...)->whereRaw($SQL, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereRaw($SQL, ...)"
},
{
"pattern-inside": "DB::table(...)->groupByRaw($SQL, ...)"
},
{
"pattern-inside": "DB::table(...)->havingRaw($SQL, ...)"
},
{
"pattern-inside": "DB::table(...)->orHavingRaw($SQL, ...)"
},
{
"pattern-inside": "DB::table(...)->orderByRaw($SQL, ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$EXPRESSION"
},
{
"pattern-either": [
{
"pattern-inside": "DB::table(...)->selectRaw($EXPRESSION, ...)"
},
{
"pattern-inside": "DB::table(...)->fromRaw($EXPRESSION, ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$COLUMNS"
},
{
"pattern-either": [
{
"pattern-inside": "DB::table(...)->whereNull($COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereNull($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->whereNotNull($COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->whereRowValues($COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereRowValues($COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->find($ID, $COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->paginate($PERPAGE, $COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->simplePaginate($PERPAGE, $COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->cursorPaginate($PERPAGE, $COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->getCountForPagination($COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->aggregate($FUNCTION, $COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->numericAggregate($FUNCTION, $COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->insertUsing($COLUMNS, ...)"
},
{
"pattern-inside": "DB::table(...)->select($COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->get($COLUMNS)"
},
{
"pattern-inside": "DB::table(...)->count($COLUMNS)"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$COLUMN"
},
{
"pattern-either": [
{
"pattern-inside": "DB::table(...)->whereIn($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereIn($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereNotIn($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereNotIn($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereIntegerInRaw($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereIntegerInRaw($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereIntegerNotInRaw($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereIntegerNotInRaw($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereBetweenColumns($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereBetween($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereBetweenColumns($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereNotBetween($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereNotBetweenColumns($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereNotBetween($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereNotBetweenColumns($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereNotNull($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->whereDate($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereDate($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereTime($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereTime($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereDay($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereDay($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereMonth($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereMonth($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereYear($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereYear($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereJsonContains($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereJsonContains($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereJsonDoesntContain($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereJsonDoesntContain($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->whereJsonLength($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhereJsonLength($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->having($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orHaving($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->havingBetween($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orderBy($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orderByDesc($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->latest($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->oldest($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->forPageBeforeId($PERPAGE, $LASTID, $COLUMN)"
},
{
"pattern-inside": "DB::table(...)->forPageAfterId($PERPAGE, $LASTID, $COLUMN)"
},
{
"pattern-inside": "DB::table(...)->value($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->pluck($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->implode($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->min($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->max($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->sum($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->avg($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->average($COLUMN)"
},
{
"pattern-inside": "DB::table(...)->increment($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->decrement($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->where($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->orWhere($COLUMN, ...)"
},
{
"pattern-inside": "DB::table(...)->addSelect($COLUMN)"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$QUERY"
},
{
"pattern-inside": "DB::unprepared($QUERY)"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$_GET"
},
{
"pattern": "$_POST"
},
{
"pattern": "$_COOKIE"
},
{
"pattern": "$_REQUEST"
},
{
"pattern": "$_SERVER"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.laravel.security.laravel-unsafe-validator",
"languages": [
"php"
],
"message": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://laravel.com/docs/9.x/validation#rule-unique"
],
"subcategory": [
"vuln"
],
"technology": [
"php",
"laravel"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "Illuminate\\Validation\\Rule::unique(...)->ignore(...,$IGNORE,...)\n"
},
{
"focus-metavariable": "$IGNORE"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "public function $F(...,Request $R,...){...}\n"
},
{
"focus-metavariable": "$R"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$this->$PROPERTY\n"
},
{
"pattern": "$this->$PROPERTY->$GET\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$PROPERTY",
"patterns": [
{
"pattern-either": [
{
"pattern": "query"
},
{
"pattern": "request"
},
{
"pattern": "headers"
},
{
"pattern": "cookies"
},
{
"pattern": "cookie"
},
{
"pattern": "files"
},
{
"pattern": "file"
},
{
"pattern": "allFiles"
},
{
"pattern": "input"
},
{
"pattern": "all"
},
{
"pattern": "post"
},
{
"pattern": "json"
}
]
}
]
}
},
{
"pattern-either": [
{
"pattern-inside": "class $CL extends Illuminate\\Http\\Request {...}\n"
},
{
"pattern-inside": "class $CL extends Illuminate\\Foundation\\Http\\FormRequest {...}\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.php.symfony.security.audit.symfony-csrf-protection-disabled",
"languages": [
"php"
],
"message": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://symfony.com/doc/current/security/csrf.html"
],
"subcategory": [
"audit"
],
"technology": [
"symfony"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X->createForm($TYPE, $TASK, [..., 'csrf_protection' => false, ...], ...)"
},
{
"pattern": "$X->prependExtensionConfig('framework', [..., 'csrf_protection' => false, ...], ...)"
},
{
"pattern": "$X->loadFromExtension('framework', [..., 'csrf_protection' => false, ...], ...)"
},
{
"pattern": "$X->setDefaults([..., 'csrf_protection' => false, ...], ...)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$X->createForm($TYPE, $TASK, [..., 'csrf_protection' => $VAL, ...], ...)"
},
{
"pattern": "$X->prependExtensionConfig('framework', [..., 'csrf_protection' => $VAL, ...], ...)"
},
{
"pattern": "$X->loadFromExtension('framework', [..., 'csrf_protection' => $VAL, ...], ...)"
},
{
"pattern": "$X->setDefaults([..., 'csrf_protection' => $VAL, ...], ...)"
}
]
},
{
"pattern-inside": "$VAL = false;\n...\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.symfony.security.audit.symfony-non-literal-redirect",
"languages": [
"php"
],
"message": "The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://symfony.com/doc/current/controller.html#redirecting",
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"symfony"
]
},
"patterns": [
{
"pattern": "$this->redirect(...)"
},
{
"pattern-not": "$this->redirect(\"...\")"
},
{
"pattern-not": "$this->redirect()"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.symfony.security.audit.symfony-permissive-cors",
"languages": [
"php"
],
"message": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-346: Origin Validation Error"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"
],
"subcategory": [
"audit"
],
"technology": [
"symfony"
]
},
"patterns": [
{
"pattern-inside": "use Symfony\\Component\\HttpFoundation\\Response;\n...\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "new Symfony\\Component\\HttpFoundation\\Response($X, $Y, $HEADERS, ...)\n"
},
{
"pattern": "new Response($X, $Y, $HEADERS, ...)"
}
]
},
{
"pattern-either": [
{
"pattern": "new $R($X, $Y, [$KEY => $VALUE], ...)"
},
{
"pattern-inside": "$HEADERS = [$KEY => $VALUE];\n...\n"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$RES->headers->set($KEY, $VALUE)"
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$KEY",
"regex": "(\\'|\\\")\\s*(Access-Control-Allow-Origin|access-control-allow-origin)\\s*(\\'|\\\")"
}
},
{
"metavariable-regex": {
"metavariable": "$VALUE",
"regex": "(\\'|\\\")\\s*(\\*)\\s*(\\'|\\\")"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit",
"languages": [
"php"
],
"message": "These hooks allow the developer to handle the custom AJAX endpoints.\"wp_ajax_$action\" hook get fires for any authenticated user and \"wp_ajax_nopriv_$action\" hook get fires for non-authenticated users.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-285: Improper Authorization"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#authorisation",
"https://developer.wordpress.org/reference/hooks/wp_ajax_action/"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern": "add_action($HOOK,...)"
},
{
"metavariable-regex": {
"metavariable": "$HOOK",
"regex": "'wp_ajax_.*'"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-authorisation-checks-audit",
"languages": [
"php"
],
"message": "These are some of the patterns used for authorisation. Look properly if the authorisation is proper or not.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-285: Improper Authorization"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#authorisation"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern": "$FUNCTION(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "current_user_can|is_admin|is_user_logged_in|is_user_admin"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-code-execution-audit",
"languages": [
"php"
],
"message": "These functions can lead to code injection if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-code-execution"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "eval(...)"
},
{
"pattern": "assert(...)"
},
{
"pattern": "call_user_func(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-command-execution-audit",
"languages": [
"php"
],
"message": "These functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "system(...)"
},
{
"pattern": "exec(...)"
},
{
"pattern": "passthru(...)"
},
{
"pattern": "shell_exec(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-csrf-audit",
"languages": [
"php"
],
"message": "Passing false or 0 as the third argument to this function will not cause the script to die, making the check useless.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#cross-site-request-forgery-csrf",
"https://developer.wordpress.org/reference/functions/check_ajax_referer/"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"pattern": "check_ajax_referer(...,...,false)",
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-file-download-audit",
"languages": [
"php"
],
"message": "These functions can be used to read to content of the files if the data inside is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-73: External Control of File Name or Path"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-download"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "file(...)"
},
{
"pattern": "readfile(...)"
},
{
"pattern": "file_get_contents(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-file-inclusion-audit",
"languages": [
"php"
],
"message": "These functions can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the data inside is user-controlled. Validate the data properly before passing it to these functions.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations.",
"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-inclusion"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "include(...)"
},
{
"pattern": "require(...)"
},
{
"pattern": "include_once(...)"
},
{
"pattern": "require_once(...)"
},
{
"pattern": "fread(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-file-manipulation-audit",
"languages": [
"php"
],
"message": "These functions can be used to delete the files if the data inside the functions are user controlled. Use these functions carefully.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations.",
"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-manipulation"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "unlink(...)"
},
{
"pattern": "wp_delete_file(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-open-redirect-audit",
"languages": [
"php"
],
"message": "This function can be used to redirect to user supplied URLs. If user input is not sanitised or validated, this could lead to Open Redirect vulnerabilities. Use \"wp_safe_redirect()\" to prevent this kind of attack.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#open-redirect",
"https://developer.wordpress.org/reference/functions/wp_safe_redirect/"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"pattern": "wp_redirect(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-php-object-injection-audit",
"languages": [
"php"
],
"message": "If the data used inside the patterns are directly used without proper sanitization, then this could lead to PHP Object Injection. Do not use these function with user-supplied input, use JSON functions instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-object-injection",
"https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "unserialize(...)"
},
{
"pattern": "maybe_unserialize(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.php.wordpress-plugins.security.audit.wp-sql-injection-audit",
"languages": [
"php"
],
"message": "Detected unsafe API methods. This could lead to SQL Injection if the used variable in the functions are user controlled and not properly escaped or sanitized. In order to prevent SQL Injection, use safe api methods like \"$wpdb->prepare\" properly or escape/sanitize the data properly.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#sql-injection",
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"audit"
],
"technology": [
"Wordpress Plugins"
]
},
"paths": {
"include": [
"wp-content/plugins/**/*.php"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$wpdb->query(...)"
},
{
"pattern": "$wpdb->get_var(...)"
},
{
"pattern": "$wpdb->get_row(...)"
},
{
"pattern": "$wpdb->get_col(...)"
},
{
"pattern": "$wpdb->get_results(...)"
},
{
"pattern": "$wpdb->replace(...)"
}
]
},
{
"pattern-not": "$wpdb->prepare(...)"
},
{
"pattern-not": "$wpdb->delete(...)"
},
{
"pattern-not": "$wpdb->update(...)"
},
{
"pattern-not": "$wpdb->insert(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification",
"languages": [
"go"
],
"message": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "tls.Config{..., InsecureSkipVerify: true, ...}\n"
},
{
"pattern": "$CONFIG = &tls.Config{...}\n...\n$CONFIG.InsecureSkipVerify = true\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions",
"languages": [
"go"
],
"message": "Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern": "tls.Config{..., MinVersion: $TLS.$VERSION, ...}\n"
},
{
"pattern": "$CONFIG = &tls.Config{...}\n...\n$CONFIG.MinVersion = $TLS.$VERSION\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$VERSION",
"regex": "(VersionTLS10|VersionTLS11|VersionSSL30)"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[fF][tT][pP]://",
"replacement": "sftp://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.ftp-request",
"languages": [
"go"
],
"message": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://godoc.org/github.com/jlaffaye/ftp#Dial",
"https://github.com/jlaffaye/ftp"
],
"subcategory": [
"vuln"
],
"technology": [
"ftp"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "ftp.Dial(\"=~/^[fF][tT][pP]://.*/\", ...)\n"
},
{
"pattern": "ftp.DialTimeout(\"=~/^[fF][tT][pP]://.*/\", ...)\n"
},
{
"pattern": "ftp.Connect(\"=~/^[fF][tT][pP]://.*/\")\n"
},
{
"pattern": "$URL = \"=~/^[fF][tT][pP]://.*/\"\n...\nftp.Dial($URL, ...)\n"
},
{
"pattern": "$URL = \"=~/^[fF][tT][pP]://.*/\"\n...\nftp.DialTimeout($URL, ...)\n"
},
{
"pattern": "$URL = \"=~/^[fF][tT][pP]://.*/\"\n...\nftp.Connect($URL)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request",
"languages": [
"go"
],
"message": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://github.com/parnurzeal/gorequest"
],
"subcategory": [
"vuln"
],
"technology": [
"gorequest"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$REQ = gorequest.New()\n...\n$RES = ...\n"
},
{
"pattern": "$REQ.$FUNC(\"=~/[hH][tT][tT][pP]://.*/\")\n"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Patch)"
}
}
]
},
{
"patterns": [
{
"pattern": "gorequest.New().$FUNC(\"=~/[hH][tT][tT][pP]://.*/\")"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Patch)"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.grequests-http-request",
"languages": [
"go"
],
"message": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://godoc.org/github.com/levigross/grequests#DoRegularRequest",
"https://github.com/levigross/grequests"
],
"subcategory": [
"vuln"
],
"technology": [
"grequests"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern": "grequests.$FUNC(...,\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
},
{
"pattern": "$FUNC(...,\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Head|Post|Put|Delete|Patch|Options|Req|DoRegularRequest)"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.http-customized-request",
"languages": [
"go"
],
"message": "Checks for requests sent via http.NewRequest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://golang.org/pkg/net/http/#NewRequest"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
],
"vulnerability": "Insecure Transport"
},
"pattern": "http.NewRequest(..., \"=~/[hH][tT][tT][pP]://.*/\", ...)\n",
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.http-request",
"languages": [
"go"
],
"message": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://golang.org/pkg/net/http/#Get"
],
"subcategory": [
"vuln"
],
"technology": [
"go"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern": "http.$FUNC(\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
},
{
"patterns": [
{
"pattern-inside": "$CLIENT := &http.Client{...}\n...\n"
},
{
"pattern": "client.$FUNC(\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
}
]
}
]
},
{
"pattern-not": "http.$FUNC(\"=~/[hH][tT][tT][pP]://127.0.0.1.*/\", ...)"
},
{
"pattern-not": "client.$FUNC(\"=~/[hH][tT][tT][pP]://127.0.0.1.*/\", ...)"
},
{
"pattern-not": "http.$FUNC(\"=~/[hH][tT][tT][pP]://localhost.*/\", ...)"
},
{
"pattern-not": "client.$FUNC(\"=~/[hH][tT][tT][pP]://localhost.*/\", ...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Head|PostForm)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.sling-http-request",
"languages": [
"go"
],
"message": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://godoc.org/github.com/dghubble/sling#Sling.Add",
"https://github.com/dghubble/sling"
],
"subcategory": [
"vuln"
],
"technology": [
"sling"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$REQ = sling.New()\n...\n$RES = ...\n"
},
{
"pattern": "$REQ.$FUNC(\"=~/[hH][tT][tT][pP]://.*/\")\n"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)"
}
}
]
},
{
"patterns": [
{
"pattern": "sling.New().$FUNC(\"=~/[hH][tT][tT][pP]://.*/\")"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$REQ = sling.New()\n...\n$URL = \"=~/[hH][tT][tT][pP]://.*/\"\n...\n$RES = ...\n"
},
{
"pattern": "$REQ.$FUNC($URL)\n"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$URL = \"=~/[hH][tT][tT][pP]://.*/\"\n...\n$RES = ...\n"
},
{
"pattern": "sling.New().$FUNC($URL)\n"
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(Get|Post|Delete|Head|Put|Options|Patch|Base|Connect)"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.go-stdlib.telnet-request",
"languages": [
"go"
],
"message": "Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://godoc.org/github.com/reiver/go-telnet"
],
"subcategory": [
"vuln"
],
"technology": [
"go-telnet"
],
"vulnerability": "Insecure Transport"
},
"pattern": "telnet.DialToAndCall(...)\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-spring.bypass-tls-verification",
"languages": [
"java"
],
"message": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate",
"https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "new HostnameVerifier() {\n ...\n public boolean verify(String hostname, SSLSession session) {\n ...\n }\n ...\n};\n"
},
{
"pattern": "public RestTemplate restTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {\n ...\n TrustStrategy $FUNCNAME = (X509Certificate[] chain, String authType) -> ...;\n ...\n}\n"
},
{
"pattern": "TrustStrategy $FUNCNAME= new TrustStrategy() {\n ...\n public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {\n ...\n }\n ...\n};\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[fF][tT][pP]://",
"replacement": "sftp://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-spring.spring-ftp-request",
"languages": [
"java"
],
"message": "Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.spring.io/spring-integration/api/org/springframework/integration/ftp/session/AbstractFtpSessionFactory.html#setClientMode-int-"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "$SF = new DefaultFtpSessionFactory(...);\n...\n$SF.setHost(\"=~/^[fF][tT][pP]://.*/\");\n...\n$SF.$FUNC(...);\n"
},
{
"pattern": "$SF = new DefaultFtpSessionFactory(...);\n...\nString $URL = \"=~/^[fF][tT][pP]://.*/\";\n...\n$SF.setHost($URL);\n...\n$SF.$FUNC(...);\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-spring.spring-http-request",
"languages": [
"java"
],
"message": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-",
"https://www.baeldung.com/rest-template"
],
"subcategory": [
"vuln"
],
"technology": [
"spring"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$RESTTEMP = new RestTemplate(...);\n...\n$RESTTEMP.$FUNC(\"=~/[hH][tT][tT][pP]://.*/\", ...);\n"
},
{
"pattern": "$RESTTEMP = new RestTemplate(...);\n...\nString $URL = \"=~/[hH][tT][tT][pP]://.*/\";\n...\n$RESTTEMP.$FUNC($URL, ...);\n"
},
{
"pattern": "$RESTTEMP = new RestTemplate(...);\n...\n$URL = new URI(..., \"=~/[hH][tT][tT][pP]://.*/\", ...);\n...\n$RESTTEMP.$FUNC($URL, ...);\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "(delete|doExecute|exchange|getForEntity|getForObject|headForHeaders|optionsForAllow|patchForObject|postForEntity|postForLocation|postForObject|put)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification",
"languages": [
"java"
],
"message": "Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disables TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-",
"https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "new X509TrustManager() {\n ...\n public void checkClientTrusted(X509Certificate[] certs, String authType) {...}\n ...\n}\n"
},
{
"pattern-not": "new X509TrustManager() {\n ...\n public void checkServerTrusted(X509Certificate[] certs, String authType) {\n ...\n throw new CertificateException(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "new X509TrustManager() {\n ...\n public void checkServerTrusted(X509Certificate[] certs, String authType) {\n ...\n throw new IllegalArgumentException(...);\n ...\n }\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1",
"languages": [
"java"
],
"message": "Detects direct creations of SSLConnectionSocketFactories that don't disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "new SSLConnectionSocketFactory(...);\n"
},
{
"pattern-not": "new SSLConnectionSocketFactory(..., new String[] {\"TLSv1.2\", \"TLSv1.3\"}, ...);\n"
},
{
"pattern-not": "new SSLConnectionSocketFactory(..., new String[] {\"TLSv1.3\", \"TLSv1.2\"}, ...);\n"
},
{
"pattern-not": "new SSLConnectionSocketFactory(..., new String[] {\"TLSv1.3\"}, ...);\n"
},
{
"pattern-not": "new SSLConnectionSocketFactory(..., new String[] {\"TLSv1.2\"}, ...);\n"
},
{
"pattern-not-inside": "(SSLConnectionSocketFactory $SF) = new SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) = TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_2). ... .build(); ... HttpClientConnectionManager cm = $CM.create(). ... .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ... .build();\n"
},
{
"pattern-not-inside": "(SSLConnectionSocketFactory $SF) = new SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) = TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_3). ... .build(); ... HttpClientConnectionManager cm = $CM.create(). ... .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ... .build();\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2",
"languages": [
"java"
],
"message": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "$VALUE. ... .setProperty(\"jdk.tls.client.protocols\", \"$PATTERNS\");"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$PATTERNS",
"patterns": [
{
"pattern-either": [
{
"pattern": "TLS1"
},
{
"pattern-regex": "^(.*TLSv1|.*SSLv.*)$"
},
{
"pattern-regex": "^(.*TLSv1,.*)"
}
]
}
]
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[fF][tT][pP]://",
"replacement": "sftp://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.ftp-request",
"languages": [
"java"
],
"message": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server",
"https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "FTPClient $FTPCLIENT = new FTPClient();\n...\n$FTPCLIENT.connect(...);\n"
},
{
"pattern": "URL $URL = new URL(\"=~/^[fF][tT][pP]://.*/\");\n...\nURLConnection $CONN = $URL.openConnection(...);\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.http-components-request",
"languages": [
"java"
],
"message": "Checks for requests sent via Apache HTTP Components to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://hc.apache.org/httpcomponents-client-ga/quickstart.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "$HTTPCLIENT = HttpClients.$CREATE(...);\n...\n$HTTPREQ = new $HTTPFUNC(\"=~/[hH][tT][tT][pP]://.*/\");\n...\n$RESPONSE = $HTTPCLIENT.execute($HTTPREQ);\n"
},
{
"pattern": "$HTTPCLIENT = HttpClients.$CREATE(...);\n...\n$RESPONSE = $HTTPCLIENT.execute(new $HTTPFUNC(\"=~/[hH][tT][tT][pP]://.*/\"));\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request",
"languages": [
"java"
],
"message": "Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://openjdk.java.net/groups/net/httpclient/intro.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"patterns": [
{
"pattern": "URI.create(\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
},
{
"pattern-inside": "HttpClient $CLIENT = ...;\n...\nHttpRequest $REQ = ...;\n...\n$CLIENT.sendAsync(...);\n"
}
]
},
{
"patterns": [
{
"pattern": "URI.create(\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
},
{
"pattern-inside": "HttpClient $CLIENT = ...;\n...\nHttpRequest $REQ = ...;\n...\n$CLIENT.send(...);\n"
}
]
},
{
"patterns": [
{
"pattern": "URI.create($URI)\n"
},
{
"pattern-inside": "String $URI = \"=~/[hH][tT][tT][pP]://.*/\";\n...\nHttpClient $CLIENT = ...;\n...\nHttpRequest $REQ = ...;\n...\n$CLIENT.send(...);\n"
}
]
},
{
"patterns": [
{
"pattern": "URI.create($URI)\n"
},
{
"pattern-inside": "String $URI = \"=~/[hH][tT][tT][pP]://.*/\";\n...\nHttpClient $CLIENT = ...;\n...\nHttpRequest $REQ = ...;\n...\n$CLIENT.sendAsync(...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.httpget-http-request",
"languages": [
"java"
],
"message": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html",
"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "\"=~/[Hh][Tt][Tt][Pp]://.*/\"\n"
},
{
"pattern-inside": "$R = new HttpGet(\"=~/[Hh][Tt][Tt][Pp]://.*/\");\n...\n$CLIENT. ... .execute($R, ...);\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request",
"languages": [
"java"
],
"message": "Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html",
"https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern": "\"=~/[Hh][Tt][Tt][Pp]://.*/\"\n"
},
{
"pattern-either": [
{
"pattern-inside": "URL $URL = new URL (\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...);\n...\n$CON = (HttpURLConnection) $URL.openConnection(...);\n...\n$CON.$FUNC(...);\n"
},
{
"pattern-inside": "URL $URL = new URL (\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...);\n...\n$CON = $URL.openConnection(...);\n...\n$CON.$FUNC(...);\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.socket-request",
"languages": [
"java"
],
"message": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html"
],
"subcategory": [
"audit"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "$SOCKET = new Socket(\"=~/[tT][eE][lL][nN][eE][tT]://.*/\", ...);\n...\n$OUT = new PrintWriter($SOCKET.getOutputStream(...), ...);\n...\n$OUT.$FUNC(...);\n"
},
{
"pattern": "$SOCKET = new Socket(\"=~/^[fF][tT][pP]://.*/\", ...);\n...\n$OUT = new PrintWriter($SOCKET.getOutputStream(...), ...);\n...\n$OUT.$FUNC(...);\n"
},
{
"pattern": "$SOCKET = new Socket(\"=~/[hH][tT][tT][pP]://.*/\", ...);\n...\n$OUT = new PrintWriter($SOCKET.getOutputStream(...), ...);\n...\n$OUT.$FUNC(...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.telnet-request",
"languages": [
"java"
],
"message": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern": "$TELNETCLIENT = new TelnetClient(...);\n...\n$TELNETCLIENT.connect(...);\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation",
"languages": [
"java"
],
"message": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://www.oracle.com/java/technologies/javase/tlsreadme.html"
],
"subcategory": [
"vuln"
],
"technology": [
"java"
],
"vulnerability": "Insecure Transport"
},
"pattern": "java.lang.System.setProperty(\"sun.security.ssl.allowUnsafeRenegotiation\", true);\n",
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.problem-based-packs.insecure-transport.java-stdlib.unirest-http-request",
"languages": [
"java"
],
"message": "Checks for requests sent via Unirest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://kong.github.io/unirest-java/#requests"
],
"subcategory": [
"vuln"
],
"technology": [
"unirest"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "Unirest.get(\"=~/[hH][tT][tT][pP]://.*/\")\n"
},
{
"pattern": "Unirest.post(\"=~/[hH][tT][tT][pP]://.*/\")\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.bypass-tls-verification",
"languages": [
"js",
"ts"
],
"message": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://nodejs.org/api/https.html#https_https_request_options_callback",
"https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "process.env[\"NODE_TLS_REJECT_UNAUTHORIZED\"] = 0;\n"
},
{
"pattern": "{rejectUnauthorized:false}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1",
"languages": [
"js",
"ts"
],
"message": "Detects direct creations of $HTTPS servers that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://us-cert.cisa.gov/ncas/alerts/TA14-290A",
"https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs",
"https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CONST = require('crypto');\n...\n"
},
{
"pattern-inside": "$CONST = require('constants');\n...\n"
}
]
},
{
"pattern-inside": "$HTTPS = require('https');\n...\n"
},
{
"pattern": "$HTTPS.createServer(...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions: $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2 }, ...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions: $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv2 |$CONST.SSL_OP_NO_SSLv3 }, ...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions: $CONST.SSL_OP_NO_SSLv2 |$CONST.SSL_OP_NO_SSLv3 |$CONST.SSL_OP_NO_TLSv1 }, ...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions: $CONST.SSL_OP_NO_SSLv2 |$CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3}, ...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions:$CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2 |$CONST.SSL_OP_NO_TLSv1}, ...).$FUNC(...);\n"
},
{
"pattern-not": "$HTTPS.createServer({secureOptions:$CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_TLSv1| $CONST.SSL_OP_NO_SSLv2}, ...).$FUNC(...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2",
"languages": [
"js",
"ts"
],
"message": "Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://us-cert.cisa.gov/ncas/alerts/TA14-290A",
"https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs",
"https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CONST = require('crypto');\n...\n"
},
{
"pattern-inside": "$CONST = require('constants');\n...\n"
}
]
},
{
"pattern-inside": "$HTTPS = require('https');\n...\n"
},
{
"pattern": "$OPTIONS = {};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_SSLv3};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv3};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_TLSv1};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_SSLv2 | $CONST.SSL_OP_NO_TLSv1};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
},
{
"pattern-not": "$OPTIONS = {secureOptions: $CONST.SSL_OP_NO_SSLv3 | $CONST.SSL_OP_NO_TLSv1 | $CONST.SSL_OP_NO_SSLv2};\n...\n$HTTPS.createServer($OPTIONS, ...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.ftp-request",
"languages": [
"js",
"ts"
],
"message": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still does not encrypt all traffic. ftp is the most utilized npm ftp module.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://www.npmjs.com/package/ftp",
"https://openbase.io/js/ftp"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-inside": "$X = require('ftp');\n...\n$C = new $X();\n...\n"
},
{
"pattern-not-inside": "$OPTIONS = {secure: true};\n...\n"
},
{
"pattern": "$C.connect($OPTIONS,...);\n"
},
{
"pattern-not": "$C.connect({...,secure: true});\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.http-request",
"languages": [
"js",
"ts"
],
"message": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://nodejs.org/api/http.html#http_http_request_options_callback"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-inside": "$HTTP = require('http');\n...\n"
},
{
"pattern-either": [
{
"pattern": "$HTTP.request(\"=~/http://.*/\",...);\n"
},
{
"pattern": "$HTTP.get(\"=~/http://.*/\", ...)\n"
},
{
"pattern": "$VAR = new URL(\"=~/http://.*/\");\n...\n$HTTP.request($VAR, ...);\n"
},
{
"pattern": "$VAR = {...,hostname: \"...\"};\n...\n$HTTP.request(..., $VAR, ...);\n"
},
{
"pattern": "$HTTP.request(..., {...,hostname: \"...\"}, ...);\n"
}
]
},
{
"pattern-not": "$VAR = {...,protocol: \"https\"};\n...\n$HTTP.request(..., $VAR, ...);\n"
},
{
"pattern-not": "$HTTP.request(..., {...,protocol: \"https\"}, ...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.rest-http-client-support",
"languages": [
"js",
"ts"
],
"message": "Checks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://www.npmjs.com/package/axios",
"https://www.npmjs.com/package/got",
"https://www.npmjs.com/package/node-rest-client"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CLIENT = require('node-rest-client').Client;\n...\n$C = new $CLIENT();\n...\n"
},
{
"pattern-inside": "$C = require('axios');\n...\n"
},
{
"pattern-inside": "$C = require('got');\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$C.$REQ(\"=~/http://.*/\", ...)\n"
},
{
"pattern": "$C(\"=~/http://.*/\", ...)\n"
},
{
"pattern": "$C({...,url: \"=~/http://.*/\"})\n"
},
{
"pattern": "$C.$REQ({...,url: \"=~/http://.*/\"})\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.telnet-request",
"languages": [
"js",
"ts"
],
"message": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://www.npmjs.com/package/telnet",
"https://www.npmjs.com/package/telnet-client"
],
"subcategory": [
"vuln"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$TEL = require('telnet-client');\n...\n$SERVER = new $TEL();\n...\n"
},
{
"pattern-inside": "$SERVER = require('telnet');\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$SERVER.on(...)\n"
},
{
"pattern": "$SERVER.connect(...)\n"
},
{
"pattern": "$SERVER.createServer(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.js-node.using-http-server",
"languages": [
"js",
"ts"
],
"message": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures",
"A03:2017 - Sensitive Data Exposure"
],
"references": [
"https://nodejs.org/api/http.html#http_class_http_agent",
"https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY"
],
"subcategory": [
"audit"
],
"technology": [
"node.js"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-inside": "$HTTP = require('http');\n...\n"
},
{
"pattern-either": [
{
"pattern": "$HTTP.$FUNC(...);\n"
},
{
"pattern": "new $HTTP.$FUNC2(...);\n"
}
]
},
{
"pattern": "$HTTP"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests",
"languages": [
"ruby"
],
"message": "Checks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://github.com/rest-client/rest-client",
"https://github.com/jnunemaker/httparty/tree/master/docs"
],
"subcategory": [
"vuln"
],
"technology": [
"httparty",
"rest-client"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "HTTParty.$PARTYVERB(\"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
},
{
"pattern": "$STRING = \"=~/[hH][tT][tT][pP]://.*/\"\n...\nHTTParty.$PARTYVERB($STRING, ...)\n"
},
{
"pattern": "RestClient.$RESTVERB \"=~/[hH][tT][tT][pP]://.*/\", ...\n"
},
{
"pattern": "RestClient::Request.execute(..., url: \"=~/[hH][tT][tT][pP]://.*/\", ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request",
"languages": [
"ruby"
],
"message": "Checks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "$FTP = Net::FTP.new('...')\n...\n$FTP.login\n"
},
{
"pattern": "Net::FTP.open('...') do |ftp|\n ...\n ftp.login\nend\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.ruby-stdlib.net-http-request",
"languages": [
"ruby"
],
"message": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$URI = URI('=~/[hH][tT][tT][pP]://.*/')\n...\nNet::HTTP::$FUNC.new $URI\n"
},
{
"pattern": "$URI = URI('=~/[hH][tT][tT][pP]://.*/')\n...\nNet::HTTP.$FUNC($URI, ...)\n"
},
{
"pattern": "Net::HTTP.$FUNC(URI('=~/[hH][tT][tT][pP]://.*/'), ...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FUNC",
"regex": "([gG]et|post_form|[pP]ost|get_response|get_print|Head|Patch|Put|Proppatch|Lock|Unlock|Options|Propfind|Delete|Move|Copy|Trace|Mkcol)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request",
"languages": [
"ruby"
],
"message": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html",
"https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "Net::Telnet::new(...)\n"
},
{
"pattern": "Net::SSH::Telnet.new(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.problem-based-packs.insecure-transport.ruby-stdlib.openuri-request",
"languages": [
"ruby"
],
"message": "Checks for requests to http and ftp (unencrypted) sites using OpenURI.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-319: Cleartext Transmission of Sensitive Information",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": "A03:2017 - Sensitive Data Exposure",
"references": [
"https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html"
],
"subcategory": [
"vuln"
],
"technology": [
"open-uri"
],
"vulnerability": "Insecure Transport"
},
"pattern-either": [
{
"pattern": "URI.open('=~/[hH][tT][tT][pP]://.*/', ...)\n"
},
{
"pattern": "$URI = URI.parse('=~/[hH][tT][tT][pP]://.*/', ...)\n...\n$URI.open\n"
},
{
"pattern": "URI.open('=~/^[fF][tT][pP]://.*/', ...)\n"
},
{
"pattern": "$URI = URI.parse('=~/^[fF][tT][pP]://.*/', ...)\n...\n$URI.open\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.airflow.security.audit.formatted-string-bashoperator",
"languages": [
"python"
],
"message": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"airflow"
]
},
"pattern-either": [
{
"pattern": "airflow.operators.bash_operator.BashOperator(..., bash_command=\"...\" + $CONCAT, ...)\n"
},
{
"pattern": "airflow.operators.bash_operator.BashOperator(..., bash_command=\"...\".format(...), ...)\n"
},
{
"pattern": "airflow.operators.bash_operator.BashOperator(..., bash_command=f\"...\", ...)\n"
},
{
"pattern": "airflow.operators.bash_operator.BashOperator(..., bash_command=\"...\" % $PARAMS, ...)\n"
},
{
"pattern": "$CMD = \"...\" % $PARAMS\n...\nairflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)\n"
},
{
"pattern": "$CMD = $STR.format(...)\n...\nairflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)\n"
},
{
"pattern": "$CMD = f\"...\"\n...\nairflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)\n"
},
{
"pattern": "$CMD = \"...\" + $CONCAT\n...\nairflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)\n"
},
{
"pattern": "$CMD = \"...\"\n...\n$CMD += $CONCAT\n...\nairflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-asyncio-create-exec",
"languages": [
"python"
],
"message": "Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec",
"https://docs.python.org/3/library/shlex.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"pattern": "asyncio.create_subprocess_exec($PROG, $CMD, ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, [$CMD, ...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, $CMD, ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, [$CMD, ...], ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...], ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-asyncio-exec",
"languages": [
"python"
],
"message": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec",
"https://docs.python.org/3/library/shlex.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, $CMD, ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, [$CMD, ...], ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", $CMD, ...], ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-asyncio-shell",
"languages": [
"python"
],
"message": "Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html",
"https://docs.python.org/3/library/shlex.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"pattern": "$LOOP.subprocess_shell($PROTOCOL, $CMD)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_shell($CMD, ...)"
},
{
"pattern": "asyncio.create_subprocess_shell($CMD, ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-spawn-process",
"languages": [
"python"
],
"message": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "os.$METHOD($MODE, $CMD, ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "os.$METHOD($MODE, $BASH, [\"-c\", $CMD,...],...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "os.$METHOD($MODE, $BASH, \"-c\", $CMD,...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-subprocess-use",
"languages": [
"python"
],
"message": "Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using 'shlex.split()' for this purpose.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/subprocess.html",
"https://docs.python.org/3/library/shlex.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "shlex.split(...)"
},
{
"pattern": "pipes.quote(...)"
},
{
"pattern": "shlex.quote(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "subprocess.$FUNC(..., shell=True, ...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dangerous-system-call",
"languages": [
"python"
],
"message": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$CMD"
},
{
"pattern-either": [
{
"pattern": "os.system($CMD,...)"
},
{
"pattern": "os.popen($CMD,...)"
},
{
"pattern": "os.popen2($CMD,...)"
},
{
"pattern": "os.popen3($CMD,...)"
},
{
"pattern": "os.popen4($CMD,...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.dynamodb-filter-injection",
"languages": [
"python"
],
"message": "Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-943: Improper Neutralization of Special Elements in Data Query Logic"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection"
],
"references": [
"https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"boto3",
"aws-lambda",
"dynamodb"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "{...}\n"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-either": [
{
"pattern": "$TABLE.scan(..., ScanFilter = $SINK, ...)"
},
{
"pattern": "$TABLE.query(..., QueryFilter = $SINK, ...)"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$TABLE = $DB.Table(...)\n...\n"
},
{
"pattern-inside": "$DB = boto3.resource('dynamodb', ...)\n...\n"
}
]
},
{
"pattern-inside": "$TABLE = boto3.client('dynamodb', ...)\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.aws-lambda.security.mysql-sqli",
"languages": [
"python"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html",
"https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"mysql"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$CURSOR.execute($QUERY,...)"
},
{
"pattern": "$CURSOR.executemany($QUERY,...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "import mysql\n...\n"
},
{
"pattern-inside": "import mysql.cursors\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.psycopg-sqli",
"languages": [
"python"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.psycopg.org/docs/cursor.html#cursor.execute",
"https://www.psycopg.org/docs/cursor.html#cursor.executemany",
"https://www.psycopg.org/docs/cursor.html#cursor.mogrify"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"psycopg",
"psycopg2"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$CURSOR.execute($QUERY,...)"
},
{
"pattern": "$CURSOR.executemany($QUERY,...)"
},
{
"pattern": "$CURSOR.mogrify($QUERY,...)"
}
]
},
{
"pattern-inside": "import psycopg2\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.pymssql-sqli",
"languages": [
"python"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://pypi.org/project/pymssql/"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"pymssql"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern": "$CURSOR.execute($QUERY,...)"
},
{
"pattern-inside": "import pymssql\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.pymysql-sqli",
"languages": [
"python"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', ('active'))`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://pypi.org/project/PyMySQL/#id4"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"pymysql"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern": "$CURSOR.execute($QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "import pymysql\n...\n"
},
{
"pattern-inside": "import pymysql.cursors\n...\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.sqlalchemy-sqli",
"languages": [
"python"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"sqlalchemy"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$QUERY"
},
{
"pattern": "$CURSOR.execute($QUERY,...)"
},
{
"pattern-inside": "import sqlalchemy\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.tainted-code-exec",
"languages": [
"python"
],
"message": "Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "eval($CODE, ...)"
},
{
"pattern": "exec($CODE, ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.tainted-html-response",
"languages": [
"python"
],
"message": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$BODY"
},
{
"pattern-inside": "{..., \"headers\": {..., \"Content-Type\": \"text/html\", ...}, \"body\": $BODY, ... }\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.tainted-html-string",
"languages": [
"python"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" % ..."
},
{
"pattern": "\"$HTMLSTR\".format(...)"
},
{
"pattern": "\"$HTMLSTR\" + ..."
},
{
"pattern": "f\"$HTMLSTR{...}...\""
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$HTML = \"$HTMLSTR\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "$HTML % ..."
},
{
"pattern": "$HTML.format(...)"
},
{
"pattern": "$HTML + ..."
}
]
}
]
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
},
{
"pattern-not-inside": "print(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.tainted-pickle-deserialization",
"languages": [
"python"
],
"message": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html",
"https://davidhamann.de/2020/04/05/exploiting-python-pickle/"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$SINK"
},
{
"pattern-either": [
{
"pattern": "pickle.load($SINK,...)"
},
{
"pattern": "pickle.loads($SINK,...)"
},
{
"pattern": "_pickle.load($SINK,...)"
},
{
"pattern": "_pickle.loads($SINK,...)"
},
{
"pattern": "cPickle.load($SINK,...)"
},
{
"pattern": "cPickle.loads($SINK,...)"
},
{
"pattern": "dill.load($SINK,...)"
},
{
"pattern": "dill.loads($SINK,...)"
},
{
"pattern": "shelve.open($SINK,...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.aws-lambda.security.tainted-sql-string",
"languages": [
"python"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\" % ...\n"
},
{
"pattern": "\"$SQLSTR\".format(...)\n"
},
{
"pattern": "f\"$SQLSTR{...}...\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*="
}
},
{
"pattern-not-inside": "print(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context):\n ...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.boto3.security.hardcoded-token",
"languages": [
"python"
],
"message": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html",
"https://bento.dev/checks/boto3/hardcoded-access-token/",
"https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/"
],
"subcategory": [
"vuln"
],
"technology": [
"boto3",
"secrets"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$W(...,$TOKEN=\"$VALUE\",...)"
},
{
"pattern": "$BOTO. ... .$W(...,$TOKEN=\"$VALUE\",...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TOKEN",
"regex": "(aws_session_token|aws_access_key_id|aws_secret_access_key)"
}
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$VALUE",
"patterns": [
{
"pattern-either": [
{
"pattern-regex": "^AKI"
},
{
"pattern-regex": "^[A-Za-z0-9/+=]+$"
}
]
}
]
}
},
{
"metavariable-analysis": {
"analyzer": "entropy",
"metavariable": "$VALUE"
}
}
]
}
],
"pattern-sources": [
{
"pattern": "\"...\"\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.cryptography.security.empty-aes-key",
"languages": [
"python"
],
"message": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"CWE-310: Cryptographic Issues"
],
"functional-categories": [
"crypto::search::key-length::pycrypto",
"crypto::search::key-length::pycryptodome"
],
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": "A6:2017 misconfiguration",
"references": [
"https://cwe.mitre.org/data/definitions/327.html",
"https://cwe.mitre.org/data/definitions/310.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"pycrypto",
"pycryptodome"
]
},
"patterns": [
{
"pattern": "AES.new(\"\",...)"
}
],
"severity": "WARNING"
},
{
"fix": "AES",
"id": "vendored-rules.python.cryptography.security.insecure-cipher-algorithm-arc4",
"languages": [
"python"
],
"message": "ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern": "cryptography.hazmat.primitives.ciphers.algorithms.$ARC4($KEY)"
},
{
"pattern-inside": "cryptography.hazmat.primitives.ciphers.Cipher(...)"
},
{
"metavariable-regex": {
"metavariable": "$ARC4",
"regex": "^(ARC4)$"
}
},
{
"focus-metavariable": "$ARC4"
}
],
"severity": "WARNING"
},
{
"fix": "AES",
"id": "vendored-rules.python.cryptography.security.insecure-cipher-algorithm-blowfish",
"languages": [
"python"
],
"message": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers",
"https://tools.ietf.org/html/rfc5469"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern": "cryptography.hazmat.primitives.ciphers.algorithms.$BLOWFISH($KEY)"
},
{
"metavariable-regex": {
"metavariable": "$BLOWFISH",
"regex": "^(Blowfish)$"
}
},
{
"focus-metavariable": "$BLOWFISH"
}
],
"severity": "WARNING"
},
{
"fix": "AES",
"id": "vendored-rules.python.cryptography.security.insecure-cipher-algorithm-idea",
"languages": [
"python"
],
"message": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc5469",
"https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern": "cryptography.hazmat.primitives.ciphers.algorithms.$IDEA($KEY)"
},
{
"metavariable-regex": {
"metavariable": "$IDEA",
"regex": "^(IDEA)$"
}
},
{
"focus-metavariable": "$IDEA"
}
],
"severity": "WARNING"
},
{
"fix": "cryptography.hazmat.primitives.ciphers.modes.GCM($IV)",
"id": "vendored-rules.python.cryptography.security.insecure-cipher-mode-ecb",
"languages": [
"python"
],
"message": "ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM.",
"metadata": {
"bandit-code": "B305",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::mode::cryptography"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes",
"https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101",
"subcategory": [
"audit"
],
"technology": [
"cryptography"
]
},
"pattern": "cryptography.hazmat.primitives.ciphers.modes.ECB($IV)",
"severity": "WARNING"
},
{
"fix": "SHA256",
"id": "vendored-rules.python.cryptography.security.insecure-hash-algorithm-md5",
"languages": [
"python"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"bandit-code": "B303",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::cryptography"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5",
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern": "cryptography.hazmat.primitives.hashes.$MD5()"
},
{
"metavariable-regex": {
"metavariable": "$MD5",
"regex": "^(MD5)$"
}
},
{
"focus-metavariable": "$MD5"
}
],
"severity": "WARNING"
},
{
"fix": "SHA256\n",
"id": "vendored-rules.python.cryptography.security.insecure-hash-algorithm-sha1",
"languages": [
"python"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"bandit-code": "B303",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::cryptography"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1",
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern": "cryptography.hazmat.primitives.hashes.$SHA(...)"
},
{
"metavariable-pattern": {
"metavariable": "$SHA",
"pattern": "SHA1\n"
}
},
{
"focus-metavariable": "$SHA"
}
],
"severity": "WARNING"
},
{
"fix": "2048\n",
"id": "vendored-rules.python.cryptography.security.insufficient-dsa-key-size",
"languages": [
"python"
],
"message": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf",
"https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py",
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(..., key_size=$SIZE, ...)"
},
{
"pattern": "cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE, ...)"
}
]
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 2048",
"metavariable": "$SIZE"
}
},
{
"focus-metavariable": "$SIZE"
}
],
"severity": "WARNING"
},
{
"fix": "SECP256R1\n",
"id": "vendored-rules.python.cryptography.security.insufficient-ec-key-size",
"languages": [
"python"
],
"message": "Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf",
"https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py",
"subcategory": [
"audit"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern-inside": "cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(...)"
},
{
"pattern": "cryptography.hazmat.primitives.asymmetric.ec.$SIZE"
},
{
"metavariable-pattern": {
"metavariable": "$SIZE",
"pattern-either": [
{
"pattern": "SECP192R1"
},
{
"pattern": "SECT163K1"
},
{
"pattern": "SECT163R2"
}
]
}
},
{
"focus-metavariable": "$SIZE"
}
],
"severity": "WARNING"
},
{
"fix": "2048\n",
"id": "vendored-rules.python.cryptography.security.insufficient-rsa-key-size",
"languages": [
"python"
],
"message": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::cryptography"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py",
"subcategory": [
"audit"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(..., key_size=$SIZE, ...)"
},
{
"pattern": "cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($EXP, $SIZE, ...)"
}
]
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 2048",
"metavariable": "$SIZE"
}
},
{
"focus-metavariable": "$SIZE"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.cryptography.security.crypto-mode-without-authentication",
"languages": [
"python"
],
"message": "An encryption mode of operation is being used without proper message authentication. This can potentially result in the encrypted content to be decrypted by an attacker. Consider instead use an AEAD mode of operation like GCM. ",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "Cipher(..., $HAZMAT_MODE(...),...)\n"
},
{
"pattern-not-inside": "Cipher(..., $HAZMAT_MODE(...),...)\n...\nHMAC(...)\n"
},
{
"pattern-not-inside": "Cipher(..., $HAZMAT_MODE(...),...)\n...\nhmac.HMAC(...)\n"
}
]
}
]
},
{
"metavariable-pattern": {
"metavariable": "$HAZMAT_MODE",
"patterns": [
{
"pattern-either": [
{
"pattern": "modes.CTR"
},
{
"pattern": "modes.CBC"
},
{
"pattern": "modes.CFB"
},
{
"pattern": "modes.OFB"
}
]
}
]
}
}
],
"severity": "ERROR"
},
{
"fix": "True\n",
"id": "vendored-rules.python.distributed.require-encryption",
"languages": [
"python"
],
"message": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters"
],
"subcategory": [
"vuln"
],
"technology": [
"distributed"
]
},
"patterns": [
{
"pattern": "distributed.security.Security(..., require_encryption=$VAL, ...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$VAL",
"pattern": "False\n"
}
},
{
"focus-metavariable": "$VAL"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.django-no-csrf-token",
"languages": [
"generic"
],
"message": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-352: Cross-Site Request Forgery (CSRF)",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://docs.djangoproject.com/en/4.2/howto/csrf/"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"paths": {
"include": [
"*.html"
]
},
"patterns": [
{
"pattern": "<form...>...</form>"
},
{
"pattern-either": [
{
"pattern": "<form ... method=\"$METHOD\" ...>...</form>\n"
},
{
"pattern": "<form ... method='$METHOD' ...>...</form>\n"
},
{
"pattern": "<form ... method=$METHOD ...>...</form>\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(?i)(post|put|delete|patch)"
}
},
{
"pattern-not-inside": "<form...>...{% csrf_token %}...</form>"
},
{
"pattern-not-inside": "<form...>...{{ $VAR.csrf_token }}...</form>"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.django-using-request-post-after-is-valid",
"languages": [
"python"
],
"message": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-20: Improper Input Validation",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-inside": "if $FORM.is_valid():\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.POST[...]"
},
{
"pattern": "request.POST.get(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.globals-as-template-context",
"languages": [
"python"
],
"message": "Using 'globals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'globals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.2/ref/settings/#templates",
"https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates",
"https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "django.shortcuts.render(..., globals(...), ...)"
},
{
"pattern": "django.template.Template.render(..., globals(...), ...)"
},
{
"patterns": [
{
"pattern-inside": "$CONTEXT = globals(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "django.shortcuts.render(..., $CONTEXT, ...)"
},
{
"pattern": "django.template.Template.render(..., $CONTEXT, ...)"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.hashids-with-django-secret",
"languages": [
"python"
],
"message": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A02:2021 \u2013 Cryptographic Failures"
],
"references": [
"https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY",
"http://carnage.github.io/2015/08/cryptanalysis-of-hashids"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "hashids.Hashids(..., salt=django.conf.settings.SECRET_KEY, ...)"
},
{
"pattern": "hashids.Hashids(django.conf.settings.SECRET_KEY, ...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.locals-as-template-context",
"languages": [
"python"
],
"message": "Using 'locals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'locals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.2/ref/settings/#templates",
"https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates",
"https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "django.shortcuts.render(..., locals(...), ...)"
},
{
"pattern": "django.template.Template.render(..., locals(...), ...)"
},
{
"patterns": [
{
"pattern-inside": "$CONTEXT = locals(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "django.shortcuts.render(..., $CONTEXT, ...)"
},
{
"pattern": "django.template.Template.render(..., $CONTEXT, ...)"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.nan-injection",
"languages": [
"python"
],
"message": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-704: Incorrect Type Conversion or Cast"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868",
"https://blog.bitdiscovery.com/2021/12/python-nan-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"not_conflicting": true,
"pattern": "$ANYTHING(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "float(...)"
},
{
"pattern": "bool(...)"
},
{
"pattern": "complex(...)"
}
]
},
{
"pattern-not-inside": "if $COND:\n ...\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.audit.avoid-insecure-deserialization",
"languages": [
"python"
],
"message": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "pickle.$PICKLEFUNC(...)\n"
},
{
"pattern": "_pickle.$PICKLEFUNC(...)\n"
},
{
"pattern": "cPickle.$PICKLEFUNC(...)\n"
},
{
"pattern": "shelve.$PICKLEFUNC(...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$PICKLEFUNC",
"regex": "dumps|dump|load|loads"
}
}
]
},
{
"patterns": [
{
"pattern": "dill.$DILLFUNC(...)"
},
{
"metavariable-regex": {
"metavariable": "$DILLFUNC",
"regex": "dump|dump_session|dumps|load|load_session|loads"
}
}
]
},
{
"patterns": [
{
"pattern": "yaml.$YAMLFUNC(...)"
},
{
"pattern-not": "yaml.$YAMLFUNC(..., Dumper=SafeDumper, ...)"
},
{
"pattern-not": "yaml.$YAMLFUNC(..., Dumper=yaml.SafeDumper, ...)"
},
{
"pattern-not": "yaml.$YAMLFUNC(..., Loader=SafeLoader, ...)"
},
{
"pattern-not": "yaml.$YAMLFUNC(..., Loader=yaml.SafeLoader, ...)"
},
{
"metavariable-regex": {
"metavariable": "$YAMLFUNC",
"regex": "dump|dump_all|load|load_all"
}
}
]
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "def $INSIDE(..., $PARAM, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$REQFUNC(...)"
},
{
"pattern": "request.$REQFUNC.get(...)"
},
{
"pattern": "request.$REQFUNC[...]"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.audit.avoid-mark-safe",
"languages": [
"python"
],
"message": "'mark_safe()' is used to mark a string as \"safe\" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe",
"https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html",
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-not-inside": "django.utils.html.format_html(...)"
},
{
"pattern-not": "django.utils.safestring.mark_safe(\"...\")"
},
{
"pattern": "django.utils.safestring.mark_safe(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.no-csrf-exempt",
"languages": [
"python"
],
"message": "Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"pattern": "@django.views.decorators.csrf.csrf_exempt\ndef $R(...):\n ...\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.custom-expression-as-sql",
"languages": [
"python"
],
"message": "Detected a Custom Expression ''$EXPRESSION'' calling ''as_sql(...).'' This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql",
"https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern": "$EXPRESSION.as_sql(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.extends-custom-expression",
"languages": [
"python"
],
"message": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection",
"https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "class $CLASS(..., django.db.models.Func, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Func, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Expression, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Expression, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Value, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Value, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.DurationValue, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.DurationValue, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.RawSQL, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.RawSQL, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Star, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Star, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Random, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Random, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Col, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Col, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Ref, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Ref, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.ExpressionList, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.ExpressionList, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.ExpressionWrapper, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.ExpressionWrapper, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.When, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.When, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Case, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Case, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Subquery, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Subquery, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Exists, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Exists, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.Window, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.Window, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.WindowFrame, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.WindowFrame, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.RowRange, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.RowRange, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.ValueRange, ...):\n ...\n"
},
{
"pattern": "class $CLASS(..., django.db.models.expressions.ValueRange, ...):\n ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.avoid-query-set-extra",
"languages": [
"python"
],
"message": "QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra",
"https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html",
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern": "$MODEL.extra(...)"
},
{
"pattern-not-inside": "$MODEL.extra(select = {$KEY: \"...\"})"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.avoid-raw-sql",
"languages": [
"python"
],
"message": "Detected the use of 'RawSQL' or 'raw' indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name='Bob')`",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions",
"https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html",
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$MODEL.objects.raw($QUERY, ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(...)"
}
]
},
{
"pattern-not": "$MODEL.objects.raw(\"...\")"
},
{
"pattern-not": "django.db.models.expressions.RawSQL(\"...\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.django-secure-set-cookie",
"languages": [
"python"
],
"message": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.",
"metadata": {
"asvs": {
"control_id": "3.4 Missing Cookie Attributes",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management",
"section": "V3: Session Management Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie",
"https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/",
"https://bento.dev/checks/flask/secure-set-cookie/"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import django.http.HttpResponse\n...\n"
},
{
"pattern-inside": "import django.shortcuts.render\n...\n"
}
]
},
{
"pattern-not-inside": "LANGUAGE_QUERY_PARAMETER = 'language'\n...\ndef set_language(request):\n ...\n# Exclude vendored contrib/messages/storage/cookie.py\n"
},
{
"pattern-not-inside": "class CookieStorage(django.contrib.messages.storage.base.BaseStorage):\n ...\n# Exclude cookies handled by vendored middleware\n"
},
{
"pattern-not": "response.set_cookie(django.conf.settings.SESSION_COOKIE_NAME, ...)"
},
{
"pattern-not": "response.set_cookie(django.conf.settings.CSRF_COOKIE_NAME, ...)"
},
{
"pattern-not": "response.set_cookie(django.conf.settings.LANGUAGE_COOKIE_NAME, ...)"
},
{
"pattern-not": "response.set_cookie(rest_framework_jwt.settings.api_settings.JWT_AUTH_COOKIE, ...)"
},
{
"pattern-not": "response.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...)"
},
{
"pattern-not": "response.set_cookie(..., **$A)"
},
{
"pattern": "response.set_cookie(...)"
}
],
"severity": "WARNING"
},
{
"fix": "if django.contrib.auth.password_validation.validate_password($X, user=$MODEL):\n $MODEL.set_password($X)\n",
"id": "vendored-rules.python.django.security.audit.unvalidated-password",
"languages": [
"python"
],
"message": "The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-521: Weak Password Requirements"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-not-inside": "if <... django.contrib.auth.password_validation.validate_password(...) ...>:\n ...\n"
},
{
"pattern-not-inside": "django.contrib.auth.password_validation.validate_password(...)\n...\n"
},
{
"pattern-not-inside": "try:\n ...\n django.contrib.auth.password_validation.validate_password(...)\n ...\nexcept $EX:\n ...\n...\n"
},
{
"pattern-not-inside": "try:\n ...\n django.contrib.auth.password_validation.validate_password(...)\n ...\nexcept $EX as $E:\n ...\n...\n"
},
{
"pattern-not": "UserModel().set_password($X)"
},
{
"pattern": "$MODEL.set_password($X)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.django-rest-framework.missing-throttle-config",
"languages": [
"python"
],
"message": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-400: Uncontrolled Resource Consumption"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"references": [
"https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-not-inside": "REST_FRAMEWORK = {\n ...,\n \"DEFAULT_THROTTLE_RATES\": ...\n}\n"
},
{
"pattern-inside": "REST_FRAMEWORK = ...\n"
},
{
"pattern": "REST_FRAMEWORK"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.templates.debug-template-tag",
"languages": [
"regex"
],
"message": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": "A06:2017 - Security Misconfiguration",
"references": [
"https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug",
"https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"paths": {
"include": [
"*.html"
]
},
"pattern-regex": "({% debug %})",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.class-extends-safestring",
"languages": [
"python"
],
"message": "Found a class extending 'SafeString', 'SafeText' or 'SafeData'. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use 'mark_safe' instead and ensure no user data can reach it.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping",
"https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "class $CLASS(django.utils.safestring.SafeString):\n ...\n"
},
{
"pattern": "class $CLASS(django.utils.safestring.SafeText):\n ...\n"
},
{
"pattern": "class $CLASS(django.utils.safestring.SafeData):\n ..."
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.django.security.audit.xss.context-autoescape-off",
"languages": [
"python"
],
"message": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/ref/settings/#templates",
"https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "{..., \"autoescape\": $FALSE, ...}\n"
},
{
"pattern": "$D[\"autoescape\"] = $FALSE\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$FALSE",
"pattern": "False\n"
}
},
{
"focus-metavariable": "$FALSE"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.direct-use-of-httpresponse",
"languages": [
"python"
],
"message": "Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render",
"https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-not": "django.http.$ANY(\"...\", ...)"
},
{
"pattern-not": "django.http.$ANY()"
},
{
"pattern-not": "django.http.$ANY(..., content=None, ...)"
},
{
"pattern-not": "django.http.$ANY(status=...)"
},
{
"pattern-not": "django.http.HttpResponseNotAllowed([...])"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "django.http.HttpResponse(...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(...)"
},
{
"pattern": "django.http.HttpResponseNotFound(...)"
},
{
"pattern": "django.http.HttpResponseForbidden(...)"
},
{
"pattern": "django.http.HttpResponseNotAllowed(...)"
},
{
"pattern": "django.http.HttpResponseGone(...)"
},
{
"pattern": "django.http.HttpResponseServerError(...)"
}
]
},
{
"pattern-not": "django.http.$ANY(...,content_type=$TYPE,...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "django.http.HttpResponse(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseNotFound(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseForbidden(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseNotAllowed(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseGone(...,content_type=$TYPE,...)"
},
{
"pattern": "django.http.HttpResponseServerError(...,content_type=$TYPE,...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": ".*[tT][eE][xX][tT]/[hH][tT][mM][lL].*"
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.filter-with-is-safe",
"languages": [
"python"
],
"message": "Detected Django filters flagged with 'is_safe'. 'is_safe' tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, 'is_safe' could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing 'is_safe' and explicitly marking safe content with 'mark_safe()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection",
"https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping",
"https://stackoverflow.com/questions/7665512/why-use-is-safe"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern": "@register.filter(..., is_safe=True, ...)\ndef $FILTER(...):\n ...",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.formathtml-fstring-parameter",
"languages": [
"python"
],
"message": "Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "format_html(<... f\"...\" ...>, ...)"
},
{
"pattern": "format_html(\"...\" % ..., ...)"
},
{
"pattern": "format_html(\"...\".format(...), ...)"
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.django.security.audit.xss.global-autoescape-off",
"languages": [
"python"
],
"message": "Autoescape is globally disbaled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/ref/settings/#templates",
"https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern": "{..., 'BACKEND': ..., 'OPTIONS': {..., 'autoescape': $FALSE, ...}, ...}\n"
},
{
"metavariable-pattern": {
"metavariable": "$FALSE",
"pattern": "False\n"
}
},
{
"focus-metavariable": "$FALSE"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.html-magic-method",
"languages": [
"python"
],
"message": "The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape",
"https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "class $CLASS(...):\n ...\n"
},
{
"pattern": "def __html__(...):\n ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.html-safe",
"languages": [
"python"
],
"message": "`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe",
"https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "django.utils.html.html_safe(...)"
},
{
"pattern": "@django.utils.html.html_safe\nclass $CLASS(...):\n ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.template-autoescape-off",
"languages": [
"regex"
],
"message": "Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"paths": {
"include": [
"*.html"
]
},
"pattern-regex": "{%\\s+autoescape\\s+off\\s+%}",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.audit.xss.template-blocktranslate-no-escape",
"languages": [
"generic"
],
"message": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates",
"https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "{% blocktranslate...%}\n"
},
{
"pattern": "{% blocktrans...%}\n"
}
]
},
{
"pattern-not-inside": "{%...filter...force_escape...%}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{%...endfilter...%}\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.django.security.audit.xss.template-translate-as-no-escape",
"languages": [
"generic"
],
"message": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates",
"https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "{% translate ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... }}\n"
},
{
"pattern": "{% trans ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... }}\n"
}
]
},
{
"pattern-not": "{% translate ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... | ... force_escape ... }}\n"
},
{
"pattern-not": "{% trans ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... | ... force_escape ... }}\n"
},
{
"pattern-not": "{% translate ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{% filter force_escape %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... }}\n"
},
{
"pattern-not": "{% trans ... as $TRANS ... %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{% filter force_escape %}\n...\n...\n...\n...\n...\n...\n...\n...\n...\n...\n{{ ... $TRANS ... }}\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.django.security.audit.xss.template-var-unescaped-with-safeseq",
"languages": [
"regex"
],
"message": "Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"paths": {
"include": [
"*.html"
]
},
"pattern-regex": "{{.*?\\|\\s+safeseq(\\s+}})?",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.csv-writer-injection",
"languages": [
"python"
],
"message": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1236: Improper Neutralization of Formula Elements in a CSV File"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/raphaelm/defusedcsv",
"https://owasp.org/www-community/attacks/CSV_Injection",
"https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities"
],
"subcategory": [
"vuln"
],
"technology": [
"django",
"python"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$WRITER = csv.writer(...)\n\n...\n\n$WRITER.$WRITE(...)\n"
},
{
"pattern": "$WRITER.$WRITE(...)"
},
{
"metavariable-regex": {
"metavariable": "$WRITE",
"regex": "^(writerow|writerows|writeheader)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $REQUEST, ...):\n ...\n"
},
{
"focus-metavariable": "$REQUEST"
},
{
"metavariable-pattern": {
"metavariable": "$REQUEST",
"patterns": [
{
"pattern": "request"
},
{
"pattern-not-inside": "request.build_absolute_uri"
}
]
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.injection.mass-assignment",
"languages": [
"python"
],
"message": "Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using '**request.$W', assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"owaspapi": "API6: Mass Assignment",
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "$MODEL.objects.create(**request.$W)"
},
{
"pattern": "$OBJ.update(**request.$W)\n...\n$OBJ.save()\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.open-redirect",
"languages": [
"python"
],
"message": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/",
"https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-not-inside": "def $FUNC(...):\n ...\n django.utils.http.is_safe_url(...)\n ...\n"
},
{
"pattern-not-inside": "def $FUNC(...):\n ...\n if <... django.utils.http.is_safe_url(...) ...>:\n ...\n"
},
{
"pattern-not-inside": "def $FUNC(...):\n ...\n django.utils.http.url_has_allowed_host_and_scheme(...)\n ...\n"
},
{
"pattern-not-inside": "def $FUNC(...):\n ...\n if <... django.utils.http.url_has_allowed_host_and_scheme(...) ...>:\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.shortcuts.redirect(..., request.$W.get(...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.shortcuts.redirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.shortcuts.redirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.shortcuts.redirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.shortcuts.redirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.shortcuts.redirect(..., request.$W.get(...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "django.shortcuts.redirect(..., request.$W(...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.shortcuts.redirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.shortcuts.redirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.shortcuts.redirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.shortcuts.redirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.shortcuts.redirect(..., request.$W(...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., request.$W(...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "django.shortcuts.redirect(..., request.$W[...], ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "django.shortcuts.redirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.shortcuts.redirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.shortcuts.redirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.shortcuts.redirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.shortcuts.redirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.shortcuts.redirect(..., request.$W[...], ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., request.$W[...], ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "django.shortcuts.redirect(..., request.$W, ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "django.shortcuts.redirect(..., $S % request.$W, ...)"
},
{
"pattern": "django.shortcuts.redirect(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.shortcuts.redirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.shortcuts.redirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.shortcuts.redirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.shortcuts.redirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.shortcuts.redirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.shortcuts.redirect(..., request.$W, ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., $S % request.$W, ...)"
},
{
"pattern": "$A = django.shortcuts.redirect(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., request.$W, ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., $S % request.$W, ...)"
},
{
"pattern": "return django.shortcuts.redirect(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseRedirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseRedirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., request.$W.get(...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseRedirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseRedirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseRedirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., request.$W(...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., request.$W(...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S % request.$W(...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseRedirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseRedirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseRedirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseRedirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., request.$W[...], ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., request.$W[...], ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S % request.$W[...], ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., request.$W, ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., $S % request.$W, ...)"
},
{
"pattern": "django.http.HttpResponseRedirect(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseRedirect(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseRedirect(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseRedirect(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseRedirect(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseRedirect(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., request.$W, ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., $S % request.$W, ...)"
},
{
"pattern": "$A = django.http.HttpResponseRedirect(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., request.$W, ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., $S % request.$W, ...)"
},
{
"pattern": "return django.http.HttpResponseRedirect(..., f\"...{request.$W}...\", ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$W",
"regex": "(?!get_full_path)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.raw-html-format",
"languages": [
"python"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render",
"https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "django.utils.html.escape(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" % ..."
},
{
"pattern": "\"$HTMLSTR\".format(...)"
},
{
"pattern": "\"$HTMLSTR\" + ..."
},
{
"pattern": "f\"$HTMLSTR{...}...\""
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$HTML = \"$HTMLSTR\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "$HTML % ..."
},
{
"pattern": "$HTML.format(...)"
},
{
"pattern": "$HTML + ..."
}
]
}
]
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "request.$ANYTHING"
},
{
"pattern-not": "request.build_absolute_uri"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.reflected-data-httpresponse",
"languages": [
"python"
],
"message": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.http.HttpResponse(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponse(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponse(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponse(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponse(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.http.HttpResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S % request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponse(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponse(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponse(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponse(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponse(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponse(..., request.$W(...), ...)"
},
{
"pattern": "return django.http.HttpResponse(..., request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S % request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponse(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "django.http.HttpResponse(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponse(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponse(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponse(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponse(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponse(..., request.$W[...], ...)"
},
{
"pattern": "return django.http.HttpResponse(..., request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "django.http.HttpResponse(..., $S % request.$W, ...)"
},
{
"pattern": "django.http.HttpResponse(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "django.http.HttpResponse(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponse(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponse(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponse(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$A = django.http.HttpResponse(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\n$A = django.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "return django.http.HttpResponse(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponse(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponse(..., $INTERM, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.reflected-data-httpresponsebadrequest",
"languages": [
"python"
],
"message": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.http.HttpResponseBadRequest(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseBadRequest(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseBadRequest(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.http.HttpResponseBadRequest(..., request.$W.get(...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseBadRequest(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseBadRequest(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.HttpResponseBadRequest(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseBadRequest(..., request.$W(...), ...)"
},
{
"pattern": "return django.http.HttpResponseBadRequest(..., request.$W(...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseBadRequest(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseBadRequest(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseBadRequest(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.HttpResponseBadRequest(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseBadRequest(..., request.$W[...], ...)"
},
{
"pattern": "return django.http.HttpResponseBadRequest(..., request.$W[...], ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., $S % request.$W, ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "django.http.HttpResponseBadRequest(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseBadRequest(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseBadRequest(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseBadRequest(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.HttpResponseBadRequest(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.http.HttpResponseBadRequest(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.HttpResponseBadRequest(..., request.$W, ...)"
},
{
"pattern": "return django.http.HttpResponseBadRequest(..., request.$W, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.request-data-fileresponse",
"languages": [
"python"
],
"message": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.http.FileResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.http.FileResponse(..., open($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = open($DATA, ...)\n...\ndjango.http.FileResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.FileResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.http.FileResponse(..., request.$W.get(...), ...)"
},
{
"pattern": "django.http.FileResponse(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.http.FileResponse(..., open($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = open($DATA, ...)\n...\ndjango.http.FileResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.FileResponse(..., request.$W(...), ...)"
},
{
"pattern": "return django.http.FileResponse(..., request.$W(...), ...)"
},
{
"pattern": "django.http.FileResponse(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.http.FileResponse(..., open($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = open($DATA, ...)\n...\ndjango.http.FileResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.FileResponse(..., request.$W[...], ...)"
},
{
"pattern": "return django.http.FileResponse(..., request.$W[...], ...)"
},
{
"pattern": "django.http.FileResponse(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.http.FileResponse(..., open($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = open($DATA, ...)\n...\ndjango.http.FileResponse(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.http.FileResponse(..., request.$W, ...)"
},
{
"pattern": "return django.http.FileResponse(..., request.$W, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.request-data-write",
"languages": [
"python"
],
"message": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"pattern-either": [
{
"pattern": "$F.write(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$F.write(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$F.write(..., $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$F.write(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$F.write(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $F.write(..., request.$W.get(...), ...)"
},
{
"pattern": "return $F.write(..., request.$W.get(...), ...)"
},
{
"pattern": "$F.write(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$F.write(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$F.write(..., $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$F.write(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$F.write(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $F.write(..., request.$W(...), ...)"
},
{
"pattern": "return $F.write(..., request.$W(...), ...)"
},
{
"pattern": "$F.write(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$F.write(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$F.write(..., $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$F.write(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$F.write(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $F.write(..., request.$W[...], ...)"
},
{
"pattern": "return $F.write(..., request.$W[...], ...)"
},
{
"pattern": "$F.write(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$F.write(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$F.write(..., $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$F.write(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$F.write(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$F.write(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $F.write(..., request.$W, ...)"
},
{
"pattern": "return $F.write(..., request.$W, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.tainted-sql-string",
"languages": [
"python"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "LOW",
"likelihood": "MEDIUM",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\" % ...\n"
},
{
"pattern": "\"$SQLSTR\".format(...)\n"
},
{
"pattern": "f\"$SQLSTR{...}...\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "request.$ANYTHING"
},
{
"pattern-not": "request.build_absolute_uri"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.injection.tainted-url-host",
"languages": [
"python"
],
"message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "\"$URLSTR\" % ..."
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"patterns": [
{
"pattern-either": [
{
"pattern": "$SCHEME://%s"
},
{
"pattern": "$SCHEME://%r"
}
]
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "\"$URLSTR\".format(...)"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"pattern": "$SCHEME:// { ... }"
}
}
]
},
{
"patterns": [
{
"pattern": "\"$URLSTR\" + ..."
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
},
{
"patterns": [
{
"pattern": "f\"$URLSTR{...}...\""
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$URL = \"$URLSTR\"\n...\n"
},
{
"pattern": "$URL += ..."
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "request.$ANYTHING"
},
{
"pattern-not": "request.build_absolute_uri"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.code.globals-misuse-code-execution",
"languages": [
"python"
],
"message": "Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals().get($DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals().get(\"...\" % $DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals().get(f\"...{$DATA}...\", ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals().get(\"...\".format(..., $DATA, ...), ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals()[$DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals()[\"...\" % $DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals()[f\"...{$DATA}...\"]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = globals()[\"...\".format(..., $DATA, ...)]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals().get($DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals().get(\"...\" % $DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals().get(f\"...{$DATA}...\", ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals().get(\"...\".format(..., $DATA, ...), ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals()[$DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals()[\"...\" % $DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals()[f\"...{$DATA}...\"]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = globals()[\"...\".format(..., $DATA, ...)]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals().get($DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals().get(\"...\" % $DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals().get(f\"...{$DATA}...\", ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals().get(\"...\".format(..., $DATA, ...), ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals()[$DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals()[\"...\" % $DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals()[f\"...{$DATA}...\"]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = globals()[\"...\".format(..., $DATA, ...)]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals().get($DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals().get(\"...\" % $DATA, ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals().get(f\"...{$DATA}...\", ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals().get(\"...\".format(..., $DATA, ...), ...)\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals()[$DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals()[\"...\" % $DATA]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals()[f\"...{$DATA}...\"]\n...\n$INTERM(...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = globals()[\"...\".format(..., $DATA, ...)]\n...\n$INTERM(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.code.user-eval-format-string",
"languages": [
"python"
],
"message": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "eval(..., $STR % request.$W.get(...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\neval(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = $STR % $V\n...\neval(..., $S, ...)\n"
},
{
"pattern": "eval(..., \"...\" % request.$W(...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\neval(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = $STR % $V\n...\neval(..., $S, ...)\n"
},
{
"pattern": "eval(..., $STR % request.$W[...], ...)"
},
{
"pattern": "$V = request.$W[...]\n...\neval(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = $STR % $V\n...\neval(..., $S, ...)\n"
},
{
"pattern": "eval(..., $STR.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\neval(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = $STR.format(..., $V, ...)\n...\neval(..., $S, ...)\n"
},
{
"pattern": "eval(..., $STR.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\neval(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = $STR.format(..., $V, ...)\n...\neval(..., $S, ...)\n"
},
{
"pattern": "eval(..., $STR.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$V = request.$W[...]\n...\neval(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = $STR.format(..., $V, ...)\n...\neval(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\neval(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = f\"...{$V}...\"\n...\neval(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\neval(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = f\"...{$V}...\"\n...\neval(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\neval(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = f\"...{$V}...\"\n...\neval(..., $S, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.code.user-eval",
"languages": [
"python"
],
"message": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html",
"https://owasp.org/www-community/attacks/Code_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "eval(..., request.$W.get(...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\neval(..., $V, ...)\n"
},
{
"pattern": "eval(..., request.$W(...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\neval(..., $V, ...)\n"
},
{
"pattern": "eval(..., request.$W[...], ...)"
},
{
"pattern": "$V = request.$W[...]\n...\neval(..., $V, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.code.user-exec-format-string",
"languages": [
"python"
],
"message": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/Code_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "exec(..., $STR % request.$W.get(...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\nexec(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = $STR % $V\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., \"...\" % request.$W(...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\nexec(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = $STR % $V\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., $STR % request.$W[...], ...)"
},
{
"pattern": "$V = request.$W[...]\n...\nexec(..., $STR % $V, ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = $STR % $V\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., $STR.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\nexec(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = $STR.format(..., $V, ...)\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., $STR.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\nexec(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = $STR.format(..., $V, ...)\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., $STR.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$V = request.$W[...]\n...\nexec(..., $STR.format(..., $V, ...), ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = $STR.format(..., $V, ...)\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\nexec(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\n$S = f\"...{$V}...\"\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\nexec(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W(...)\n...\n$S = f\"...{$V}...\"\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\nexec(..., f\"...{$V}...\", ...)\n"
},
{
"pattern": "$V = request.$W[...]\n...\n$S = f\"...{$V}...\"\n...\nexec(..., $S, ...)\n"
},
{
"pattern": "exec(..., base64.decodestring($S.format(..., request.$W.get(...), ...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring($S % request.$W.get(...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(f\"...{request.$W.get(...)}...\", ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(request.$W.get(...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(bytes($S.format(..., request.$W.get(...), ...), ...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(bytes($S % request.$W.get(...), ...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(bytes(f\"...{request.$W.get(...)}...\", ...), ...), ...)"
},
{
"pattern": "exec(..., base64.decodestring(bytes(request.$W.get(...), ...), ...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nexec(..., base64.decodestring($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = base64.decodestring($DATA, ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nexec(..., base64.decodestring(bytes($DATA, ...), ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = base64.decodestring(bytes($DATA, ...), ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nexec(..., base64.decodestring($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = base64.decodestring($DATA, ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nexec(..., base64.decodestring(bytes($DATA, ...), ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = base64.decodestring(bytes($DATA, ...), ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nexec(..., base64.decodestring($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = base64.decodestring($DATA, ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nexec(..., base64.decodestring(bytes($DATA, ...), ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = base64.decodestring(bytes($DATA, ...), ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nexec(..., base64.decodestring($DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = base64.decodestring($DATA, ...)\n...\nexec(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nexec(..., base64.decodestring(bytes($DATA, ...), ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = base64.decodestring(bytes($DATA, ...), ...)\n...\nexec(..., $INTERM, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.code.user-exec",
"languages": [
"python"
],
"message": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/Code_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "exec(..., request.$W.get(...), ...)"
},
{
"pattern": "$V = request.$W.get(...)\n...\nexec(..., $V, ...)\n"
},
{
"pattern": "exec(..., request.$W(...), ...)"
},
{
"pattern": "$V = request.$W(...)\n...\nexec(..., $V, ...)\n"
},
{
"pattern": "exec(..., request.$W[...], ...)"
},
{
"pattern": "$V = request.$W[...]\n...\nexec(..., $V, ...)\n"
},
{
"pattern": "loop = asyncio.get_running_loop()\n...\nawait loop.run_in_executor(None, exec, request.$W[...])\n"
},
{
"pattern": "$V = request.$W[...]\n...\nloop = asyncio.get_running_loop()\n...\nawait loop.run_in_executor(None, exec, $V)\n"
},
{
"pattern": "loop = asyncio.get_running_loop()\n...\nawait loop.run_in_executor(None, exec, request.$W.get(...))\n"
},
{
"pattern": "$V = request.$W.get(...)\n...\nloop = asyncio.get_running_loop()\n...\nawait loop.run_in_executor(None, exec, $V)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.command.command-injection-os-system",
"languages": [
"python"
],
"message": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/Command_Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "os.system(..., request.$W.get(...), ...)"
},
{
"pattern": "os.system(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "os.system(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "os.system(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nos.system(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nos.system(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nos.system(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nos.system(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nos.system(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$A = os.system(..., request.$W.get(...), ...)"
},
{
"pattern": "$A = os.system(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$A = os.system(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$A = os.system(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "return os.system(..., request.$W.get(...), ...)"
},
{
"pattern": "return os.system(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "return os.system(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "return os.system(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "os.system(..., request.$W(...), ...)"
},
{
"pattern": "os.system(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "os.system(..., $S % request.$W(...), ...)"
},
{
"pattern": "os.system(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\nos.system(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nos.system(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nos.system(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nos.system(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nos.system(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$A = os.system(..., request.$W(...), ...)"
},
{
"pattern": "$A = os.system(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$A = os.system(..., $S % request.$W(...), ...)"
},
{
"pattern": "$A = os.system(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "return os.system(..., request.$W(...), ...)"
},
{
"pattern": "return os.system(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "return os.system(..., $S % request.$W(...), ...)"
},
{
"pattern": "return os.system(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "os.system(..., request.$W[...], ...)"
},
{
"pattern": "os.system(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "os.system(..., $S % request.$W[...], ...)"
},
{
"pattern": "os.system(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\nos.system(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nos.system(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nos.system(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nos.system(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nos.system(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$A = os.system(..., request.$W[...], ...)"
},
{
"pattern": "$A = os.system(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$A = os.system(..., $S % request.$W[...], ...)"
},
{
"pattern": "$A = os.system(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "return os.system(..., request.$W[...], ...)"
},
{
"pattern": "return os.system(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "return os.system(..., $S % request.$W[...], ...)"
},
{
"pattern": "return os.system(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "os.system(..., request.$W, ...)"
},
{
"pattern": "os.system(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "os.system(..., $S % request.$W, ...)"
},
{
"pattern": "os.system(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$DATA = request.$W\n...\nos.system(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nos.system(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nos.system(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nos.system(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nos.system(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\nos.system(..., $INTERM, ...)\n"
},
{
"pattern": "$A = os.system(..., request.$W, ...)"
},
{
"pattern": "$A = os.system(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$A = os.system(..., $S % request.$W, ...)"
},
{
"pattern": "$A = os.system(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "return os.system(..., request.$W, ...)"
},
{
"pattern": "return os.system(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "return os.system(..., $S % request.$W, ...)"
},
{
"pattern": "return os.system(..., f\"...{request.$W}...\", ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.injection.command.subprocess-injection",
"languages": [
"python"
],
"message": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "$DICT[$KEY]"
},
{
"focus-metavariable": "$KEY"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "subprocess.$FUNC(...)"
},
{
"pattern-not": "subprocess.$FUNC(\"...\", ...)"
},
{
"pattern-not": "subprocess.$FUNC([\"...\", ...], ...)"
},
{
"pattern-not-inside": "$CMD = [\"...\", ...]\n...\nsubprocess.$FUNC($CMD, ...)\n"
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC([\"$SHELL\", \"-c\", ...], ...)"
},
{
"metavariable-regex": {
"metavariable": "$SHELL",
"regex": "^(sh|bash|ksh|csh|tcsh|zsh)$"
}
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC([\"$INTERPRETER\", ...], ...)"
},
{
"metavariable-regex": {
"metavariable": "$INTERPRETER",
"regex": "^(python|python\\d)$"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $REQUEST, ...):\n ...\n"
},
{
"focus-metavariable": "$REQUEST"
},
{
"metavariable-pattern": {
"metavariable": "$REQUEST",
"patterns": [
{
"pattern": "request"
},
{
"pattern-not-inside": "request.build_absolute_uri"
}
]
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.injection.email.xss-html-email-body",
"languages": [
"python"
],
"message": "Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.damonkohler.com/2008/12/email-injection.html"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n $EMAIL.content_subtype = \"html\"\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)"
},
{
"pattern": "return django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...)"
},
{
"pattern": "django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.EmailMessage($SUBJ, f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)"
},
{
"pattern": "return django.core.mail.EmailMessage($SUBJ, request.$W(...), ...)"
},
{
"pattern": "django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.EmailMessage($SUBJ, $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.EmailMessage($SUBJ, f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)"
},
{
"pattern": "return django.core.mail.EmailMessage($SUBJ, request.$W[...], ...)"
},
{
"pattern": "django.core.mail.EmailMessage($SUBJ, request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.EmailMessage($SUBJ, $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $B.$C(..., $DATA, ...)\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.EmailMessage($SUBJ, f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.EmailMessage($SUBJ, $INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.EmailMessage($SUBJ, request.$W, ...)"
},
{
"pattern": "return django.core.mail.EmailMessage($SUBJ, request.$W, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.email.xss-send-mail-html-message",
"languages": [
"python"
],
"message": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.damonkohler.com/2008/12/email-injection.html"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.core.mail.send_mail(..., html_message=request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.send_mail(..., html_message=$DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.send_mail(..., html_message=f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.send_mail(..., html_message=request.$W.get(...), ...)"
},
{
"pattern": "return django.core.mail.send_mail(..., html_message=request.$W.get(...), ...)"
},
{
"pattern": "django.core.mail.send_mail(..., html_message=request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.send_mail(..., html_message=$DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.send_mail(..., html_message=f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.core.mail.send_mail(..., html_message=$STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.send_mail(..., html_message=request.$W(...), ...)"
},
{
"pattern": "return django.core.mail.send_mail(..., html_message=request.$W(...), ...)"
},
{
"pattern": "django.core.mail.send_mail(..., html_message=request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.send_mail(..., html_message=$DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.send_mail(..., html_message=$STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.send_mail(..., html_message=f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.core.mail.send_mail(..., html_message=$STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.send_mail(..., html_message=request.$W[...], ...)"
},
{
"pattern": "return django.core.mail.send_mail(..., html_message=request.$W[...], ...)"
},
{
"pattern": "django.core.mail.send_mail(..., html_message=request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.send_mail(..., html_message=$DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.send_mail(..., html_message=$STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.send_mail(..., html_message=f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.core.mail.send_mail(..., html_message=$STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.core.mail.send_mail(..., html_message=$INTERM, ...)\n"
},
{
"pattern": "$A = django.core.mail.send_mail(..., html_message=request.$W, ...)"
},
{
"pattern": "return django.core.mail.send_mail(..., html_message=request.$W, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.path-traversal.path-traversal-file-name",
"languages": [
"python"
],
"message": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-not-inside": "def $F(...):\n ...\n os.path.realpath(...)\n ...\n"
},
{
"pattern-not-inside": "def $F(...):\n ...\n os.path.abspath(...)\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$V = request.$W.get($X)\n...\n$FILE % ($V)\n"
},
{
"pattern": "$V = request.$W[$X]\n...\n$FILE % ($V)\n"
},
{
"pattern": "$V = request.$W($X)\n...\n$FILE % ($V)\n"
},
{
"pattern": "$V = request.$W\n...\n$FILE % ($V)\n# match format use cases\n"
},
{
"pattern": "$V = request.$W.get($X)\n...\n$FILE.format(..., $V, ...)\n"
},
{
"pattern": "$V = request.$W[$X]\n...\n$FILE.format(..., $V, ...)\n"
},
{
"pattern": "$V = request.$W($X)\n...\n$FILE.format(..., $V, ...)\n"
},
{
"pattern": "$V = request.$W\n...\n$FILE.format(..., $V, ...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FILE",
"regex": ".*\\.(log|zip|txt|csv|xml|html).*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.path-traversal.path-traversal-join",
"languages": [
"python"
],
"message": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"audit"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $F(...):\n ...\n"
},
{
"pattern-not-inside": "def $F(...):\n ...\n os.path.abspath(...)\n ...\n"
},
{
"pattern-not-inside": "def $F(...):\n ...\n os.path.realpath(...)\n ...\n"
},
{
"pattern-either": [
{
"pattern": "open(os.path.join(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "open(os.path.join(..., request.$W(...), ...), ...)"
},
{
"pattern": "open(os.path.join(..., request.$W, ...), ...)"
},
{
"pattern": "open(os.path.join(..., request.$W[...], ...), ...)"
},
{
"pattern": "$P = os.path.join(..., request.$W.get(...), ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$P = os.path.join(..., request.$W(...), ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$P = os.path.join(..., request.$W, ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$P = os.path.join(..., request.$W[...], ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$V = request.$W.get($X)\n...\n$P = os.path.join(..., $V, ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$V = request.$W($X)\n...\n$P = os.path.join(..., $V, ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$V = request.$W[$X]\n...\n$P = os.path.join(..., $V, ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$V = request.$W\n...\n$P = os.path.join(..., $V, ...)\n...\nopen($P, ...)\n"
},
{
"pattern": "$P = request.$W.get(...)\n...\nopen(os.path.join(..., $P, ...), ...)\n"
},
{
"pattern": "$P = request.$W(...)\n...\nopen(os.path.join(..., $P, ...), ...)\n"
},
{
"pattern": "$P = request.$W\n...\nopen(os.path.join(..., $P, ...), ...)\n"
},
{
"pattern": "$P = request.$W[...]\n...\nopen(os.path.join(..., $P, ...), ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.path-traversal.path-traversal-open",
"languages": [
"python"
],
"message": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "open(..., request.$W.get(...), ...)"
},
{
"pattern": "open(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "open(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "open(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$A = open(..., request.$W.get(...), ...)"
},
{
"pattern": "$A = open(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$A = open(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$A = open(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "return open(..., request.$W.get(...), ...)"
},
{
"pattern": "return open(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "return open(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "return open(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nwith open(..., $DATA, ...) as $FD:\n ...\n"
},
{
"pattern": "open(..., request.$W(...), ...)"
},
{
"pattern": "open(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "open(..., $S % request.$W(...), ...)"
},
{
"pattern": "open(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\nopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$A = open(..., request.$W(...), ...)"
},
{
"pattern": "$A = open(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$A = open(..., $S % request.$W(...), ...)"
},
{
"pattern": "$A = open(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "return open(..., request.$W(...), ...)"
},
{
"pattern": "return open(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "return open(..., $S % request.$W(...), ...)"
},
{
"pattern": "return open(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\nwith open(..., $DATA, ...) as $FD:\n ...\n"
},
{
"pattern": "open(..., request.$W[...], ...)"
},
{
"pattern": "open(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "open(..., $S % request.$W[...], ...)"
},
{
"pattern": "open(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\nopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$A = open(..., request.$W[...], ...)"
},
{
"pattern": "$A = open(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$A = open(..., $S % request.$W[...], ...)"
},
{
"pattern": "$A = open(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "return open(..., request.$W[...], ...)"
},
{
"pattern": "return open(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "return open(..., $S % request.$W[...], ...)"
},
{
"pattern": "return open(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\nwith open(..., $DATA, ...) as $FD:\n ...\n"
},
{
"pattern": "open(..., request.$W, ...)"
},
{
"pattern": "open(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "open(..., $S % request.$W, ...)"
},
{
"pattern": "open(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$DATA = request.$W\n...\nopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W\n...\nopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W\n...\nopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W\n...\nopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$DATA = request.$W\n...\nopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\nopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\nwith open(..., $INTERM, ...) as $FD:\n ...\n"
},
{
"pattern": "$A = open(..., request.$W, ...)"
},
{
"pattern": "$A = open(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$A = open(..., $S % request.$W, ...)"
},
{
"pattern": "$A = open(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "return open(..., request.$W, ...)"
},
{
"pattern": "return open(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "return open(..., $S % request.$W, ...)"
},
{
"pattern": "return open(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$DATA = request.$W\n...\nwith open(..., $DATA, ...) as $FD:\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.sql.sql-injection-using-extra-where",
"languages": [
"python"
],
"message": "User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S.format(..., request.$W.get(...), ...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S % request.$W.get(...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., f\"...{request.$W.get(...)}...\", ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., f\"...{$DATA}...\", ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$A = $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...)"
},
{
"pattern": "return $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S.format(..., request.$W(...), ...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S % request.$W(...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., f\"...{request.$W(...)}...\", ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., f\"...{$DATA}...\", ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$A = $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...)"
},
{
"pattern": "return $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S.format(..., request.$W[...], ...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S % request.$W[...], ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., f\"...{request.$W[...]}...\", ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., f\"...{$DATA}...\", ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$A = $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...)"
},
{
"pattern": "return $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S.format(..., request.$W, ...), ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., $S % request.$W, ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., f\"...{request.$W}...\", ...], ...)"
},
{
"pattern": "$MODEL.objects.extra(..., where=[..., request.$W, ...], ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., f\"...{$DATA}...\", ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$A = $MODEL.objects.extra(..., where=[..., request.$W, ...], ...)"
},
{
"pattern": "return $MODEL.objects.extra(..., where=[..., request.$W, ...], ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.extra(..., where=[..., $INTERM, ...], ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.sql.sql-injection-using-rawsql",
"languages": [
"python"
],
"message": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "django.db.models.expressions.RawSQL(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.db.models.expressions.RawSQL(..., request.$W.get(...), ...)"
},
{
"pattern": "return django.db.models.expressions.RawSQL(..., request.$W.get(...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S % request.$W(...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.db.models.expressions.RawSQL(..., request.$W(...), ...)"
},
{
"pattern": "return django.db.models.expressions.RawSQL(..., request.$W(...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S % request.$W[...], ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.db.models.expressions.RawSQL(..., request.$W[...], ...)"
},
{
"pattern": "return django.db.models.expressions.RawSQL(..., request.$W[...], ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., $S % request.$W, ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "django.db.models.expressions.RawSQL(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\ndjango.db.models.expressions.RawSQL(..., $INTERM, ...)\n"
},
{
"pattern": "$A = django.db.models.expressions.RawSQL(..., request.$W, ...)"
},
{
"pattern": "return django.db.models.expressions.RawSQL(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\ndjango.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\ndjango.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\ndjango.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\ndjango.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\ndjango.db.models.expressions.RawSQL($INTERM, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.sql.sql-injection-db-cursor-execute",
"languages": [
"python"
],
"message": "User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$CURSOR.execute(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$CURSOR.execute(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$CURSOR.execute(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $CURSOR.execute(..., request.$W.get(...), ...)"
},
{
"pattern": "return $CURSOR.execute(..., request.$W.get(...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S % request.$W(...), ...)"
},
{
"pattern": "$CURSOR.execute(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$CURSOR.execute(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $CURSOR.execute(..., request.$W(...), ...)"
},
{
"pattern": "return $CURSOR.execute(..., request.$W(...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S % request.$W[...], ...)"
},
{
"pattern": "$CURSOR.execute(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$CURSOR.execute(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $CURSOR.execute(..., request.$W[...], ...)"
},
{
"pattern": "return $CURSOR.execute(..., request.$W[...], ...)"
},
{
"pattern": "$CURSOR.execute(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$CURSOR.execute(..., $S % request.$W, ...)"
},
{
"pattern": "$CURSOR.execute(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$CURSOR.execute(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\n$CURSOR.execute(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $CURSOR.execute(..., request.$W, ...)"
},
{
"pattern": "return $CURSOR.execute(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$CURSOR.execute($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$CURSOR.execute($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$CURSOR.execute($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$CURSOR.execute($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$CURSOR.execute($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$CURSOR.execute($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$CURSOR.execute($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$CURSOR.execute($INTERM, ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.sql.sql-injection-using-raw",
"languages": [
"python"
],
"message": "Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$MODEL.objects.raw(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "$MODEL.objects.raw(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $MODEL.objects.raw(..., request.$W.get(...), ...)"
},
{
"pattern": "return $MODEL.objects.raw(..., request.$W.get(...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S % request.$W(...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "$MODEL.objects.raw(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $MODEL.objects.raw(..., request.$W(...), ...)"
},
{
"pattern": "return $MODEL.objects.raw(..., request.$W(...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S % request.$W[...], ...)"
},
{
"pattern": "$MODEL.objects.raw(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "$MODEL.objects.raw(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $MODEL.objects.raw(..., request.$W[...], ...)"
},
{
"pattern": "return $MODEL.objects.raw(..., request.$W[...], ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "$MODEL.objects.raw(..., $S % request.$W, ...)"
},
{
"pattern": "$MODEL.objects.raw(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "$MODEL.objects.raw(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\n$MODEL.objects.raw(..., $INTERM, ...)\n"
},
{
"pattern": "$A = $MODEL.objects.raw(..., request.$W, ...)"
},
{
"pattern": "return $MODEL.objects.raw(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$MODEL.objects.raw($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$MODEL.objects.raw($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$MODEL.objects.raw($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$MODEL.objects.raw($STR % (..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.raw($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.raw($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.raw($INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % (..., $DATA, ...)\n...\n$MODEL.objects.raw($INTERM, ...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.django.security.injection.ssrf.ssrf-injection-requests",
"languages": [
"python"
],
"message": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "requests.$METHOD(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "requests.$METHOD(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "requests.$METHOD(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nrequests.$METHOD(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nrequests.$METHOD(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nrequests.$METHOD(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nrequests.$METHOD(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nrequests.$METHOD(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$A = requests.$METHOD(..., request.$W.get(...), ...)"
},
{
"pattern": "return requests.$METHOD(..., request.$W.get(...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S % request.$W(...), ...)"
},
{
"pattern": "requests.$METHOD(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "requests.$METHOD(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\nrequests.$METHOD(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nrequests.$METHOD(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nrequests.$METHOD(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nrequests.$METHOD(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nrequests.$METHOD(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$A = requests.$METHOD(..., request.$W(...), ...)"
},
{
"pattern": "return requests.$METHOD(..., request.$W(...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S % request.$W[...], ...)"
},
{
"pattern": "requests.$METHOD(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "requests.$METHOD(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\nrequests.$METHOD(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nrequests.$METHOD(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nrequests.$METHOD(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nrequests.$METHOD(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nrequests.$METHOD(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$A = requests.$METHOD(..., request.$W[...], ...)"
},
{
"pattern": "return requests.$METHOD(..., request.$W[...], ...)"
},
{
"pattern": "requests.$METHOD(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "requests.$METHOD(..., $S % request.$W, ...)"
},
{
"pattern": "requests.$METHOD(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "requests.$METHOD(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\nrequests.$METHOD(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nrequests.$METHOD(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nrequests.$METHOD(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nrequests.$METHOD(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nrequests.$METHOD(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\nrequests.$METHOD(..., $INTERM, ...)\n"
},
{
"pattern": "$A = requests.$METHOD(..., request.$W, ...)"
},
{
"pattern": "return requests.$METHOD(..., request.$W, ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.injection.ssrf.ssrf-injection-urllib",
"languages": [
"python"
],
"message": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.urlopen(..., $S.format(..., request.$W.get(...), ...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S % request.$W.get(...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., f\"...{request.$W.get(...)}...\", ...)"
},
{
"pattern": "urllib.request.urlopen(..., request.$W.get(...), ...)"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nurllib.request.urlopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nurllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nurllib.request.urlopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR % $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nurllib.request.urlopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\nurllib.request.urlopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W.get(...)\n...\n$INTERM = $STR + $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$A = urllib.request.urlopen(..., request.$W.get(...), ...)"
},
{
"pattern": "return urllib.request.urlopen(..., request.$W.get(...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S.format(..., request.$W(...), ...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S % request.$W(...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., f\"...{request.$W(...)}...\", ...)"
},
{
"pattern": "urllib.request.urlopen(..., request.$W(...), ...)"
},
{
"pattern": "$DATA = request.$W(...)\n...\nurllib.request.urlopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nurllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nurllib.request.urlopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR % $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nurllib.request.urlopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = f\"...{$DATA}...\"\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\nurllib.request.urlopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W(...)\n...\n$INTERM = $STR + $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$A = urllib.request.urlopen(..., request.$W(...), ...)"
},
{
"pattern": "return urllib.request.urlopen(..., request.$W(...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S.format(..., request.$W[...], ...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S % request.$W[...], ...)"
},
{
"pattern": "urllib.request.urlopen(..., f\"...{request.$W[...]}...\", ...)"
},
{
"pattern": "urllib.request.urlopen(..., request.$W[...], ...)"
},
{
"pattern": "$DATA = request.$W[...]\n...\nurllib.request.urlopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nurllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nurllib.request.urlopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR % $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nurllib.request.urlopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = f\"...{$DATA}...\"\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\nurllib.request.urlopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W[...]\n...\n$INTERM = $STR + $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$A = urllib.request.urlopen(..., request.$W[...], ...)"
},
{
"pattern": "return urllib.request.urlopen(..., request.$W[...], ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S.format(..., request.$W, ...), ...)"
},
{
"pattern": "urllib.request.urlopen(..., $S % request.$W, ...)"
},
{
"pattern": "urllib.request.urlopen(..., f\"...{request.$W}...\", ...)"
},
{
"pattern": "urllib.request.urlopen(..., request.$W, ...)"
},
{
"pattern": "$DATA = request.$W\n...\nurllib.request.urlopen(..., $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nurllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR.format(..., $DATA, ...)\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nurllib.request.urlopen(..., $STR % $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR % $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nurllib.request.urlopen(..., f\"...{$DATA}...\", ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = f\"...{$DATA}...\"\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\nurllib.request.urlopen(..., $STR + $DATA, ...)\n"
},
{
"pattern": "$DATA = request.$W\n...\n$INTERM = $STR + $DATA\n...\nurllib.request.urlopen(..., $INTERM, ...)\n"
},
{
"pattern": "$A = urllib.request.urlopen(..., request.$W, ...)"
},
{
"pattern": "return urllib.request.urlopen(..., request.$W, ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.django.security.passwords.password-empty-string",
"languages": [
"python"
],
"message": "'$VAR' is the empty string and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the password to None or call 'set_unusable_password()'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-521: Weak Password Requirements"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$MODEL.set_password($EMPTY)\n...\n$MODEL.save()\n"
},
{
"pattern": "$VAR = $EMPTY\n...\n$MODEL.set_password($VAR)\n...\n$MODEL.save()\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$EMPTY",
"regex": "(\\'\\'|\\\"\\\")"
}
}
],
"severity": "ERROR"
},
{
"fix": "None\n",
"id": "vendored-rules.python.django.security.passwords.use-none-for-password-default",
"languages": [
"python"
],
"message": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-521: Weak Password Requirements"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password"
],
"subcategory": [
"vuln"
],
"technology": [
"django"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$VAR = request.$W.get($X, $EMPTY)\n...\n$MODEL.set_password($VAR)\n...\n$MODEL.save(...)\n"
},
{
"pattern": "def $F(..., $VAR=$EMPTY, ...):\n ...\n $MODEL.set_password($VAR)\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$EMPTY",
"pattern": "\"\""
}
},
{
"focus-metavariable": "$EMPTY"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.docker.security.audit.docker-arbitrary-container-run",
"languages": [
"python"
],
"message": "If unverified user data can reach the `run` or `create` method it can result in running arbitrary container.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-250: Execution with Unnecessary Privileges"
],
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/250.html"
],
"subcategory": [
"audit"
],
"technology": [
"docker"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CLIENT = docker.from_env()\n...\n"
},
{
"pattern-inside": "$CLIENT = docker.DockerClient(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$CLIENT.containers.run(...)\n"
},
{
"pattern": "$CLIENT.containers.create(...)\n"
}
]
},
{
"pattern-not": "$CLIENT.containers.run(\"...\",...)\n"
},
{
"pattern-not": "$CLIENT.containers.create(\"...\",...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.fastapi.security.wildcard-cors",
"languages": [
"python"
],
"message": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
],
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration",
"https://cwe.mitre.org/data/definitions/942.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"fastapi"
],
"vulnerability_class": [
"Configuration"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$APP.add_middleware(\n CORSMiddleware,\n allow_origins=$ORIGIN,\n ...);\n"
},
{
"focus-metavariable": "$ORIGIN"
}
]
}
],
"pattern-sources": [
{
"pattern": "[..., \"*\", ...]"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.dangerous-template-string",
"languages": [
"python"
],
"message": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html",
"https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$V = \"...\".format(...)\n...\nflask.render_template_string($V, ...)\n"
},
{
"pattern": "$V = \"...\".format(...)\n...\nreturn flask.render_template_string($V, ...), $MORE\n"
},
{
"pattern": "$V = \"...\" % $S\n...\nflask.render_template_string($V, ...)\n"
},
{
"pattern": "$V = \"...\" % $S\n...\nreturn flask.render_template_string($V, ...), $MORE\n"
},
{
"pattern": "$V = \"...\"\n...\n$V += $O\n...\nflask.render_template_string($V, ...)\n"
},
{
"pattern": "$V = \"...\"\n...\n$V += $O\n...\nreturn flask.render_template_string($V, ...), $MORE\n"
},
{
"pattern": "$V = f\"...{$X}...\"\n...\nflask.render_template_string($V, ...)\n"
},
{
"pattern": "$V = f\"...{$X}...\"\n...\nreturn flask.render_template_string($V, ...), $CODE\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.flask-api-method-string-format",
"languages": [
"python"
],
"message": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-134: Use of Externally-Controlled Format String"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/134.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "def $METHOD(...,$ARG,...):\n ...\n $STRING = \"...\".format(...,$ARG,...)\n ...\n ... = requests.$REQMETHOD($STRING,...)\n"
},
{
"pattern": "def $METHOD(...,$ARG,...):\n ...\n ... = requests.$REQMETHOD(\"...\".format(...,$ARG,...),...)\n"
}
]
},
{
"pattern-inside": "class $CLASS(...):\n method_decorators = ...\n ...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.hashids-with-flask-secret",
"languages": [
"python"
],
"message": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A02:2021 \u2013 Cryptographic Failures"
],
"references": [
"https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY",
"http://carnage.github.io/2015/08/cryptanalysis-of-hashids"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)"
},
{
"pattern": "hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)"
},
{
"patterns": [
{
"pattern-inside": "$APP = flask.Flask(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)"
},
{
"pattern": "hashids.Hashids($APP.config['SECRET_KEY'], ...)"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.insecure-deserialization",
"languages": [
"python"
],
"message": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-inside": "@app.route(...)\ndef $X(...):\n ...\n"
},
{
"pattern-not": "$MODULE.$FUNC(\"...\")"
},
{
"pattern-not": "$MODULE.$FUNC(open(\"...\", ...))"
},
{
"pattern-either": [
{
"pattern": "pickle.$FUNC(...)"
},
{
"pattern": "_pickle.$FUNC(...)"
},
{
"pattern": "cPickle.$FUNC(...)"
},
{
"pattern": "dill.$FUNC(...)"
},
{
"pattern": "shelve.$FUNC(...)"
},
{
"pattern": "yaml.load(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.open-redirect",
"languages": [
"python"
],
"message": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://flask-login.readthedocs.io/en/latest/#login-example",
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1",
"https://docs.python.org/3/library/urllib.parse.html#url-parsing"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $X(...):\n ...\n"
},
{
"pattern-not-inside": "@$APP.route(...)\ndef $X(...):\n ...\n if <... werkzeug.urls.url_parse($V) ...>:\n ...\n"
},
{
"pattern-either": [
{
"pattern": "flask.redirect(<... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "flask.redirect(<... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "flask.redirect(<... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "flask.redirect(<... flask.request.$W ...>, ...)"
},
{
"pattern": "$V = flask.request.$W.get(...)\n...\nflask.redirect(<... $V ...>, ...)\n"
},
{
"pattern": "$V = flask.request.$W[...]\n...\nflask.redirect(<... $V ...>, ...)\n"
},
{
"pattern": "$V = flask.request.$W(...)\n...\nflask.redirect(<... $V ...>, ...)\n"
},
{
"pattern": "$V = flask.request.$W\n...\nflask.redirect(<... $V ...>, ...)\n"
}
]
},
{
"pattern-not": "flask.redirect(flask.request.path)"
},
{
"pattern-not": "flask.redirect(flask.request.path + ...)"
},
{
"pattern-not": "flask.redirect(f\"{flask.request.path}...\")"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.avoid_send_file_without_path_sanitization",
"languages": [
"python"
],
"message": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-73: External Control of File Name or Path"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-inside": "@app.route(...)\ndef $X(filename):\n ...\n"
},
{
"pattern": "flask.send_file(filename, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.unescaped-template-extension",
"languages": [
"python"
],
"message": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup",
"https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/",
"https://bento.dev/checks/flask/unescaped-file-extension/"
],
"source-rule-url": "https://pypi.org/project/flake8-flask/",
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-not": "flask.render_template(\"=~/.+\\.html$/\", ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xml$/\", ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.htm$/\", ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xhtml$/\", ...)"
},
{
"pattern-not": "flask.render_template($X + \"=~/\\.html$/\", ...)"
},
{
"pattern-not": "flask.render_template($X + \"=~/\\.xml$/\", ...)"
},
{
"pattern-not": "flask.render_template($X + \"=~/\\.htm$/\", ...)"
},
{
"pattern-not": "flask.render_template($X + \"=~/\\.xhtml$/\", ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.html$/\" % $X, ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xml$/\" % $X, ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.htm$/\" % $X, ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xhtml$/\" % $X, ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.html$/\".format(...), ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xml$/\".format(...), ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.htm$/\".format(...), ...)"
},
{
"pattern-not": "flask.render_template(\"=~/.+\\.xhtml$/\".format(...), ...)"
},
{
"pattern-not": "flask.render_template($TEMPLATE)"
},
{
"pattern-either": [
{
"pattern": "flask.render_template(\"...\", ...)"
},
{
"pattern": "flask.render_template($X + \"...\", ...)"
},
{
"pattern": "flask.render_template(\"...\" % $Y, ...)"
},
{
"pattern": "flask.render_template(\"...\".format(...), ...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.response-contains-unsanitized-input",
"languages": [
"python"
],
"message": "Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.0.x/security/",
"https://owasp.org/www-community/attacks/xss/"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$X = flask.request.args.get(...)\n...\nflask.make_response(\"...\".format($X))\n"
},
{
"pattern": "$X = flask.request.args.get(...)\n...\nflask.make_response(f\"...{$X}...\")\n"
},
{
"pattern": "$X = flask.request.args.get(...)\n...\nflask.make_response(f\"...{$X}\")\n"
},
{
"pattern": "$X = flask.request.args.get(...)\n...\nflask.make_response(f\"{$X}...\")\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_app_run_with_bad_host",
"languages": [
"python"
],
"message": "Running flask app with host 0.0.0.0 could expose the server publicly.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-668: Exposure of Resource to Wrong Sphere"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "app.run(..., host=\"0.0.0.0\", ...)"
},
{
"pattern": "app.run(..., \"0.0.0.0\", ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_using_app_run_directly",
"languages": [
"python"
],
"message": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-668: Exposure of Resource to Wrong Sphere"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-not-inside": "if __name__ == '__main__':\n ...\n"
},
{
"pattern-not-inside": "def $X(...):\n ...\n"
},
{
"pattern": "app.run(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.debug-enabled",
"languages": [
"python"
],
"message": "Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": "A06:2017 - Security Misconfiguration",
"references": [
"https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-inside": "import flask\n...\n"
},
{
"pattern": "$APP.run(..., debug=True, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.directly-returned-format-string",
"languages": [
"python"
],
"message": "Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-not-inside": "return \"...\""
},
{
"pattern-either": [
{
"pattern": "return \"...\".format(...)"
},
{
"pattern": "return \"...\" % ..."
},
{
"pattern": "return \"...\" + ..."
},
{
"pattern": "return ... + \"...\""
},
{
"pattern": "return f\"...{...}...\""
},
{
"patterns": [
{
"pattern": "return $X"
},
{
"pattern-either": [
{
"pattern-inside": "$X = \"...\".format(...)\n...\n"
},
{
"pattern-inside": "$X = \"...\" % ...\n...\n"
},
{
"pattern-inside": "$X = \"...\" + ...\n...\n"
},
{
"pattern-inside": "$X = ... + \"...\"\n...\n"
},
{
"pattern-inside": "$X = f\"...{...}...\"\n...\n"
}
]
},
{
"pattern-not-inside": "$X = \"...\"\n...\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $PARAM, ...):\n ...\n"
},
{
"pattern": "$PARAM"
}
]
},
{
"pattern": "request.$FUNC.get(...)\n"
},
{
"pattern": "request.$FUNC(...)\n"
},
{
"pattern": "request.$FUNC[...]"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.flask-cors-misconfiguration",
"languages": [
"python"
],
"message": "Setting 'support_credentials=True' together with 'origin=\"*\"' is a CORS misconfiguration that can allow third party origins to read sensitive data. Using this configuration, flask_cors will dynamically reflects the Origin of each request in the Access-Control-Allow-Origin header, allowing all origins and allowing cookies and credentials to be sent along with request. It is recommended to specify allowed origins instead of using \"*\" when setting 'support_credentials=True'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-942: Permissive Cross-domain Policy with Untrusted Domains"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://pypi.org/project/Flask-Cors/",
"https://flask-cors.readthedocs.io/en/latest/index.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "@cross_origin(..., origins=\"*\", supports_credentials=True, ...)\n"
},
{
"pattern": "CORS(..., supports_credentials=True, origins=\"*\", ...)\n"
},
{
"pattern": "CORS(..., resources={\"...\": {...,\"origins\": \"*\",\n\"supports_credentials\": True,...}})\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_hardcoded_config_TESTING",
"languages": [
"python"
],
"message": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://bento.dev/checks/flask/avoid-hardcoded-config/",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$M.config['TESTING'] = True"
},
{
"pattern": "$M.config['TESTING'] = False"
},
{
"pattern": "$M.update(TESTING=True, ...)"
},
{
"pattern": "$M.update(TESTING=False, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_hardcoded_config_SECRET_KEY",
"languages": [
"python"
],
"message": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://bento.dev/checks/flask/avoid-hardcoded-config/",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$M.update(SECRET_KEY=\"=~/.*/\")"
},
{
"pattern": "$M.config['SECRET_KEY'] = \"=~/.*/\""
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_hardcoded_config_ENV",
"languages": [
"python"
],
"message": "Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://bento.dev/checks/flask/avoid-hardcoded-config/",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$M.update(ENV=\"=~/^development|production$/\")"
},
{
"pattern": "$M.config['ENV'] = \"=~/^development|production$/\""
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.avoid_hardcoded_config_DEBUG",
"languages": [
"python"
],
"message": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://bento.dev/checks/flask/avoid-hardcoded-config/",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values",
"https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "$M.update(DEBUG=True)"
},
{
"pattern": "$M.update(DEBUG=False)"
},
{
"pattern": "$M.config['DEBUG'] = True"
},
{
"pattern": "$M.config['DEBUG'] = False"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.host-header-injection-python",
"languages": [
"python"
],
"message": "The `flask.request.host` is used to construct an HTTP request. This can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password reset issues, Server-Side-Request-Forgery (SSRF), and many more. It is recommended to validate the URL before passing it to a request library, or using application logic such as authentication or password resets.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-20: Improper Input Validation"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection",
"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X = <... \"=~/.*http[s]*:///\" + flask.request.host ...>;\n"
},
{
"pattern": "$X = <... \"=~/.*http[s]*:///\" + flask.request[\"host\"] ...>;\n"
},
{
"pattern": "$Z = flask.request.host;\n...\n$X = <... \"=~/.*http[s]*:///\" + $Z ...>;\n"
},
{
"pattern": "$Z = flask.request[\"host\"];\n...\n$X = <... \"=~/.*http[s]*:///\" + $Z ...>;\n"
}
]
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC():\n ...\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.flask.security.audit.render-template-string",
"languages": [
"python"
],
"message": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern": "flask.render_template_string(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.secure-set-cookie",
"languages": [
"python"
],
"message": "Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite='Lax'` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite='Lax'` arguments or set these to be true in the Flask configuration.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"functional-categories": [
"web::search::cookie-config::flask"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie",
"https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options"
],
"subcategory": [
"audit"
],
"technology": [
"python",
"flask"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$RESP = flask.make_response(...)\n...\n"
},
{
"pattern-inside": "$RESP = flask.Response(...)\n...\n"
}
]
},
{
"pattern-not": "$RESP.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...)"
},
{
"pattern-not": "$RESP.set_cookie(..., **$A)"
},
{
"pattern": "$RESP.set_cookie(...)"
}
],
"severity": "WARNING"
},
{
"fix": "True",
"id": "vendored-rules.python.flask.security.audit.flask-wtf-csrf-disabled",
"languages": [
"python"
],
"message": "Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"functional-categories": [
"web::search::csrf-config::flask",
"web::search::csrf-config::flask-wtf"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"options": {
"symbolic_propagation": true
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$APP.config[\"WTF_CSRF_ENABLED\"] = $FALSE"
},
{
"pattern": "$APP.config.WTF_CSRF_ENABLED = $FALSE"
},
{
"patterns": [
{
"pattern": "$APP.config.$UPDATE(\n ...,\n WTF_CSRF_ENABLED = $FALSE,\n ...\n)\n"
},
{
"pattern-not-inside": "$APP.config.$UPDATE(\n ...,\n TESTING=True,\n ...\n)\n"
},
{
"pattern-not-inside": "$APP.config.$UPDATE(\n ...,\n DEBUG=True,\n ...\n)\n"
},
{
"metavariable-regex": {
"metavariable": "$UPDATE",
"regex": "^(update|from_mapping)$"
}
}
]
},
{
"pattern": "$OBJ = $CLASS()\n...\n$OBJ.WTF_CSRF_ENABLED = $FALSE\n...\n$APP.config.from_object($OBJ, ...)\n"
},
{
"pattern": "WTF_CSRF_ENABLED = $FALSE\n...\n$APP.config.from_object(__name__)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$FALSE",
"regex": "^(False)$"
}
},
{
"focus-metavariable": "$FALSE"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.audit.xss.make-response-with-unknown-content",
"languages": [
"python"
],
"message": "Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11",
"https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response",
"https://flask.palletsprojects.com/en/1.1.x/api/#response-objects"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"patterns": [
{
"pattern": "flask.make_response(...)"
},
{
"pattern-not-inside": "flask.make_response()"
},
{
"pattern-not-inside": "flask.make_response(\"...\", ...)"
},
{
"pattern-not-inside": "flask.make_response({\"...\": \"...\"}, ...)"
},
{
"pattern-not-inside": "flask.make_response(flask.redirect(...), ...)"
},
{
"pattern-not-inside": "flask.make_response(flask.render_template(...), ...)"
},
{
"pattern-not-inside": "flask.make_response(flask.jsonify(...), ...)"
},
{
"pattern-not-inside": "flask.make_response(json.dumps(...), ...)"
},
{
"pattern-not-inside": "$X = flask.render_template(...)\n...\nflask.make_response($X, ...)\n"
},
{
"pattern-not-inside": "$X = flask.jsonify(...)\n...\nflask.make_response($X, ...)\n"
},
{
"pattern-not-inside": "$X = json.dumps(...)\n...\nflask.make_response($X, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.injection.csv-writer-injection",
"languages": [
"python"
],
"message": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1236: Improper Neutralization of Formula Elements in a CSV File"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/raphaelm/defusedcsv",
"https://owasp.org/www-community/attacks/CSV_Injection",
"https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities"
],
"subcategory": [
"vuln"
],
"technology": [
"python",
"flask"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$WRITER = csv.writer(...)\n\n...\n\n$WRITER.$WRITE(...)\n"
},
{
"pattern": "$WRITER.$WRITE(...)"
},
{
"metavariable-regex": {
"metavariable": "$WRITE",
"regex": "^(writerow|writerows|writeheader)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.nan-injection",
"languages": [
"python"
],
"message": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-704: Incorrect Type Conversion or Cast"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868",
"https://blog.bitdiscovery.com/2021/12/python-nan-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"not_conflicting": true,
"pattern": "$ANYTHING(...)"
}
],
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "float(...)"
},
{
"pattern": "bool(...)"
},
{
"pattern": "complex(...)"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "flask.request.$SOMETHING.get(...)"
},
{
"pattern": "flask.request.$SOMETHING[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"pattern": "$ROUTEVAR"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.os-system-injection",
"languages": [
"python"
],
"message": "User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/Command_Injection"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "os.system(...)"
},
{
"pattern-either": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n os.system(..., <... $ROUTEVAR ...>, ...)\n"
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n $INTERM = <... $ROUTEVAR ...>\n ...\n os.system(..., <... $INTERM ...>, ...)\n"
}
]
}
]
},
{
"pattern": "os.system(..., <... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "os.system(..., <... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "os.system(..., <... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "os.system(..., <... flask.request.$W ...>, ...)"
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\nos.system(<... $INTERM ...>)\n"
},
{
"pattern": "os.system(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\nos.system(<... $INTERM ...>)\n"
},
{
"pattern": "os.system(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\nos.system(<... $INTERM ...>)\n"
},
{
"pattern": "os.system(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\nos.system(<... $INTERM ...>)\n"
},
{
"pattern": "os.system(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.path-traversal-open",
"languages": [
"python"
],
"message": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "open(...)"
},
{
"pattern-either": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n open(..., <... $ROUTEVAR ...>, ...)\n"
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n with open(..., <... $ROUTEVAR ...>, ...) as $FD:\n ...\n"
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n $INTERM = <... $ROUTEVAR ...>\n ...\n open(..., <... $INTERM ...>, ...)\n"
}
]
}
]
},
{
"pattern": "open(..., <... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "open(..., <... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "open(..., <... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "open(..., <... flask.request.$W ...>, ...)"
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\nopen(<... $INTERM ...>, ...)\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\nopen(<... $INTERM ...>, ...)\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\nopen(<... $INTERM ...>, ...)\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\nopen(<... $INTERM ...>, ...)\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\nwith open(<... $INTERM ...>, ...) as $F:\n ...\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\nwith open(<... $INTERM ...>, ...) as $F:\n ...\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\nwith open(<... $INTERM ...>, ...) as $F:\n ...\n"
},
{
"pattern": "open(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\nwith open(<... $INTERM ...>, ...) as $F:\n ...\n"
},
{
"pattern": "open(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.raw-html-format",
"languages": [
"python"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "jinja2.escape(...)"
},
{
"pattern": "flask.escape(...)"
},
{
"patterns": [
{
"pattern": "flask.render_template($TPL, ...)"
},
{
"metavariable-regex": {
"metavariable": "$TPL",
"regex": ".*\\.html"
}
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$HTMLSTR\" % ..."
},
{
"pattern": "\"$HTMLSTR\".format(...)"
},
{
"pattern": "\"$HTMLSTR\" + ..."
},
{
"pattern": "f\"$HTMLSTR{...}...\""
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$HTML = \"$HTMLSTR\"\n...\n"
},
{
"pattern-either": [
{
"pattern": "$HTML % ..."
},
{
"pattern": "$HTML.format(...)"
},
{
"pattern": "$HTML + ..."
}
]
}
]
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.$ANYTHING"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"pattern": "$ROUTEVAR"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.injection.ssrf-requests",
"languages": [
"python"
],
"message": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "requests.$FUNC(...)"
},
{
"pattern-either": [
{
"pattern-inside": "@$APP.$ROUTE_METHOD($ROUTE, ...)\ndef $ROUTE_FUNC(..., $ROUTEVAR, ...):\n ...\n requests.$FUNC(..., <... $ROUTEVAR ...>, ...)\n"
},
{
"pattern-inside": "@$APP.$ROUTE_METHOD($ROUTE, ...)\ndef $ROUTE_FUNC(..., $ROUTEVAR, ...):\n ...\n $INTERM = <... $ROUTEVAR ...>\n ...\n requests.$FUNC(..., <... $INTERM ...>, ...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$ROUTE_METHOD",
"regex": "^(route|get|post|put|delete|patch)$"
}
}
]
},
{
"pattern": "requests.$FUNC(..., <... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "requests.$FUNC(..., <... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "requests.$FUNC(..., <... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "requests.$FUNC(..., <... flask.request.$W ...>, ...)"
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\nrequests.$FUNC(<... $INTERM ...>, ...)\n"
},
{
"pattern": "requests.$FUNC(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\nrequests.$FUNC(<... $INTERM ...>, ...)\n"
},
{
"pattern": "requests.$FUNC(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\nrequests.$FUNC(<... $INTERM ...>, ...)\n"
},
{
"pattern": "requests.$FUNC(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\nrequests.$FUNC(<... $INTERM ...>, ...)\n"
},
{
"pattern": "requests.$FUNC(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.subprocess-injection",
"languages": [
"python"
],
"message": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "$DICT[$KEY]"
},
{
"focus-metavariable": "$KEY"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "subprocess.$FUNC(...)"
},
{
"pattern-not": "subprocess.$FUNC(\"...\", ...)"
},
{
"pattern-not": "subprocess.$FUNC([\"...\", ...], ...)"
},
{
"pattern-not-inside": "$CMD = [\"...\", ...]\n...\nsubprocess.$FUNC($CMD, ...)\n"
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC([\"$SHELL\", \"-c\", ...], ...)"
},
{
"metavariable-regex": {
"metavariable": "$SHELL",
"regex": "^(sh|bash|ksh|csh|tcsh|zsh)$"
}
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC([\"$INTERPRETER\", ...], ...)"
},
{
"metavariable-regex": {
"metavariable": "$INTERPRETER",
"regex": "^(python|python\\d)$"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.tainted-sql-string",
"languages": [
"python"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-704: Incorrect Type Conversion or Cast"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql",
"https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm",
"https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"
],
"subcategory": [
"vuln"
],
"technology": [
"sqlalchemy",
"flask"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\" % ...\n"
},
{
"pattern": "\"$SQLSTR\".format(...)\n"
},
{
"pattern": "f\"$SQLSTR{...}...\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "\\s*(?i)(select|delete|insert|create|update|alter|drop)\\b.*"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.$ANYTHING"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"pattern": "$ROUTEVAR"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.tainted-url-host",
"languages": [
"python"
],
"message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "\"$URLSTR\" % ..."
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"patterns": [
{
"pattern-either": [
{
"pattern": "$SCHEME://%s"
},
{
"pattern": "$SCHEME://%r"
}
]
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "\"$URLSTR\".format(...)"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"pattern": "$SCHEME:// { ... }"
}
}
]
},
{
"patterns": [
{
"pattern": "\"$URLSTR\" + ..."
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
},
{
"patterns": [
{
"pattern": "f\"$URLSTR{...}...\""
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
},
{
"patterns": [
{
"pattern-inside": "$URL = \"$URLSTR\"\n...\n"
},
{
"pattern": "$URL += ..."
},
{
"metavariable-regex": {
"metavariable": "$URLSTR",
"regex": ".*://$"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.$ANYTHING"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"pattern": "$ROUTEVAR"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.injection.eval-injection",
"languages": [
"python"
],
"message": "Detected user data flowing into eval. This is code injection and should be avoided.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "eval(...)"
},
{
"pattern-either": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n eval(..., <... $ROUTEVAR ...>, ...)\n"
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n $INTERM = <... $ROUTEVAR ...>\n ...\n eval(..., <... $INTERM ...>, ...)\n"
}
]
}
]
},
{
"pattern": "eval(..., <... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "eval(..., <... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "eval(..., <... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "eval(..., <... flask.request.$W ...>, ...)"
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\neval(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "eval(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\neval(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "eval(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\neval(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "eval(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\neval(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "eval(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.injection.exec-injection",
"languages": [
"python"
],
"message": "Detected user data flowing into exec. This is code injection and should be avoided.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html"
],
"subcategory": [
"vuln"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern": "exec(...)"
},
{
"pattern-either": [
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n exec(..., <... $ROUTEVAR ...>, ...)\n"
},
{
"pattern-inside": "@$APP.route($ROUTE, ...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n $INTERM = <... $ROUTEVAR ...>\n ...\n exec(..., <... $INTERM ...>, ...)\n"
}
]
}
]
},
{
"pattern": "exec(..., <... flask.request.$W.get(...) ...>, ...)"
},
{
"pattern": "exec(..., <... flask.request.$W[...] ...>, ...)"
},
{
"pattern": "exec(..., <... flask.request.$W(...) ...>, ...)"
},
{
"pattern": "exec(..., <... flask.request.$W ...>, ...)"
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W.get(...) ...>\n...\nexec(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "exec(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W[...] ...>\n...\nexec(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "exec(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W(...) ...>\n...\nexec(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "exec(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$INTERM = <... flask.request.$W ...>\n...\nexec(..., <... $INTERM ...>, ...)\n"
},
{
"pattern": "exec(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.flask.security.xss.audit.direct-use-of-jinja2",
"languages": [
"python"
],
"message": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://jinja.palletsprojects.com/en/2.11.x/api/#basics"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "jinja2.Environment(...)"
},
{
"pattern": "jinja2.Template.render(...)"
},
{
"patterns": [
{
"pattern-inside": "$TEMPLATE = $ENV.get_template(...)\n...\n"
},
{
"pattern": "$TEMPLATE.render(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$TEMPLATE = jinja2.Template(...)\n...\n"
},
{
"pattern": "$TEMPLATE.render(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.xss.audit.explicit-unescape-with-markup",
"languages": [
"python"
],
"message": "Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://tedboy.github.io/flask/generated/generated/flask.Markup.html"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"pattern-either": [
{
"pattern": "flask.Markup.unescape(...)"
},
{
"pattern": "$MARKUPOBJ.unescape()"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.Markup($Q)"
},
{
"pattern": "markupsafe.Markup($Q)"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$Q",
"patterns": [
{
"pattern-not": "\"...\""
}
]
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.xss.audit.template-autoescape-off",
"languages": [
"regex"
],
"message": "Detected a segment of a Flask template where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping",
"https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"paths": {
"include": [
"*.html"
]
},
"pattern-regex": "{%\\s*autoescape\\s+false\\s*%}",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.flask.security.xss.audit.template-unescaped-with-safe",
"languages": [
"regex"
],
"message": "Detected a segment of a Flask template where autoescaping is explicitly disabled with '| safe' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"paths": {
"include": [
"*.html"
]
},
"pattern-regex": "{{.*?\\|\\s*safe(\\s*}})?",
"severity": "WARNING"
},
{
"fix": "=\"{{$...VAR}}\"\n",
"id": "vendored-rules.python.flask.security.xss.audit.template-unquoted-attribute-var",
"languages": [
"generic"
],
"message": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ $...VAR }}\".",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"
],
"subcategory": [
"audit"
],
"technology": [
"flask"
]
},
"paths": {
"include": [
"*.html",
"*.py"
]
},
"patterns": [
{
"pattern": "={{$...VAR}}"
},
{
"pattern-inside": "<$TAG ... >\n"
},
{
"metavariable-pattern": {
"metavariable": "$...VAR",
"pattern-either": [
{
"pattern": "request.$VALUE.get(...)\n"
},
{
"pattern": "request.$VALUE['...']\n"
},
{
"patterns": [
{
"pattern": "$REQ"
},
{
"pattern-either": [
{
"pattern-inside": "$REQ = request.$VALUE.get(...)\n... \n"
},
{
"pattern-inside": "$REQ = request.$VALUE['...']\n... \n"
}
]
}
]
}
]
}
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.jinja2.security.audit.incorrect-autoescape-disabled",
"languages": [
"python"
],
"message": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://jinja.palletsprojects.com/en/2.11.x/api/#basics"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html",
"subcategory": [
"vuln"
],
"technology": [
"jinja2"
]
},
"patterns": [
{
"pattern": "jinja2.Environment(... , autoescape=$VAL, ...)"
},
{
"pattern-not": "jinja2.Environment(... , autoescape=True, ...)"
},
{
"pattern-not": "jinja2.Environment(... , autoescape=jinja2.select_autoescape(...), ...)"
},
{
"focus-metavariable": "$VAL"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)\\)",
"replacement": "\\1, autoescape=True)"
},
"id": "vendored-rules.python.jinja2.security.audit.missing-autoescape-disabled",
"languages": [
"python"
],
"message": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://jinja.palletsprojects.com/en/2.11.x/api/#basics"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html",
"subcategory": [
"vuln"
],
"technology": [
"jinja2"
]
},
"patterns": [
{
"pattern-not": "jinja2.Environment(..., autoescape=$VAL, ...)"
},
{
"pattern": "jinja2.Environment(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.jwt.security.jwt-python-exposed-credentials",
"languages": [
"python"
],
"message": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://cwe.mitre.org/data/definitions/522.html"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"pattern-either": [
{
"pattern": "jwt.encode({...,\"password\":$P,...},...)\n"
},
{
"pattern": "$PAYLOAD = {...,\"password\":$P,...}\n...\njwt.encode($PAYLOAD,...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.jwt.security.jwt-python-hardcoded-secret",
"languages": [
"python"
],
"message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/"
],
"subcategory": [
"vuln"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern": "jwt.encode($X, $SECRET, ...)\n"
},
{
"focus-metavariable": "$SECRET"
},
{
"pattern": "\"...\"\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.jwt.security.jwt-python-none-alg",
"languages": [
"python"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"vuln"
],
"technology": [
"jwt"
]
},
"pattern-either": [
{
"pattern": "jwt.encode(...,algorithm=\"none\",...)\n"
},
{
"pattern": "jwt.decode(...,algorithms=[...,\"none\",...],...)"
}
],
"severity": "ERROR"
},
{
"fix": "True\n",
"id": "vendored-rules.python.jwt.security.unverified-jwt-decode",
"languages": [
"python"
],
"message": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-287: Improper Authentication"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2017 - Broken Authentication",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96"
],
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "jwt.decode(..., options={..., \"verify_signature\": $BOOL, ...}, ...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$BOOL",
"pattern": "False\n"
}
},
{
"focus-metavariable": "$BOOL"
}
]
},
{
"patterns": [
{
"pattern": "$OPTS = {..., \"verify_signature\": $BOOL, ...}\n...\njwt.decode(..., options=$OPTS, ...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$BOOL",
"pattern": "False\n"
}
},
{
"focus-metavariable": "$BOOL"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.jwt.security.audit.jwt-python-exposed-data",
"languages": [
"python"
],
"message": "The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "def $FUNC(...,$INPUT,...):\n ...\n"
},
{
"pattern": "jwt.encode($INPUT,...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.dangerous-interactive-code-run",
"languages": [
"python"
],
"message": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$X = code.InteractiveConsole(...)\n...\n"
},
{
"pattern-inside": "$X = code.InteractiveInterpreter(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$X.push($PAYLOAD,...)\n"
},
{
"pattern": "$X.runsource($PAYLOAD,...)\n"
},
{
"pattern": "$X.runcode(code.compile_command($PAYLOAD),...)\n"
},
{
"pattern": "$PL = code.compile_command($PAYLOAD,...)\n...\n$X.runcode($PL,...)\n"
}
]
},
{
"focus-metavariable": "$PAYLOAD"
},
{
"pattern-not": "$X.push(\"...\",...)\n"
},
{
"pattern-not": "$X.runsource(\"...\",...)\n"
},
{
"pattern-not": "$X.runcode(code.compile_command(\"...\"),...)\n"
},
{
"pattern-not": "$PL = code.compile_command(\"...\",...)\n...\n$X.runcode($PL,...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.dangerous-globals-use",
"languages": [
"python"
],
"message": "Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "globals().get(...)"
},
{
"pattern": "locals().get(...)"
},
{
"pattern": "globals()[...]"
},
{
"pattern": "locals()[...]"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$G = globals()\n...\n"
},
{
"pattern-inside": "$G = locals()\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$G.get(...)"
},
{
"pattern": "$G[...]"
}
]
}
]
},
{
"pattern": "$FUNC.__globals__[...]"
}
]
},
{
"pattern-not": "globals().get(\"...\")"
},
{
"pattern-not": "locals().get(\"...\")"
},
{
"pattern-not": "globals()[\"...\"]"
},
{
"pattern-not": "locals()[\"...\"]"
},
{
"pattern-not": "$G.get(\"...\")"
},
{
"pattern-not": "$G.get[\"...\"]"
},
{
"pattern-not": "$G[\"...\"]"
},
{
"pattern-not": "$FUNC.__globals__[\"...\"]"
},
{
"pattern-not-inside": "globals()[...] = ..."
},
{
"pattern-not-inside": "locals()[...] = ..."
},
{
"pattern-not-inside": "$G[...] = ..."
},
{
"pattern-not-inside": "$FUNC.__globals__[...] = ..."
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.dangerous-os-exec",
"languages": [
"python"
],
"message": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", ...)"
},
{
"pattern": "os.$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", [$PATH,\"...\",\"...\",...],...)"
},
{
"pattern-inside": "os.$METHOD($BASH,[$PATH,\"-c\",$CMD,...],...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execv|execve|execvp|execvpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", $PATH, \"...\", \"...\",...)"
},
{
"pattern-inside": "os.$METHOD($BASH, $PATH, \"-c\", $CMD,...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.dangerous-spawn-process",
"languages": [
"python"
],
"message": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $CMD, ...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", [\"...\",\"...\",...], ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $BASH, [\"-c\",$CMD,...],...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", \"...\", \"...\", ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $BASH, \"-c\", $CMD,...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"pattern": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ['$ANYTHING']"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb['$ANYTHING']"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv[...]"
},
{
"pattern": "sys.orig_argv[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.dangerous-subinterpreters-run-string",
"languages": [
"python"
],
"message": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://bugs.python.org/issue43472",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern": "_xxsubinterpreters.run_string($ID, $PAYLOAD, ...)\n"
},
{
"pattern-not": "_xxsubinterpreters.run_string($ID, \"...\", ...)\n"
},
{
"focus-metavariable": "$PAYLOAD"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.dangerous-subprocess-use",
"languages": [
"python"
],
"message": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess",
"https://docs.python.org/3/library/subprocess.html",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"...\", ...)"
},
{
"pattern-not": "subprocess.$FUNC([\"...\",...], ...)"
},
{
"pattern-not": "subprocess.$FUNC((\"...\",...), ...)"
},
{
"pattern-not": "subprocess.CalledProcessError(...)"
},
{
"pattern-not": "subprocess.SubprocessError(...)"
},
{
"pattern": "subprocess.$FUNC($CMD, ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...)"
},
{
"pattern": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...),...)"
},
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD], ...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD), ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"=~/(python)/\",\"...\",...)"
},
{
"pattern": "subprocess.$FUNC(\"=~/(python)/\", $CMD)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC([\"=~/(python)/\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(python)/\",\"...\",...),...)"
},
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(python)/\", $CMD],...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(python)/\", $CMD),...)"
}
]
}
]
}
]
},
{
"focus-metavariable": "$CMD"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.dangerous-system-call",
"languages": [
"python"
],
"message": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-not": "os.$W(\"...\", ...)"
},
{
"pattern-either": [
{
"pattern": "os.system(...)"
},
{
"pattern": "getattr(os, \"system\")(...)"
},
{
"pattern": "__import__(\"os\").system(...)"
},
{
"pattern": "getattr(__import__(\"os\"), \"system\")(...)"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$X.system(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\ngetattr($X, \"system\")(...)\n"
},
{
"pattern": "$X = getattr(os, \"system\")\n...\n$X(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$Y = getattr($X, \"system\")\n...\n$Y(...)\n"
},
{
"pattern": "os.popen(...)"
},
{
"pattern": "os.popen2(...)"
},
{
"pattern": "os.popen3(...)"
},
{
"pattern": "os.popen4(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.dangerous-testcapi-run-in-subinterp",
"languages": [
"python"
],
"message": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "_testcapi.run_in_subinterp($PAYLOAD, ...)\n"
},
{
"pattern": "test.support.run_in_subinterp($PAYLOAD, ...)\n"
}
]
},
{
"focus-metavariable": "$PAYLOAD"
},
{
"pattern-not": "_testcapi.run_in_subinterp(\"...\", ...)\n"
},
{
"pattern-not": "test.support.run_in_subinterp(\"...\", ...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "flask.request.form.get(...)"
},
{
"pattern": "flask.request.form[...]"
},
{
"pattern": "flask.request.args.get(...)"
},
{
"pattern": "flask.request.args[...]"
},
{
"pattern": "flask.request.values.get(...)"
},
{
"pattern": "flask.request.values[...]"
},
{
"pattern": "flask.request.cookies.get(...)"
},
{
"pattern": "flask.request.cookies[...]"
},
{
"pattern": "flask.request.stream"
},
{
"pattern": "flask.request.headers.get(...)"
},
{
"pattern": "flask.request.headers[...]"
},
{
"pattern": "flask.request.data"
},
{
"pattern": "flask.request.full_path"
},
{
"pattern": "flask.request.url"
},
{
"pattern": "flask.request.json"
},
{
"pattern": "flask.request.get_json()"
},
{
"pattern": "flask.request.view_args.get(...)"
},
{
"pattern": "flask.request.view_args[...]"
},
{
"patterns": [
{
"pattern-inside": "@$APP.route(...)\ndef $FUNC(..., $ROUTEVAR, ...):\n ...\n"
},
{
"focus-metavariable": "$ROUTEVAR"
}
]
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(request, ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "request.$PROPERTY.get(...)"
},
{
"pattern": "request.$PROPERTY[...]"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@rest_framework.decorators.api_view(...)\ndef $FUNC($REQ, ...):\n ...\n"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $VIEW(..., rest_framework.views.APIView, ...):\n ...\n"
},
{
"pattern-inside": "class $VIEW(..., rest_framework.generics.GenericAPIView, ...):\n ... \n"
}
]
},
{
"pattern-inside": "def $METHOD(self, $REQ, ...):\n ...\n"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(get|post|put|patch|delete|head)"
}
}
]
}
]
},
{
"pattern-either": [
{
"pattern": "$REQ.POST.get(...)"
},
{
"pattern": "$REQ.POST[...]"
},
{
"pattern": "$REQ.FILES.get(...)"
},
{
"pattern": "$REQ.FILES[...]"
},
{
"pattern": "$REQ.DATA.get(...)"
},
{
"pattern": "$REQ.DATA[...]"
},
{
"pattern": "$REQ.QUERY_PARAMS.get(...)"
},
{
"pattern": "$REQ.QUERY_PARAMS[...]"
},
{
"pattern": "$REQ.data.get(...)"
},
{
"pattern": "$REQ.data[...]"
},
{
"pattern": "$REQ.query_params.get(...)"
},
{
"pattern": "$REQ.query_params[...]"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.content_type"
},
{
"pattern": "$REQ.stream"
},
{
"pattern": "$REQ.stream"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "class $SERVER(..., http.server.BaseHTTPRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.StreamRequestHandler, ...):\n ...\n"
},
{
"pattern-inside": "class $SERVER(..., http.server.DatagramRequestHandler, ...):\n ...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "self.requestline"
},
{
"pattern": "self.path"
},
{
"pattern": "self.headers[...]"
},
{
"pattern": "self.headers.get(...)"
},
{
"pattern": "self.rfile"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.insecure-hash-algorithm-md5",
"languages": [
"python"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"asvs": {
"control_id": "6.2.2 Insecure Custom Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"bandit-code": "B303",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "hashlib.md5(...)"
},
{
"pattern-not": "hashlib.md5(..., usedforsecurity=False, ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "sha1",
"replacement": "sha256"
},
"id": "vendored-rules.python.lang.security.insecure-hash-algorithm-sha1",
"languages": [
"python"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"asvs": {
"control_id": "6.2.2 Insecure Custom Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"bandit-code": "B303",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"pattern": "hashlib.sha1(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.insecure-hash-function",
"languages": [
"python"
],
"message": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead.",
"metadata": {
"asvs": {
"control_id": "6.2.2 Insecure Custom Algorithm",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc6151",
"https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/hashlib_new_insecure_functions.py",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "hashlib.new(\"=~/[M|m][D|d][4|5]/\", ...)"
},
{
"pattern": "hashlib.new(..., name=\"=~/[M|m][D|d][4|5]/\", ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "uuid1",
"replacement": "uuid4"
},
"id": "vendored-rules.python.lang.security.insecure-uuid-version",
"languages": [
"python"
],
"message": "Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.",
"metadata": {
"asvs": {
"control_id": "6.3.2 Insecure UUID Generation",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values",
"section": "V6 Stored Cryptography Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-330: Use of Insufficiently Random Values"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.landh.tech/blog/20230811-sandwich-attack/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "uuid.uuid1(...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "_create_unverified_context",
"replacement": "create_default_context"
},
"id": "vendored-rules.python.lang.security.unverified-ssl-context",
"languages": [
"python"
],
"message": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.python.org/3/library/ssl.html#ssl-security",
"https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "ssl._create_unverified_context(...)"
},
{
"pattern": "ssl._create_default_https_context = ssl._create_unverified_context"
}
]
}
],
"severity": "ERROR"
},
{
"fix": "defusedxml.etree.ElementTree.parse($...ARGS)",
"id": "vendored-rules.python.lang.security.use-defused-xml-parse",
"languages": [
"python"
],
"message": "The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://docs.python.org/3/library/xml.html",
"https://github.com/tiran/defusedxml",
"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "xml.etree.ElementTree.parse($...ARGS)"
},
{
"pattern-not": "xml.etree.ElementTree.parse(\"...\")"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.use-defused-xml",
"languages": [
"python"
],
"message": "The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://docs.python.org/3/library/xml.html",
"https://github.com/tiran/defusedxml",
"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern": "import xml",
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.use-defused-xmlrpc",
"languages": [
"python"
],
"message": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://pypi.org/project/defusedxml/",
"https://docs.python.org/3/library/xml.html#xml-vulnerabilities"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "import xmlrpclib"
},
{
"pattern": "import SimpleXMLRPCServer"
},
{
"pattern": "import xmlrpc"
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "csv",
"replacement": "defusedcsv"
},
"id": "vendored-rules.python.lang.security.use-defusedcsv",
"languages": [
"python"
],
"message": "Detected the generation of a CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1236: Improper Neutralization of Formula Elements in a CSV File"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/raphaelm/defusedcsv",
"https://owasp.org/www-community/attacks/CSV_Injection",
"https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "csv.writer(...)"
},
{
"pattern-not": "defusedcsv.writer(...)"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.lang.security.audit.multiprocessing-recv",
"languages": [
"python"
],
"message": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "multiprocessing.connection.Connection.recv(...)"
},
{
"pattern": "multiprocessing.connection.Client.recv(...)"
},
{
"pattern": "$C = multiprocessing.connection.Client(...)\n...\n$C.recv(...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-annotations-usage",
"languages": [
"python"
],
"message": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/typing.html#typing.get_type_hints"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "$C.__annotations__[$NAME] = $X\n"
},
{
"pattern-not": "$C.__annotations__[$NAME] = \"...\"\n"
},
{
"pattern-not": "$C.__annotations__[$NAME] = typing.$Y\n"
},
{
"metavariable-regex": {
"metavariable": "$X",
"regex": "(?!(int|float|complex|list|tuple|range|str|bytes|bytearray|memoryview|set|frozenset|dict))"
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-create-exec-audit",
"languages": [
"python"
],
"message": "Detected 'create_subprocess_exec' function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, \"...\", ...)"
},
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, [\"...\",...], ...)"
},
{
"pattern": "asyncio.create_subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, \"...\", ...)"
},
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, [\"...\",...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args",
"languages": [
"python"
],
"message": "Detected 'create_subprocess_exec' function with user controlled data. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, \"...\", ...)"
},
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, [\"...\",...], ...)"
},
{
"pattern": "asyncio.create_subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "asyncio.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, \"...\", ...)"
},
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, [\"...\",...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "asyncio.subprocess.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_exec($PROG, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-exec-audit",
"languages": [
"python"
],
"message": "Detected subprocess function '$LOOP.subprocess_exec' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, \"...\", ...)"
},
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, [\"...\",...], ...)"
},
{
"pattern": "$LOOP.subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args",
"languages": [
"python"
],
"message": "Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, \"...\", ...)"
},
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, [\"...\",...], ...)"
},
{
"pattern": "$LOOP.subprocess_exec(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, \"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\",...)"
}
]
},
{
"patterns": [
{
"pattern-not": "$LOOP.subprocess_exec($PROTOCOL, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", \"...\", ...], ...)"
},
{
"pattern": "$LOOP.subprocess_exec($PROTOCOL, [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...], ...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-shell-audit",
"languages": [
"python"
],
"message": "Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$LOOP.subprocess_shell($PROTOCOL, $CMD)"
},
{
"pattern": "asyncio.subprocess.create_subprocess_shell($CMD, ...)"
},
{
"pattern": "asyncio.create_subprocess_shell($CMD, ...)"
}
]
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-not": "$LOOP.subprocess_shell($PROTOCOL, \"...\")"
},
{
"pattern-not": "asyncio.subprocess.create_subprocess_shell(\"...\", ...)"
},
{
"pattern-not": "asyncio.create_subprocess_shell(\"...\", ...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args",
"languages": [
"python"
],
"message": "Detected asyncio subprocess function with user controlled data. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/asyncio-subprocess.html",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$LOOP.subprocess_shell($PROTOCOL, $CMD)"
},
{
"pattern-inside": "asyncio.subprocess.create_subprocess_shell($CMD, ...)"
},
{
"pattern-inside": "asyncio.create_subprocess_shell($CMD, ...)"
}
]
},
{
"focus-metavariable": "$CMD"
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-not": "$LOOP.subprocess_shell($PROTOCOL, \"...\")"
},
{
"pattern-not": "asyncio.subprocess.create_subprocess_shell(\"...\", ...)"
},
{
"pattern-not": "asyncio.create_subprocess_shell(\"...\", ...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-interactive-code-run-audit",
"languages": [
"python"
],
"message": "Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X.push($PAYLOAD,...)\n"
},
{
"pattern": "$X.runsource($PAYLOAD,...)\n"
},
{
"pattern": "$X.runcode(code.compile_command($PAYLOAD),...)\n"
},
{
"pattern": "$PL = code.compile_command($PAYLOAD,...)\n...\n$X.runcode($PL,...)\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$X = code.InteractiveConsole(...)\n...\n"
},
{
"pattern-inside": "$X = code.InteractiveInterpreter(...)\n...\n"
}
]
},
{
"pattern-not": "$X.push(\"...\",...)\n"
},
{
"pattern-not": "$X.runsource(\"...\",...)\n"
},
{
"pattern-not": "$X.runcode(code.compile_command(\"...\"),...)\n"
},
{
"pattern-not": "$PL = code.compile_command(\"...\",...)\n...\n$X.runcode($PL,...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-interactive-code-run-tainted-env-args",
"languages": [
"python"
],
"message": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$X = code.InteractiveConsole(...)\n...\n"
},
{
"pattern-inside": "$X = code.InteractiveInterpreter(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$X.push($PAYLOAD,...)\n"
},
{
"pattern-inside": "$X.runsource($PAYLOAD,...)\n"
},
{
"pattern-inside": "$X.runcode(code.compile_command($PAYLOAD),...)\n"
},
{
"pattern-inside": "$PL = code.compile_command($PAYLOAD,...)\n...\n$X.runcode($PL,...)\n"
}
]
},
{
"pattern": "$PAYLOAD"
},
{
"pattern-not": "$X.push(\"...\",...)\n"
},
{
"pattern-not": "$X.runsource(\"...\",...)\n"
},
{
"pattern-not": "$X.runcode(code.compile_command(\"...\"),...)\n"
},
{
"pattern-not": "$PL = code.compile_command(\"...\",...)\n...\n$X.runcode($PL,...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-os-exec-audit",
"languages": [
"python"
],
"message": "Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", ...)"
},
{
"pattern": "os.$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", [$PATH,\"...\",\"...\",...],...)"
},
{
"pattern": "os.$METHOD($BASH,[$PATH,\"-c\",$CMD,...],...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execv|execve|execvp|execvpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", $PATH, \"...\", \"...\",...)"
},
{
"pattern": "os.$METHOD($BASH, $PATH, \"-c\", $CMD,...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-os-exec-tainted-env-args",
"languages": [
"python"
],
"message": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", ...)"
},
{
"pattern": "os.$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe|execv|execve|execvp|execvpe)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", [$PATH,\"...\",\"...\",...],...)"
},
{
"pattern-inside": "os.$METHOD($BASH,[$PATH,\"-c\",$CMD,...],...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execv|execve|execvp|execvpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD(\"...\", $PATH, \"...\", \"...\",...)"
},
{
"pattern-inside": "os.$METHOD($BASH, $PATH, \"-c\", $CMD,...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(execl|execle|execlp|execlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-spawn-process-audit",
"languages": [
"python"
],
"message": "Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", ...)"
},
{
"pattern": "os.$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", [\"...\",\"...\",...], ...)"
},
{
"pattern": "os.$METHOD($MODE, $BASH, [\"-c\",$CMD,...],...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", \"...\", \"...\", ...)"
},
{
"pattern": "os.$METHOD($MODE, $BASH, \"-c\", $CMD,...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-spawn-process-tainted-env-args",
"languages": [
"python"
],
"message": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $CMD, ...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", [\"...\",\"...\",...], ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $BASH, [\"-c\",$CMD,...],...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
},
{
"patterns": [
{
"pattern-not": "os.$METHOD($MODE, \"...\", \"...\", \"...\", ...)"
},
{
"pattern-inside": "os.$METHOD($MODE, $BASH, \"-c\", $CMD,...)"
},
{
"pattern": "$CMD"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(spawnl|spawnle|spawnlp|spawnlpe)"
}
},
{
"metavariable-regex": {
"metavariable": "$BASH",
"regex": "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-subinterpreters-run-string-audit",
"languages": [
"python"
],
"message": "Found dynamic content in `run_string`. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://bugs.python.org/issue43472",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "_xxsubinterpreters.run_string($ID, $PAYLOAD, ...)\n"
},
{
"pattern-not": "_xxsubinterpreters.run_string($ID, \"...\", ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args",
"languages": [
"python"
],
"message": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://bugs.python.org/issue43472",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "_xxsubinterpreters.run_string($ID, $PAYLOAD, ...)\n"
},
{
"pattern-not": "_xxsubinterpreters.run_string($ID, \"...\", ...)\n"
},
{
"pattern": "$PAYLOAD"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-subprocess-use-audit",
"languages": [
"python"
],
"message": "Detected subprocess function '$FUNC' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess",
"https://docs.python.org/3/library/subprocess.html",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"...\", ...)"
},
{
"pattern-not": "subprocess.$FUNC([\"...\",...], ...)"
},
{
"pattern-not": "subprocess.$FUNC((\"...\",...), ...)"
},
{
"pattern-not": {
"patterns": [
{
"pattern-not-inside": "$ARR = [\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\", \"-c\", ...]\n...\n"
},
{
"pattern-inside": "$ARR = [...]\n...\n"
},
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC(*$ARR, ...)"
},
{
"pattern": "subprocess.$FUNC([*$ARR, ...])"
}
]
}
]
}
},
{
"pattern-not": "subprocess.CalledProcessError(...)"
},
{
"pattern-not": "subprocess.SubprocessError(...)"
},
{
"pattern": "subprocess.$FUNC(...)"
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",...)"
},
{
"pattern-not": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",...],...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",...),...)"
}
]
},
{
"pattern-not": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...),...)"
}
]
},
{
"patterns": [
{
"pattern": "subprocess.$FUNC(\"=~/(python)/\",...)"
},
{
"pattern-not": "subprocess.$FUNC(\"=~/(python)/\",\"...\",...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(python)/\",...],...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(python)/\",...),...)"
}
]
},
{
"pattern-not": "subprocess.$FUNC([\"=~/(python)/\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(python)/\",\"...\",...),...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-subprocess-use-tainted-env-args",
"languages": [
"python"
],
"message": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.",
"metadata": {
"asvs": {
"control_id": "5.3.8 OS Command Injection",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess",
"https://docs.python.org/3/library/subprocess.html",
"https://docs.python.org/3/library/shlex.html",
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sanitizers": [
{
"pattern": "shlex.quote(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"...\", ...)"
},
{
"pattern-not": "subprocess.$FUNC([\"...\",...], ...)"
},
{
"pattern-not": "subprocess.$FUNC((\"...\",...), ...)"
},
{
"pattern-not": "subprocess.CalledProcessError(...)"
},
{
"pattern-not": "subprocess.SubprocessError(...)"
},
{
"pattern": "subprocess.$FUNC($CMD, ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...)"
},
{
"pattern": "subprocess.$FUNC(\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\",\"...\",...),...)"
},
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD], ...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(sh|bash|ksh|csh|tcsh|zsh)/\",\"-c\", $CMD), ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC(\"=~/(python)/\",\"...\",...)"
},
{
"pattern": "subprocess.$FUNC(\"=~/(python)/\", $CMD)"
}
]
},
{
"patterns": [
{
"pattern-not": "subprocess.$FUNC([\"=~/(python)/\",\"...\",...],...)"
},
{
"pattern-not": "subprocess.$FUNC((\"=~/(python)/\",\"...\",...),...)"
},
{
"pattern-either": [
{
"pattern": "subprocess.$FUNC([\"=~/(python)/\", $CMD],...)"
},
{
"pattern": "subprocess.$FUNC((\"=~/(python)/\", $CMD),...)"
}
]
}
]
}
]
},
{
"focus-metavariable": "$CMD"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-system-call-audit",
"languages": [
"python"
],
"message": "Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-not": "os.$W(\"...\", ...)"
},
{
"pattern-either": [
{
"pattern": "os.system(...)"
},
{
"pattern": "getattr(os, \"system\")(...)"
},
{
"pattern": "__import__(\"os\").system(...)"
},
{
"pattern": "getattr(__import__(\"os\"), \"system\")(...)"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$X.system(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\ngetattr($X, \"system\")(...)\n"
},
{
"pattern": "$X = getattr(os, \"system\")\n...\n$X(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$Y = getattr($X, \"system\")\n...\n$Y(...)\n"
},
{
"pattern": "os.popen(...)"
},
{
"pattern": "os.popen2(...)"
},
{
"pattern": "os.popen3(...)"
},
{
"pattern": "os.popen4(...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-system-call-tainted-env-args",
"languages": [
"python"
],
"message": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html",
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-not": "os.$W(\"...\", ...)"
},
{
"pattern-either": [
{
"pattern": "os.system(...)"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$X.system(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\ngetattr($X, \"system\")(...)\n"
},
{
"pattern": "$X = getattr(os, \"system\")\n...\n$X(...)\n"
},
{
"pattern": "$X = __import__(\"os\")\n...\n$Y = getattr($X, \"system\")\n...\n$Y(...)\n"
},
{
"pattern": "os.popen(...)"
},
{
"pattern": "os.popen2(...)"
},
{
"pattern": "os.popen3(...)"
},
{
"pattern": "os.popen4(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-testcapi-run-in-subinterp-audit",
"languages": [
"python"
],
"message": "Found dynamic content in `run_in_subinterp`. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "_testcapi.run_in_subinterp($PAYLOAD, ...)\n"
},
{
"pattern": "test.support.run_in_subinterp($PAYLOAD, ...)\n"
}
]
},
{
"pattern-not": "_testcapi.run_in_subinterp(\"...\", ...)\n"
},
{
"pattern-not": "test.support.run_in_subinterp(\"...\", ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args",
"languages": [
"python"
],
"message": "Found user controlled content in `run_in_subinterp`. This is dangerous because it allows a malicious actor to run arbitrary Python code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://semgrep.dev/docs/cheat-sheets/python-command-injection/"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "_testcapi.run_in_subinterp($PAYLOAD, ...)\n"
},
{
"pattern-inside": "test.support.run_in_subinterp($PAYLOAD, ...)\n"
}
]
},
{
"pattern": "$PAYLOAD"
},
{
"pattern-not": "_testcapi.run_in_subinterp(\"...\", ...)\n"
},
{
"pattern-not": "test.support.run_in_subinterp(\"...\", ...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "os.environ"
},
{
"pattern": "os.environ.get('$FOO', ...)"
},
{
"pattern": "os.environb"
},
{
"pattern": "os.environb.get('$FOO', ...)"
},
{
"pattern": "os.getenv('$ANYTHING', ...)"
},
{
"pattern": "os.getenvb('$ANYTHING', ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "sys.argv"
},
{
"pattern": "sys.orig_argv"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = argparse.ArgumentParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-inside": "$PARSER = optparse.OptionParser(...)\n...\n"
},
{
"pattern-inside": "$ARGS = $PARSER.parse_args()\n"
},
{
"pattern": "<... $ARGS ...>"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPTS, $ARGS = getopt.getopt(...)\n...\n"
},
{
"pattern-inside": "$OPTS, $ARGS = getopt.gnu_getopt(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "for $O, $A in $OPTS:\n ...\n"
},
{
"pattern": "$A"
}
]
},
{
"pattern": "$ARGS"
}
]
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.dynamic-urllib-use-detected",
"languages": [
"python"
],
"message": "Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dynamic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"bandit-code": "B310",
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-939: Improper Authorization in Handler for Custom URL Scheme"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A01:2017 - Injection",
"references": [
"https://cwe.mitre.org/data/definitions/939.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-not": "urllib.$W(\"...\")"
},
{
"pattern-not": "urllib.request.$W(\"...\")"
},
{
"pattern-not": "$OPENER.$W(\"...\")"
},
{
"pattern-either": [
{
"pattern": "urllib.urlopen(...)"
},
{
"pattern": "urllib.request.urlopen(...)"
},
{
"pattern": "urllib.urlretrieve(...)"
},
{
"pattern": "urllib.request.urlretrieve(...)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$OPENER = urllib.URLopener(...)\n...\n"
},
{
"pattern-inside": "$OPENER = urllib.request.URLopener(...)\n...\n"
},
{
"pattern-inside": "$OPENER = urllib.FancyURLopener(...)\n...\n"
},
{
"pattern-inside": "$OPENER = urllib.request.FancyURLopener(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$OPENER.open(...)"
},
{
"pattern": "$OPENER.retrieve(...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.eval-detected",
"languages": [
"python"
],
"message": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-not": "eval(f\"\")"
},
{
"pattern-not": "eval(\"...\")"
},
{
"pattern": "eval(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.exec-detected",
"languages": [
"python"
],
"message": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.",
"metadata": {
"asvs": {
"control_id": "5.2.4 Dyanmic Code Execution Features",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements",
"section": "V5: Validation, Sanitization and Encoding Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b102_exec_used.html",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-not": "exec(\"...\")"
},
{
"pattern": "exec(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.formatted-sql-query",
"languages": [
"python"
],
"message": "Detected possible formatted SQL query. Use parameterized queries instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/775296/mysql-parameterized-queries"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "$DB.execute(\"...\" % ...)"
},
{
"pattern": "$DB.execute(\"...\".format(...))"
},
{
"pattern": "$DB.execute(f\"...\")"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$SQL = \"...\" % ...\n...\n"
},
{
"pattern-inside": "$SQL = \"...\".format(...)\n...\n"
},
{
"pattern-inside": "$SQL = f\"...{$X}...\"\n...\n"
}
]
},
{
"pattern": "$DB.execute($SQL)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.hardcoded-password-default-argument",
"languages": [
"python"
],
"message": "Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "def $FUNC(..., password=\"...\", ...):\n ...\n"
},
{
"pattern-not": "def $FUNC(..., password=\"\", ...):\n ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.httpsconnection-detected",
"languages": [
"python"
],
"message": "The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "httplib.HTTPSConnection(...)"
},
{
"pattern": "http.client.HTTPSConnection(...)"
},
{
"pattern": "six.moves.http_client.HTTPSConnection(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-file-permissions",
"languages": [
"python"
],
"message": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-276: Incorrect Default Permissions"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-inside": "os.$METHOD(...)"
},
{
"metavariable-pattern": {
"metavariable": "$METHOD",
"patterns": [
{
"pattern-either": [
{
"pattern": "chmod"
},
{
"pattern": "lchmod"
},
{
"pattern": "fchmod"
}
]
}
]
}
},
{
"pattern-either": [
{
"patterns": [
{
"pattern": "os.$METHOD($FILE, $BITS, ...)"
},
{
"metavariable-comparison": {
"comparison": "$BITS >= 0o650 and $BITS < 0o100000",
"metavariable": "$BITS"
}
}
]
},
{
"patterns": [
{
"pattern": "os.$METHOD($FILE, $BITS)"
},
{
"metavariable-comparison": {
"comparison": "$BITS >= 0o100650",
"metavariable": "$BITS"
}
}
]
},
{
"patterns": [
{
"pattern": "os.$METHOD($FILE, $BITS, ...)"
},
{
"metavariable-pattern": {
"metavariable": "$BITS",
"patterns": [
{
"pattern-either": [
{
"pattern": "<... stat.S_IWGRP ...>"
},
{
"pattern": "<... stat.S_IXGRP ...>"
},
{
"pattern": "<... stat.S_IWOTH ...>"
},
{
"pattern": "<... stat.S_IXOTH ...>"
},
{
"pattern": "<... stat.S_IRWXO ...>"
},
{
"pattern": "<... stat.S_IRWXG ...>"
}
]
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "os.$METHOD($FILE, $EXPR | $MOD, ...)"
},
{
"metavariable-comparison": {
"comparison": "$MOD == 0o111",
"metavariable": "$MOD"
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.mako-templates-detected",
"languages": [
"python"
],
"message": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping",
"https://jinja.palletsprojects.com/en/2.11.x/intro/#"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py",
"subcategory": [
"audit"
],
"technology": [
"mako"
]
},
"pattern": "mako.template.Template(...)",
"severity": "INFO"
},
{
"id": "vendored-rules.python.lang.security.audit.marshal-usage",
"languages": [
"python"
],
"message": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/marshal.html?highlight=security"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "marshal.dump(...)"
},
{
"pattern": "marshal.dumps(...)"
},
{
"pattern": "marshal.load(...)"
},
{
"pattern": "marshal.loads(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.md5-used-as-password",
"languages": [
"python"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc6151",
"https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html",
"https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords",
"https://github.com/returntocorp/semgrep-rules/issues/1609",
"https://docs.python.org/3/library/hashlib.html#hashlib.scrypt"
],
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome",
"hashlib",
"md5"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FUNCTION(...)"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "hashlib.md5"
},
{
"pattern": "hashlib.new(..., name=\"MD5\", ...)"
},
{
"pattern": "Cryptodome.Hash.MD5"
},
{
"pattern": "Crypto.Hash.MD5"
},
{
"pattern": "cryptography.hazmat.primitives.hashes.MD5"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.non-literal-import",
"languages": [
"python"
],
"message": "Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-706: Use of Incorrectly-Resolved Name or Reference"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "importlib.import_module($NAME, ...)\n"
},
{
"pattern-not": "importlib.import_module(\"...\", ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.paramiko-implicit-trust-host-key",
"languages": [
"python"
],
"message": "Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-322: Key Exchange without Entity Authentication"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/ssh_no_host_key_verification.py",
"subcategory": [
"audit"
],
"technology": [
"paramiko"
]
},
"patterns": [
{
"pattern-inside": "$CLIENT = paramiko.client.SSHClient(...)\n...\n$CLIENT.set_missing_host_key_policy(...)\n"
},
{
"pattern-either": [
{
"pattern": "paramiko.client.AutoAddPolicy"
},
{
"pattern": "paramiko.client.WarningPolicy"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.python-reverse-shell",
"languages": [
"python"
],
"message": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-553: Command Shell in Externally Accessible Directory"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/553.html"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "pty.spawn(\"$BINPATH\",...)"
},
{
"pattern": "subprocess.call([\"$BINPATH\",...],...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$BINPATH",
"regex": "/bin/.*?sh\\b"
}
},
{
"pattern-inside": "import socket\n...\n$S = socket.socket(...)\n...\n$S.connect(($IP,$PORT),...)\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.regex_dos",
"languages": [
"python"
],
"message": "Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-1333: Inefficient Regular Expression Complexity",
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": "A06:2017 - Security Misconfiguration",
"references": [
"https://docs.python.org/3/library/re.html"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "$A = re.compile(\"$B\", ...)\n...\n$A.$METHOD(...)\n"
},
{
"metavariable-analysis": {
"analyzer": "redos",
"metavariable": "$B"
}
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(?!(escape)|(purge))"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.ssl-wrap-socket-is-deprecated",
"languages": [
"python"
],
"message": "'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/ssl.html#ssl.wrap_socket",
"https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"pattern": "ssl.wrap_socket(...)",
"severity": "WARNING"
},
{
"fix": "False\n",
"id": "vendored-rules.python.lang.security.audit.subprocess-shell-true",
"languages": [
"python"
],
"message": "Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess",
"https://docs.python.org/3/library/subprocess.html"
],
"source-rule-url": "https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"subcategory": [
"secure default"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "subprocess.$FUNC(..., shell=$TRUE, ...)"
},
{
"metavariable-pattern": {
"metavariable": "$TRUE",
"pattern": "True \n"
}
},
{
"pattern-not": "subprocess.$FUNC(\"...\", shell=True, ...)"
},
{
"focus-metavariable": "$TRUE"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.system-wildcard-detected",
"languages": [
"python"
],
"message": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-155: Improper Neutralization of Wildcards or Matching Symbols"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A01:2017 - Injection",
"references": [
"https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt"
],
"source-url-open": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "os.system(\"...\")"
},
{
"pattern-inside": "os.popen(\"...\")"
},
{
"pattern-inside": "os.popen2(\"...\")"
},
{
"pattern-inside": "os.popen3(\"...\")"
},
{
"pattern-inside": "os.popen4(\"...\")"
},
{
"pattern-inside": "subprocess.$W(..., shell=True, ...)"
}
]
},
{
"pattern-regex": "(tar|chmod|chown|rsync)(.*?)\\*"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.telnetlib",
"languages": [
"python"
],
"message": "Telnet does not encrypt communications. Use SSH instead.",
"metadata": {
"bandit-code": "B312",
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/telnetlib.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L208",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern": "telnetlib.$ANYTHING(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.weak-ssl-version",
"languages": [
"python"
],
"message": "An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher.",
"metadata": {
"asvs": {
"control_id": "9.1.3 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/html/rfc7568",
"https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html",
"https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/insecure_ssl_tls.py#L30",
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "ssl.PROTOCOL_SSLv2"
},
{
"pattern": "ssl.PROTOCOL_SSLv3"
},
{
"pattern": "ssl.PROTOCOL_TLSv1"
},
{
"pattern": "ssl.PROTOCOL_TLSv1_1"
},
{
"pattern": "pyOpenSSL.SSL.SSLv2_METHOD"
},
{
"pattern": "pyOpenSSL.SSL.SSLv23_METHOD"
},
{
"pattern": "pyOpenSSL.SSL.SSLv3_METHOD"
},
{
"pattern": "pyOpenSSL.SSL.TLSv1_METHOD"
},
{
"pattern": "pyOpenSSL.SSL.TLSv1_1_METHOD"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "FTP(.*)\\)",
"replacement": "FTP_TLS\\1, context=ssl.create_default_context())"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls",
"languages": [
"python"
],
"message": "The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' class instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS"
],
"subcategory": [
"audit"
],
"technology": [
"ftplib"
]
},
"patterns": [
{
"pattern": "ftplib.FTP(...)"
},
{
"pattern-not": "ftplib.FTP_TLS(...)"
}
],
"severity": "INFO"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context",
"languages": [
"python"
],
"message": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.",
"metadata": {
"asvs": {
"control_id": "9.2.1 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"requests"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "with requests.Session(...) as $SESSION:\n ...\n"
},
{
"pattern-either": [
{
"pattern": "$SESSION.$W($SINK, ...)"
},
{
"pattern": "$SESSION.request($METHOD, $SINK, ...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "\"$URL\"\n"
},
{
"metavariable-pattern": {
"language": "regex",
"metavariable": "$URL",
"patterns": [
{
"pattern-regex": "http://"
},
{
"pattern-not-regex": ".*://localhost"
},
{
"pattern-not-regex": ".*://127\\.0\\.0\\.1"
}
]
}
}
]
}
],
"severity": "INFO"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.requests.request-session-with-http",
"languages": [
"python"
],
"message": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.",
"metadata": {
"asvs": {
"control_id": "9.1.1 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"requests"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "requests.Session(...).$W($SINK, ...)"
},
{
"pattern": "requests.Session(...).request($METHOD, $SINK, ...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "\"$URL\"\n"
},
{
"metavariable-pattern": {
"language": "regex",
"metavariable": "$URL",
"patterns": [
{
"pattern-regex": "http://"
},
{
"pattern-not-regex": ".*://localhost"
},
{
"pattern-not-regex": ".*://127\\.0\\.0\\.1"
}
]
}
}
]
}
],
"severity": "INFO"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.requests.request-with-http",
"languages": [
"python"
],
"message": "Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.",
"metadata": {
"asvs": {
"control_id": "9.1.1 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"audit"
],
"technology": [
"requests"
]
},
"mode": "taint",
"options": {
"symbolic_propagation": true
},
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "requests.$W($SINK, ...)"
},
{
"pattern": "requests.request($METHOD, $SINK, ...)"
},
{
"pattern": "requests.Request($METHOD, $SINK, ...)"
}
]
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "\"$URL\"\n"
},
{
"metavariable-pattern": {
"language": "regex",
"metavariable": "$URL",
"patterns": [
{
"pattern-regex": "http://"
},
{
"pattern-not-regex": ".*://localhost"
},
{
"pattern-not-regex": ".*://127\\.0\\.0\\.1"
}
]
}
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.ssl.no-set-ciphers",
"languages": [
"python"
],
"message": "The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.",
"metadata": {
"asvs": {
"control_id": "9.1.3 Weak TLS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements",
"section": "V9 Communications Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/ssl.html#cipher-selection",
"https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers"
],
"subcategory": [
"audit"
],
"technology": [
"ssl"
]
},
"pattern": "$CONTEXT.set_ciphers(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp",
"languages": [
"python"
],
"message": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.OpenerDirector(...).open(\"=~/^[Ff][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open(\"=~/^[Ff][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$URL = \"=~/^[Ff][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.open($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/^[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.OpenerDirector(...).open($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/^[Ff][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.OpenerDirector(...).open($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open",
"languages": [
"python"
],
"message": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.OpenerDirector(...).open(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.open($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.OpenerDirector(...).open($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.OpenerDirector(...).open($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.OpenerDirector(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp",
"languages": [
"python"
],
"message": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP instead. urllib does not support SFTP natively, so consider using a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.Request"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.Request(\"=~/^[Ff][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/^[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.Request($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/^[Ff][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.Request($URL, ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-request-object",
"languages": [
"python"
],
"message": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.Request"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.Request(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.Request($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.Request($URL, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp",
"languages": [
"python"
],
"message": "Detected 'urllib.urlopen()' using 'ftp://'. This request will not be encrypted. Consider using SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.urlopen(\"=~/^[Ff][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/^[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.urlopen($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/^[Ff][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.urlopen($URL, ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopen",
"languages": [
"python"
],
"message": "Detected 'urllib.urlopen()' using 'http://'. This request will not be encrypted. Use 'https://' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.urlopen(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.urlopen($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.urlopen($URL, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp",
"languages": [
"python"
],
"message": "Detected an insecure transmission channel. 'URLopener.open(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).open(\"=~/[Ff][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open(\"=~/[Ff][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$URL = \"=~/[Ff][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.open($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.URLopener(...).open($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/[Ff][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).open($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open",
"languages": [
"python"
],
"message": "Detected an unsecured transmission channel. 'URLopener.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).open(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.open($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.URLopener(...).open($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).open($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.open($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp",
"languages": [
"python"
],
"message": "Detected an insecure transmission channel. 'URLopener.retrieve(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).retrieve(\"=~/[Ff][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.retrieve(\"=~/[Ff][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$URL = \"=~/[Ff][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.retrieve($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.URLopener(...).retrieve($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/[Ff][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).retrieve($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.retrieve($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve",
"languages": [
"python"
],
"message": "Detected an unsecured transmission channel. 'URLopener.retrieve(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).retrieve(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.retrieve(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\n$OPENERDIRECTOR.retrieve($URL, ...)\n"
}
]
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.URLopener(...).retrieve($URL, ...)\n"
},
{
"patterns": [
{
"pattern-inside": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n"
},
{
"pattern-either": [
{
"pattern": "urllib.request.URLopener(...).retrieve($URL, ...)"
},
{
"patterns": [
{
"pattern-inside": "$OPENERDIRECTOR = urllib.request.URLopener(...)\n...\n"
},
{
"pattern": "$OPENERDIRECTOR.retrieve($URL, ...)"
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp",
"languages": [
"python"
],
"message": "Detected 'urllib.urlretrieve()' using 'ftp://'. This request will not be encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching to a library which supports SFTP.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.urlretrieve(\"=~/^[Ff][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/^[Ff][Tt][Pp]://.*/\"\n...\nurllib.request.urlretrieve($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/^[Ff][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.urlretrieve($URL, ...)"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "[Hh][Tt][Tt][Pp]://",
"replacement": "https://"
},
"id": "vendored-rules.python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve",
"languages": [
"python"
],
"message": "Detected 'urllib.urlretrieve()' using 'http://'. This request will not be encrypted. Use 'https://' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve"
],
"subcategory": [
"audit"
],
"technology": [
"urllib"
]
},
"pattern-either": [
{
"pattern": "urllib.request.urlretrieve(\"=~/[Hh][Tt][Tt][Pp]://.*/\", ...)"
},
{
"pattern": "$URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\"\n...\nurllib.request.urlretrieve($URL, ...)\n"
},
{
"pattern": "def $FUNC(..., $URL = \"=~/[Hh][Tt][Tt][Pp]://.*/\", ...):\n ...\n urllib.request.urlretrieve($URL, ...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.logging.listen-eval",
"languages": [
"python"
],
"message": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern": "logging.config.listen(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.logging.python-logger-credential-disclosure",
"languages": [
"python"
],
"message": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-532: Insertion of Sensitive Information into Log File"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A09:2021 - Security Logging and Monitoring Failures"
],
"references": [
"https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "$LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...)\n"
},
{
"metavariable-regex": {
"metavariable": "$LOGGER_OBJ",
"regex": "(?i)(_logger|logger|self.logger|log)"
}
},
{
"metavariable-regex": {
"metavariable": "$LOGGER_CALL",
"regex": "(debug|info|warn|warning|error|exception|critical)"
}
},
{
"metavariable-regex": {
"metavariable": "$FORMAT_STRING",
"regex": "(?i).*(api.key|secret|credential|token|password).*\\%s.*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.network.avoid-bind-to-all-interfaces",
"languages": [
"python"
],
"message": "Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose the server publicly as it binds to all available interfaces. Consider instead getting correct address from an environment variable or configuration file.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "$S = socket.socket(...)\n...\n$S.bind((\"0.0.0.0\", ...))\n"
},
{
"pattern": "$S = socket.socket(...)\n...\n$S.bind((\"::\", ...))\n"
},
{
"pattern": "$S = socket.socket(...)\n...\n$S.bind((\"\", ...))\n"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.python.lang.security.audit.network.disabled-cert-validation",
"languages": [
"python"
],
"message": "certificate verification explicitly disabled, insecure connections possible",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"vuln"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "urllib3.PoolManager(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "urllib3.ProxyManager(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "urllib3.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "urllib3.connectionpool.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "urllib3.connection_from_url(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "urllib3.proxy_from_url(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "$CONTEXT.wrap_socket(..., cert_reqs=$REQS, ...)"
},
{
"pattern": "ssl.wrap_socket(..., cert_reqs=$REQS, ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$REQS",
"regex": "(NONE|CERT_NONE|CERT_OPTIONAL|ssl\\.CERT_NONE|ssl\\.CERT_OPTIONAL|\\'NONE\\'|\\\"NONE\\\"|\\'OPTIONAL\\'|\\\"OPTIONAL\\\")"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.network.http-not-https-connection",
"languages": [
"python"
],
"message": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern-either": [
{
"pattern": "urllib3.HTTPConnectionPool(...)"
},
{
"pattern": "urllib3.connectionpool.HTTPConnectionPool(...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.paramiko.paramiko-exec-command",
"languages": [
"python"
],
"message": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command",
"https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py",
"subcategory": [
"audit"
],
"technology": [
"paramiko"
]
},
"patterns": [
{
"pattern-inside": "$CLIENT = paramiko.client.SSHClient(...)\n...\n"
},
{
"pattern": "$CLIENT.exec_command(...)"
},
{
"pattern-not": "$CLIENT.exec_command(\"...\", ...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.audit.sqli.aiopg-sqli",
"languages": [
"python"
],
"message": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: 'cur.execute(\"SELECT %s FROM table\", (user_value,))'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/aio-libs/aiopg"
],
"subcategory": [
"audit"
],
"technology": [
"aiopg"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$CUR.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = '...'.format(...)\n...\n"
},
{
"pattern-inside": "$QUERY = '...' % (...)\n...\n"
},
{
"pattern-inside": "$QUERY = f'...{$USERINPUT}...'\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...'.format()\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...' % ()\n...\n"
}
]
},
{
"pattern": "$CUR.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$CUR.$METHOD(..., '...'.format(...), ...)"
},
{
"pattern": "$CUR.$METHOD(..., '...' % (...), ...)"
},
{
"pattern": "$CUR.$METHOD(..., f'...{$USERINPUT}...', ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$CONN = await aiopg.connect(...)\n...\n$CUR = await $CONN.cursor(...)\n...\n"
},
{
"pattern-inside": "$POOL = await aiopg.create_pool(...)\n...\nasync with $POOL.acquire(...) as $CONN:\n ...\n async with $CONN.cursor(...) as $CUR:\n ...\n"
},
{
"pattern-inside": "$POOL = await aiopg.create_pool(...)\n...\nwith (await $POOL.cursor(...)) as $CUR:\n ...\n"
},
{
"pattern-inside": "$POOL = await aiopg.create_pool(...)\n...\nasync with $POOL as $CONN:\n ...\n $CUR = await $CONN.cursor(...)\n ...\n"
},
{
"pattern-inside": "$POOL = await aiopg.create_pool(...)\n...\nasync with $POOL.cursor(...) as $CUR:\n ...\n"
}
]
},
{
"pattern-not": "$CUR.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"pattern-not": "$CUR.$METHOD(..., '...'.format(), ...)"
},
{
"pattern-not": "$CUR.$METHOD(..., '...'%(), ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(execute)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.sqli.asyncpg-sqli",
"languages": [
"python"
],
"message": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/MagicStack/asyncpg",
"https://magicstack.github.io/asyncpg/current/"
],
"subcategory": [
"audit"
],
"technology": [
"asyncpg"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$CONN.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = '...'.format(...)\n...\n"
},
{
"pattern-inside": "$QUERY = '...' % (...)\n...\n"
},
{
"pattern-inside": "$QUERY = f'...{$USERINPUT}...'\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...'.format()\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...' % ()\n...\n"
}
]
},
{
"pattern": "$CONN.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$CONN.$METHOD(..., $Y.format(...), ...)"
},
{
"pattern": "$CONN.$METHOD(..., '...'.format(...), ...)"
},
{
"pattern": "$CONN.$METHOD(..., '...' % (...), ...)"
},
{
"pattern": "$CONN.$METHOD(..., f'...{$USERINPUT}...', ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$CONN = await asyncpg.connect(...)\n...\n"
},
{
"pattern-inside": "async with asyncpg.create_pool(...) as $CONN:\n ...\n"
},
{
"pattern-inside": "async with $POOL.acquire(...) as $CONN:\n ...\n"
},
{
"pattern-inside": "$CONN = await $POOL.acquire(...)\n...\n"
},
{
"pattern-inside": "def $FUNCNAME(..., $CONN: Connection, ...):\n ...\n"
},
{
"pattern-inside": "def $FUNCNAME(..., $CONN: asyncpg.Connection, ...):\n ...\n"
}
]
},
{
"pattern-not": "$CONN.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"pattern-not": "$CONN.$METHOD(..., '...'.format(), ...)"
},
{
"pattern-not": "$CONN.$METHOD(..., '...'%(), ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(fetch|fetchrow|fetchval|execute|executemany|prepare|cursor|copyfromquery)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.sqli.pg8000-sqli",
"languages": [
"python"
],
"message": "Detected string concatenation with a non-literal variable in a pg8000 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.run(\"SELECT :value FROM table\", value=myvalue)'. You can also create prepared statements with 'conn.prepare': 'conn.prepare(\"SELECT (:v) FROM table\")'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/tlocke/pg8000"
],
"subcategory": [
"audit"
],
"technology": [
"pg8000"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$CONN.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = '...'.format(...)\n...\n"
},
{
"pattern-inside": "$QUERY = '...' % (...)\n...\n"
},
{
"pattern-inside": "$QUERY = f'...{$USERINPUT}...'\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...'.format()\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...' % ()\n...\n"
}
]
},
{
"pattern": "$CONN.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$CONN.$METHOD(..., '...'.format(...), ...)"
},
{
"pattern": "$CONN.$METHOD(..., '...' % (...), ...)"
},
{
"pattern": "$CONN.$METHOD(..., f'...{$USERINPUT}...', ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$CONN = pg8000.native.Connection(...)\n...\n"
},
{
"pattern-inside": "$CONN = pg8000.dhapi.connect(...)\n...\n"
},
{
"pattern-inside": "$CONN1 = pg8000.connect(...)\n...\n$CONN = $CONN1.cursor(...)\n...\n"
},
{
"pattern-inside": "$CONN = pg8000.connect(...)\n...\n"
}
]
},
{
"pattern-not": "$CONN.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"pattern-not": "$CONN.$METHOD(..., '...'.format(), ...)"
},
{
"pattern-not": "$CONN.$METHOD(..., '...'%(), ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(run|execute|executemany|prepare)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.audit.sqli.psycopg-sqli",
"languages": [
"python"
],
"message": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.psycopg.org/docs/sql.html"
],
"subcategory": [
"audit"
],
"technology": [
"psycopg"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$CUR.$METHOD(...,$QUERY,...)"
},
{
"pattern-either": [
{
"pattern-inside": "$QUERY = $X + $Y\n...\n"
},
{
"pattern-inside": "$QUERY += $X\n...\n"
},
{
"pattern-inside": "$QUERY = '...'.format(...)\n...\n"
},
{
"pattern-inside": "$QUERY = '...' % (...)\n...\n"
},
{
"pattern-inside": "$QUERY = f'...{$USERINPUT}...'\n...\n"
}
]
},
{
"pattern-not-inside": "$QUERY += \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = \"...\" + \"...\"\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...'.format()\n...\n"
},
{
"pattern-not-inside": "$QUERY = '...' % ()\n...\n"
}
]
},
{
"pattern": "$CUR.$METHOD(..., $X + $Y, ...)"
},
{
"pattern": "$CUR.$METHOD(..., '...'.format(...), ...)"
},
{
"pattern": "$CUR.$METHOD(..., '...' % (...), ...)"
},
{
"pattern": "$CUR.$METHOD(..., f'...{$USERINPUT}...', ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "$CONN = psycopg2.connect(...)\n...\n$CUR = $CONN.cursor(...)\n...\n"
},
{
"pattern-inside": "$CONN = psycopg2.connect(...)\n...\nwith $CONN.cursor(...) as $CUR:\n ...\n"
}
]
},
{
"pattern-not": "$CUR.$METHOD(..., \"...\" + \"...\", ...)"
},
{
"pattern-not": "$CUR.$METHOD(..., '...'.format(), ...)"
},
{
"pattern-not": "$CUR.$METHOD(..., '...'%(), ...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(execute|executemany|mogrify)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-jsonpickle",
"languages": [
"python"
],
"message": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/jsonpickle/jsonpickle#jsonpickle",
"https://www.exploit-db.com/exploits/49585"
],
"subcategory": [
"audit"
],
"technology": [
"jsonpickle"
]
},
"patterns": [
{
"pattern": "jsonpickle.decode($PAYLOAD,...)\n"
},
{
"pattern-not": "jsonpickle.decode(\"...\",...)\n"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"count": 1,
"regex": "unsafe_load",
"replacement": "safe_load"
},
"id": "vendored-rules.python.lang.security.deserialization.avoid-pyyaml-load",
"languages": [
"python"
],
"message": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation",
"https://nvd.nist.gov/vuln/detail/CVE-2017-18342"
],
"subcategory": [
"audit"
],
"technology": [
"pyyaml"
]
},
"patterns": [
{
"pattern-inside": "import yaml\n...\n"
},
{
"pattern-not-inside": "$YAML = ruamel.yaml.YAML(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "yaml.unsafe_load(...)"
},
{
"pattern": "yaml.load(..., Loader=yaml.Loader, ...)"
},
{
"pattern": "yaml.load(..., Loader=yaml.UnsafeLoader, ...)"
},
{
"pattern": "yaml.load(..., Loader=yaml.CLoader, ...)"
},
{
"pattern": "yaml.load_all(..., Loader=yaml.Loader, ...)"
},
{
"pattern": "yaml.load_all(..., Loader=yaml.UnsafeLoader, ...)"
},
{
"pattern": "yaml.load_all(..., Loader=yaml.CLoader, ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-unsafe-ruamel",
"languages": [
"python"
],
"message": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ"
],
"subcategory": [
"audit"
],
"technology": [
"ruamel.yaml"
]
},
"pattern-either": [
{
"pattern": "ruamel.yaml.YAML(..., typ='unsafe', ...)"
},
{
"pattern": "ruamel.yaml.YAML(..., typ='base', ...)"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-pickle",
"languages": [
"python"
],
"message": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "pickle.$FUNC(...)"
},
{
"pattern": "_pickle.$FUNC(...)"
}
]
},
{
"pattern-not": "pickle.$FUNC(\"...\")"
},
{
"pattern-not": "_pickle.$FUNC(\"...\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-cPickle",
"languages": [
"python"
],
"message": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "cPickle.$FUNC(...)"
},
{
"pattern-not": "cPickle.$FUNC(\"...\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-dill",
"languages": [
"python"
],
"message": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"patterns": [
{
"pattern": "dill.$FUNC(...)"
},
{
"pattern-not": "dill.$FUNC(\"...\")"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.lang.security.deserialization.avoid-shelve",
"languages": [
"python"
],
"message": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://docs.python.org/3/library/pickle.html"
],
"subcategory": [
"audit"
],
"technology": [
"python"
]
},
"pattern": "shelve.$FUNC(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-cipher-algorithm-blowfish",
"languages": [
"python"
],
"message": "Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::pycryptodome",
"crypto::search::symmetric-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption",
"https://www.pycryptodome.org/src/cipher/cipher"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Cryptodome.Cipher.Blowfish.new(...)"
},
{
"pattern": "Crypto.Cipher.Blowfish.new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-cipher-algorithm-des",
"languages": [
"python"
],
"message": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::pycryptodome",
"crypto::search::symmetric-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/326.html",
"https://www.pycryptodome.org/src/cipher/cipher"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Cryptodome.Cipher.DES.new(...)"
},
{
"pattern": "Crypto.Cipher.DES.new(...)"
},
{
"pattern": "Cryptodome.Cipher.DES3.new(...)"
},
{
"pattern": "Crypto.Cipher.DES3.new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-cipher-algorithm-rc2",
"languages": [
"python"
],
"message": "Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::pycryptodome",
"crypto::search::symmetric-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/326.html",
"https://www.pycryptodome.org/src/cipher/cipher"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Cryptodome.Cipher.ARC2.new(...)"
},
{
"pattern": "Crypto.Cipher.ARC2.new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-cipher-algorithm-rc4",
"languages": [
"python"
],
"message": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::symmetric-algorithm::pycryptodome",
"crypto::search::symmetric-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/326.html",
"https://www.pycryptodome.org/src/cipher/cipher"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"pattern-either": [
{
"pattern": "Cryptodome.Cipher.ARC4.new(...)"
},
{
"pattern": "Crypto.Cipher.ARC4.new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-cipher-algorithm-xor",
"languages": [
"python"
],
"message": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.",
"metadata": {
"bandit-code": "B304",
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"pattern-either": [
{
"pattern": "Cryptodome.Cipher.XOR.new(...)"
},
{
"pattern": "Crypto.Cipher.XOR.new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-hash-algorithm-md2",
"languages": [
"python"
],
"message": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::hash-algorithm::pycryptodome",
"crypto::search::hash-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms",
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Crypto.Hash.MD2.new(...)"
},
{
"pattern": "Cryptodome.Hash.MD2.new (...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-hash-algorithm-md4",
"languages": [
"python"
],
"message": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::hash-algorithm::pycryptodome",
"crypto::search::hash-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms",
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Crypto.Hash.MD4.new(...)"
},
{
"pattern": "Cryptodome.Hash.MD4.new (...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-hash-algorithm-md5",
"languages": [
"python"
],
"message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"functional-categories": [
"crypto::search::hash-algorithm::pycryptodome",
"crypto::search::hash-algorithm::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms",
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"pattern-either": [
{
"pattern": "Crypto.Hash.MD5.new(...)"
},
{
"pattern": "Cryptodome.Hash.MD5.new (...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insecure-hash-algorithm-sha1",
"languages": [
"python"
],
"message": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html",
"https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability",
"http://2012.sharcs.org/slides/stevens.pdf",
"https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"pattern-either": [
{
"pattern": "Crypto.Hash.SHA.new(...)"
},
{
"pattern": "Cryptodome.Hash.SHA.new (...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insufficient-dsa-key-size",
"languages": [
"python"
],
"message": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::pycryptodome",
"crypto::search::key-length::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.pycryptodome.org/src/public_key/dsa",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"patterns": [
{
"pattern-either": [
{
"pattern": "Crypto.PublicKey.DSA.generate(..., bits=$SIZE, ...)"
},
{
"pattern": "Crypto.PublicKey.DSA.generate($SIZE, ...)"
},
{
"pattern": "Cryptodome.PublicKey.DSA.generate(..., bits=$SIZE, ...)"
},
{
"pattern": "Cryptodome.PublicKey.DSA.generate($SIZE, ...)"
}
]
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 2048",
"metavariable": "$SIZE"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.insufficient-rsa-key-size",
"languages": [
"python"
],
"message": "Detected an insufficient key size for RSA. NIST recommends a key size of 3072 or higher.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"functional-categories": [
"crypto::search::key-length::pycryptodome",
"crypto::search::key-length::pycryptodomex"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.pycryptodome.org/src/public_key/rsa#rsa",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
],
"source-rule-url": "https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py",
"subcategory": [
"vuln"
],
"technology": [
"pycryptodome"
]
},
"options": {
"symbolic_propagation": true
},
"patterns": [
{
"pattern-either": [
{
"pattern": "Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...)"
},
{
"pattern": "Crypto.PublicKey.RSA.generate($SIZE, ...)"
},
{
"pattern": "Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...)"
},
{
"pattern": "Cryptodome.PublicKey.RSA.generate($SIZE, ...)"
}
]
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 3072",
"metavariable": "$SIZE"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.pycryptodome.security.crypto-mode-without-authentication",
"languages": [
"python"
],
"message": "An encryption mode of operation is being used without proper message authentication. This can potentially result in the encrypted content to be decrypted by an attacker. Consider instead use an AEAD mode of operation like GCM. ",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"subcategory": [
"vuln"
],
"technology": [
"cryptography"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "AES.new(..., $PYCRYPTODOME_MODE)\n"
}
]
},
{
"pattern-not-inside": "AES.new(..., $PYCRYPTODOME_MODE)\n...\nHMAC.new\n"
},
{
"metavariable-pattern": {
"metavariable": "$PYCRYPTODOME_MODE",
"patterns": [
{
"pattern-either": [
{
"pattern": "AES.MODE_CBC"
},
{
"pattern": "AES.MODE_CTR"
},
{
"pattern": "AES.MODE_CFB"
},
{
"pattern": "AES.MODE_OFB"
}
]
}
]
}
}
]
}
]
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "MONGODB-CR",
"replacement": "SCRAM-SHA-256"
},
"id": "vendored-rules.python.pymongo.security.mongo-client-bad-auth",
"languages": [
"python"
],
"message": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-477: Use of Obsolete Function"
],
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://cwe.mitre.org/data/definitions/477.html"
],
"subcategory": [
"vuln"
],
"technology": [
"pymongo"
]
},
"pattern": "pymongo.MongoClient(..., authMechanism='MONGODB-CR')\n",
"severity": "WARNING"
},
{
"fix": "$...PARAMS, httponly=True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-authtkt-cookie-httponly-unsafe-default",
"languages": [
"python"
],
"message": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern": "pyramid.authentication.$FUNC($...PARAMS)"
},
{
"metavariable-pattern": {
"metavariable": "$FUNC",
"pattern-either": [
{
"pattern": "AuthTktCookieHelper"
},
{
"pattern": "AuthTktAuthenticationPolicy"
}
]
}
},
{
"pattern-not": "pyramid.authentication.$FUNC(..., httponly=$HTTPONLY, ...)"
},
{
"pattern-not": "pyramid.authentication.$FUNC(..., **$PARAMS, ...)"
},
{
"focus-metavariable": "$...PARAMS"
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-authtkt-cookie-httponly-unsafe-value",
"languages": [
"python"
],
"message": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktCookieHelper(..., httponly=$HTTPONLY, ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktAuthenticationPolicy(..., httponly=$HTTPONLY, ...)"
}
]
}
]
},
{
"pattern": "$HTTPONLY"
},
{
"metavariable-pattern": {
"metavariable": "$HTTPONLY",
"pattern": "False\n"
}
}
],
"severity": "WARNING"
},
{
"fix": "'Lax'\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-authtkt-cookie-samesite",
"languages": [
"python"
],
"message": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "pyramid.authentication.AuthTktCookieHelper(..., samesite=$SAMESITE, ...)"
},
{
"pattern": "pyramid.authentication.AuthTktAuthenticationPolicy(..., samesite=$SAMESITE, ...)"
}
]
},
{
"pattern": "$SAMESITE"
},
{
"metavariable-regex": {
"metavariable": "$SAMESITE",
"regex": "(?!'Lax')"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)\\)",
"replacement": "\\1, secure=True)"
},
"id": "vendored-rules.python.pyramid.audit.pyramid-authtkt-cookie-secure-unsafe-default",
"languages": [
"python"
],
"message": "Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktCookieHelper(..., secure=$SECURE, ...)"
},
{
"pattern-not": "pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktCookieHelper(...)"
}
]
},
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktAuthenticationPolicy(..., secure=$SECURE, ...)"
},
{
"pattern-not": "pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktAuthenticationPolicy(...)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-authtkt-cookie-secure-unsafe-value",
"languages": [
"python"
],
"message": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktCookieHelper(..., secure=$SECURE, ...)"
}
]
},
{
"patterns": [
{
"pattern-not": "pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)"
},
{
"pattern": "pyramid.authentication.AuthTktAuthenticationPolicy(..., secure=$SECURE, ...)"
}
]
}
]
},
{
"pattern": "$SECURE"
},
{
"metavariable-pattern": {
"metavariable": "$SECURE",
"pattern": "False\n"
}
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-csrf-check-disabled",
"languages": [
"python"
],
"message": "CSRF protection is disabled for this view. This is a security risk.",
"metadata": {
"asvs": {
"control_id": "4.2.2 CSRF",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control",
"section": "V4 Access Control",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"audit"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-inside": "from pyramid.view import view_config\n...\n@view_config(..., require_csrf=$REQUIRE_CSRF, ...)\ndef $VIEW(...):\n ...\n"
},
{
"pattern": "$REQUIRE_CSRF"
},
{
"metavariable-comparison": {
"comparison": "$REQUIRE_CSRF == False",
"metavariable": "$REQUIRE_CSRF"
}
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-csrf-origin-check-disabled-globally",
"languages": [
"python"
],
"message": "Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check for all unsafe methods (per RFC2616).",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-inside": "$CONFIG.set_default_csrf_options(..., check_origin=$CHECK_ORIGIN, ...)\n"
},
{
"pattern": "$CHECK_ORIGIN"
},
{
"metavariable-comparison": {
"comparison": "$CHECK_ORIGIN == False",
"metavariable": "$CHECK_ORIGIN"
}
}
],
"severity": "ERROR"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-csrf-origin-check-disabled",
"languages": [
"python"
],
"message": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.",
"metadata": {
"asvs": {
"control_id": "4.2.2 CSRF",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control",
"section": "V4 Access Control",
"version": "4"
},
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-inside": "from pyramid.view import view_config\n...\n@view_config(..., check_origin=$CHECK_ORIGIN, ...)\ndef $VIEW(...):\n ...\n"
},
{
"pattern": "$CHECK_ORIGIN"
},
{
"metavariable-comparison": {
"comparison": "$CHECK_ORIGIN == False",
"metavariable": "$CHECK_ORIGIN"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)\\)",
"replacement": "\\1, httponly=True)"
},
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-httponly-unsafe-default",
"languages": [
"python"
],
"message": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., httponly=$HTTPONLY, ...)"
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(...)"
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-httponly-unsafe-value",
"languages": [
"python"
],
"message": "Found a Pyramid cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/www-community/controls/SecureCookieAttribute",
"https://owasp.org/www-community/HttpOnly",
"https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#httponly-attribute"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(..., httponly=$HTTPONLY, ...)"
},
{
"pattern": "$HTTPONLY"
},
{
"metavariable-pattern": {
"metavariable": "$HTTPONLY",
"pattern": "False\n"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)\\)",
"replacement": "\\1, samesite='Lax')"
},
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-samesite-unsafe-default",
"languages": [
"python"
],
"message": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., samesite=$SAMESITE, ...)"
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(...)"
}
],
"severity": "WARNING"
},
{
"fix": "'Lax'\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-samesite-unsafe-value",
"languages": [
"python"
],
"message": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1275: Sensitive Cookie with Improper SameSite Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(..., samesite=$SAMESITE, ...)"
},
{
"pattern": "$SAMESITE"
},
{
"metavariable-regex": {
"metavariable": "$SAMESITE",
"regex": "(?!'Lax')"
}
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "(.*)\\)",
"replacement": "\\1, secure=True)"
},
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-secure-unsafe-default",
"languages": [
"python"
],
"message": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., secure=$SECURE, ...)"
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(...)"
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.audit.pyramid-set-cookie-secure-unsafe-value",
"languages": [
"python"
],
"message": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "@pyramid.view.view_config(...)\ndef $VIEW($REQUEST):\n ...\n $RESPONSE = $REQUEST.response\n ...\n"
},
{
"pattern-inside": "def $VIEW(...):\n ...\n $RESPONSE = pyramid.httpexceptions.HTTPFound(...)\n ...\n"
}
]
},
{
"pattern-not": "$RESPONSE.set_cookie(..., **$PARAMS)"
},
{
"pattern": "$RESPONSE.set_cookie(..., secure=$SECURE, ...)"
},
{
"pattern": "$SECURE"
},
{
"metavariable-pattern": {
"metavariable": "$SECURE",
"pattern": "False\n"
}
}
],
"severity": "WARNING"
},
{
"fix": "True\n",
"id": "vendored-rules.python.pyramid.security.pyramid-csrf-check-disabled-globally",
"languages": [
"python"
],
"message": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn the automatic check for all unsafe methods (per RFC2616).",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"patterns": [
{
"pattern-inside": "$CONFIG.set_default_csrf_options(..., require_csrf=$REQUIRE_CSRF, ...)\n"
},
{
"pattern": "$REQUIRE_CSRF"
},
{
"metavariable-comparison": {
"comparison": "$REQUIRE_CSRF == False",
"metavariable": "$REQUIRE_CSRF"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.pyramid.security.pyramid-direct-use-of-response",
"languages": [
"python"
],
"message": "Detected data rendered directly to the end user via 'Response'. This bypasses Pyramid's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Pyramid's template engines to safely render HTML.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "pyramid.request.Response.text($SINK)\n"
},
{
"pattern": "pyramid.request.Response($SINK)\n"
},
{
"pattern": "$REQ.response.body = $SINK\n"
},
{
"pattern": "$REQ.response.text = $SINK\n"
},
{
"pattern": "$REQ.response.ubody = $SINK\n"
},
{
"pattern": "$REQ.response.unicode_body = $SINK\n"
}
]
},
{
"pattern": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "@pyramid.view.view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "format",
"replacement": "bindparams"
},
"id": "vendored-rules.python.pyramid.security.pyramid-sqlalchemy-sql-injection",
"languages": [
"python"
],
"message": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data"
],
"subcategory": [
"vuln"
],
"technology": [
"pyramid"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$QUERY = $REQ.dbsession.query(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "$QUERY.$SQLFUNC(\"...\".$FORMATFUNC(..., $SINK, ...))\n"
},
{
"pattern": "$QUERY.join(...).$SQLFUNC(\"...\".$FORMATFUNC(..., $SINK, ...))\n"
}
]
},
{
"pattern": "$SINK"
},
{
"metavariable-regex": {
"metavariable": "$SQLFUNC",
"regex": "(group_by|order_by|distinct|having|filter)"
}
},
{
"metavariable-regex": {
"metavariable": "$FORMATFUNC",
"regex": "(?!bindparams)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-inside": "from pyramid.view import view_config\n...\n@view_config( ... )\ndef $VIEW($REQ):\n ...\n"
},
{
"pattern": "$REQ.$ANYTHING"
},
{
"pattern-not": "$REQ.dbsession"
}
]
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "verify(\\s)*=(\\s)*False",
"replacement": "verify=True"
},
"id": "vendored-rules.python.requests.security.disabled-cert-validation",
"languages": [
"python"
],
"message": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib"
],
"subcategory": [
"audit"
],
"technology": [
"requests"
]
},
"pattern-either": [
{
"pattern": "requests.put(..., verify=False, ...)"
},
{
"pattern": "requests.patch(..., verify=False, ...)"
},
{
"pattern": "requests.delete(..., verify=False, ...)"
},
{
"pattern": "requests.head(..., verify=False, ...)"
},
{
"pattern": "requests.options(..., verify=False, ...)"
},
{
"pattern": "requests.request(..., verify=False, ...)"
},
{
"pattern": "requests.get(..., verify=False, ...)"
},
{
"pattern": "requests.post(..., verify=False, ...)"
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"count": 1,
"regex": "http:\\/\\/",
"replacement": "https://"
},
"id": "vendored-rules.python.requests.security.no-auth-over-http",
"languages": [
"python"
],
"message": "Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use 'https://' instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-523: Unprotected Transport of Credentials"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/",
"https://bento.dev/checks/requests/no-auth-over-http/"
],
"source-rule-url": "https://pypi.org/project/flake8-flask/",
"subcategory": [
"audit"
],
"technology": [
"requests"
]
},
"pattern-either": [
{
"pattern": "requests.$W(\"=~/http:\\/\\/.*/\", ..., auth=$X, ...)"
},
{
"pattern": "$URL = \"=~/http:\\/\\/.../\"\n...\nrequests.$W($URL, ..., auth=$X, ...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.sh.security.string-concat",
"languages": [
"python"
],
"message": "Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"sh"
]
},
"pattern-either": [
{
"pattern": "sh.$BIN($X + $Y)"
},
{
"pattern": "sh.$BIN($X.format(...))"
},
{
"pattern": "sh.$BIN(f\"...{...}...\")"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.sqlalchemy.security.sqlalchemy-execute-raw-query",
"languages": [
"python"
],
"message": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql",
"https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm",
"https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"
],
"subcategory": [
"audit"
],
"technology": [
"sqlalchemy"
]
},
"pattern-either": [
{
"pattern": "$CONNECTION.execute( $SQL + ..., ... )\n"
},
{
"pattern": "$CONNECTION.execute( $SQL % (...), ...)\n"
},
{
"pattern": "$CONNECTION.execute( $SQL.format(...), ... )\n"
},
{
"pattern": "$CONNECTION.execute(f\"...{...}...\", ...)\n"
},
{
"patterns": [
{
"pattern-inside": "$QUERY = $SQL + ...\n...\n"
},
{
"pattern": "$CONNECTION.execute($QUERY, ...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$QUERY = $SQL % (...)\n...\n"
},
{
"pattern": "$CONNECTION.execute($QUERY, ...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$QUERY = $SQL.format(...)\n...\n"
},
{
"pattern": "$CONNECTION.execute($QUERY, ...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "$QUERY = f\"...{...}...\"\n...\n"
},
{
"pattern": "$CONNECTION.execute($QUERY, ...)\n"
}
]
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "format",
"replacement": "bindparams"
},
"id": "vendored-rules.python.sqlalchemy.security.sqlalchemy-sql-injection",
"languages": [
"python"
],
"message": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"sqlalchemy"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "def $FUNC(...,$VAR,...):\n ...\n $SESSION.query(...).$SQLFUNC(\"...\".$FORMATFUNC(...,$VAR,...))\n"
},
{
"pattern": "def $FUNC(...,$VAR,...):\n ...\n $SESSION.query.join(...).$SQLFUNC(\"...\".$FORMATFUNC(...,$VAR,...))\n"
},
{
"pattern": "def $FUNC(...,$VAR,...):\n ...\n $SESSION.query.$SQLFUNC(\"...\".$FORMATFUNC(...,$VAR,...))\n"
},
{
"pattern": "def $FUNC(...,$VAR,...):\n ...\n query.$SQLFUNC(\"...\".$FORMATFUNC(...,$VAR,...))\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLFUNC",
"regex": "(group_by|order_by|distinct|having|filter)"
}
},
{
"metavariable-regex": {
"metavariable": "$FORMATFUNC",
"regex": "(?!bindparams)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.python.sqlalchemy.security.audit.avoid-sqlalchemy-text",
"languages": [
"python"
],
"message": "sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as or_, and_, etc.) to construct SQL.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql"
],
"subcategory": [
"audit"
],
"technology": [
"sqlalchemy"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "sqlalchemy.text(...)\n"
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$X + $Y\n"
},
{
"metavariable-type": {
"metavariable": "$X",
"type": "string"
}
}
]
},
{
"patterns": [
{
"pattern": "$X + $Y\n"
},
{
"metavariable-type": {
"metavariable": "$Y",
"type": "string"
}
}
]
},
{
"patterns": [
{
"pattern": "f\"...\"\n"
}
]
},
{
"patterns": [
{
"pattern": "$X.format(...)\n"
},
{
"metavariable-type": {
"metavariable": "$X",
"type": "string"
}
}
]
},
{
"patterns": [
{
"pattern": "$X % $Y\n"
},
{
"metavariable-type": {
"metavariable": "$X",
"type": "string"
}
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.python.twilio.security.twiml-injection",
"languages": [
"python"
],
"message": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-91: XML Injection"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://codeberg.org/fennix/funjection"
],
"subcategory": "vuln",
"technology": [
"python",
"twilio",
"twiml"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "xml.sax.saxutils.escape(...)"
},
{
"pattern": "html.escape(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$CLIENT.calls.create(..., twiml=$SINK, ...)\n"
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"pattern": "f\"...\"\n"
},
{
"pattern": "\"...\" % ...\n"
},
{
"pattern": "\"...\".format(...)\n"
},
{
"patterns": [
{
"pattern": "$ARG"
},
{
"pattern-inside": "def $F(..., $ARG, ...):\n ...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.activerecord-sqli",
"languages": [
"ruby"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"active-record"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "ActiveRecord::Base.connection.execute($QUERY,...)"
},
{
"pattern": "$MODEL.find_by_sql($QUERY,...)"
},
{
"pattern": "$MODEL.select_all($QUERY,...)"
}
]
},
{
"pattern-inside": "require 'active_record'\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.mysql2-sqli",
"languages": [
"ruby"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/brianmario/mysql2"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"mysql2"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "$CLIENT.escape(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$CLIENT.query($QUERY,...)"
},
{
"pattern": "$CLIENT.prepare($QUERY,...)"
}
]
},
{
"pattern-inside": "require 'mysql2'\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.pg-sqli",
"languages": [
"ruby"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.rubydoc.info/gems/pg/PG/Connection"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"postgres",
"pg"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "$CONN.exec($QUERY,...)"
},
{
"pattern": "$CONN.exec_params($QUERY,...)"
},
{
"pattern": "$CONN.exec_prepared($QUERY,...)"
},
{
"pattern": "$CONN.async_exec($QUERY,...)"
},
{
"pattern": "$CONN.async_exec_params($QUERY,...)"
},
{
"pattern": "$CONN.async_exec_prepared($QUERY,...)"
}
]
},
{
"pattern-inside": "require 'pg'\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.sequel-sqli",
"languages": [
"ruby"
],
"message": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda",
"sequel"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$QUERY"
},
{
"pattern-either": [
{
"pattern": "DB[$QUERY,...]"
},
{
"pattern": "DB.run($QUERY,...)"
}
]
},
{
"pattern-inside": "require 'sequel'\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.tainted-deserialization",
"languages": [
"ruby"
],
"message": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html",
"https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ",
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$SINK"
},
{
"pattern-either": [
{
"pattern-inside": "YAML.load($SINK,...)\n"
},
{
"pattern-inside": "CSV.load($SINK,...)\n"
},
{
"pattern-inside": "Marshal.load($SINK,...)\n"
},
{
"pattern-inside": "Marshal.restore($SINK,...)\n"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.aws-lambda.security.tainted-sql-string",
"languages": [
"ruby"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet"
],
"subcategory": [
"vuln"
],
"technology": [
"aws-lambda"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "\"...#{...}...\"\n"
},
{
"pattern-regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b|\\w+\\s*!?[<>=].*"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Kernel::sprintf(\"$SQLSTR\", ...)"
},
{
"pattern": "\"$SQLSTR\" + $EXPR\n"
},
{
"pattern": "\"$SQLSTR\" % $EXPR\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b|\\w+\\s*!?[<>=].*"
}
}
]
}
]
},
{
"pattern-not-inside": "puts(...)\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "event"
},
{
"pattern-inside": "def $HANDLER(event, context)\n ...\nend\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.jwt.security.ruby-jwt-exposed-credentials",
"languages": [
"ruby"
],
"message": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://cwe.mitre.org/data/definitions/522.html"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require 'jwt'\n...\n"
},
{
"pattern": "$PAYLOAD = {...,password:...,...}\n...\nJWT.encode($PAYLOAD,...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.jwt.security.ruby-jwt-hardcoded-secret",
"languages": [
"ruby"
],
"message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require 'jwt'\n...\n"
},
{
"pattern-either": [
{
"pattern": "JWT.encode($PAYLOAD,\"...\",...)\n"
},
{
"pattern": "JWT.decode($PAYLOAD,\"...\",...)\n"
},
{
"pattern": "JWT.encode($PAYLOAD,nil,...)\n"
},
{
"pattern": "JWT.decode($PAYLOAD,nil,...)\n"
},
{
"pattern": "$SECRET = \"...\"\n...\nJWT.encode($PAYLOAD,$SECRET,...)\n"
},
{
"pattern": "$SECRET = \"...\"\n...\nJWT.decode($PAYLOAD,$SECRET,...)\n"
}
]
},
{
"pattern-not": "JWT.encode($PAYLOAD, nil, ... , jwks: ..., ...)\n"
},
{
"pattern-not": "JWT.decode($PAYLOAD, nil, ..., jwks: ..., ...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.jwt.security.ruby-jwt-none-alg",
"languages": [
"ruby"
],
"message": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require 'jwt'\n...\n"
},
{
"pattern": "JWT.encode($PAYLOAD, $SECRET, 'none', ...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.jwt.security.audit.ruby-jwt-decode-without-verify",
"languages": [
"ruby"
],
"message": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-345: Insufficient Verification of Data Authenticity"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require 'jwt'\n...\n"
},
{
"pattern": "JWT.decode($PAYLOAD,$SECRET,false,...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.jwt.security.audit.ruby-jwt-exposed-data",
"languages": [
"ruby"
],
"message": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"patterns": [
{
"pattern-inside": "require 'jwt'\n...\n"
},
{
"pattern-inside": "def $FUNC(...,$INPUT,...)\n ...\nend\n"
},
{
"pattern": "JWT.encode($INPUT,...)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.bad-deserialization-env",
"languages": [
"ruby"
],
"message": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ",
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "CSV.load(...)\n"
},
{
"pattern": "Marshal.load(...)\n"
},
{
"pattern": "Marshal.restore(...)\n"
},
{
"pattern": "Oj.object_load(...)\n"
},
{
"pattern": "Oj.load($X)\n"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "request.env"
}
]
}
],
"severity": "ERROR"
},
{
"fix": "Psych.safe_load($...ARGS)",
"id": "vendored-rules.ruby.lang.security.bad-deserialization-yaml",
"languages": [
"ruby"
],
"message": "Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with YAML can potentially be dangerous. Use JSON in a secure fashion instead. However, loading YAML from a static file is not dangerous and should not be flagged.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ",
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb"
],
"subcategory": [
"audit"
],
"technology": [
"ruby",
"yaml"
]
},
"patterns": [
{
"pattern": "YAML.load($...ARGS)\n"
},
{
"pattern-not": "YAML.load(..., safe: true, ...)\n"
},
{
"pattern-not": "YAML.load(\"...\", ...)\n"
},
{
"pattern-not-inside": "YAML.load(..., File.read(...), ...)\n"
},
{
"pattern-not-inside": "$FILE = File.read(...)\n...\nYAML.load(..., $FILE, ...)\n"
},
{
"pattern-not-inside": "$FILENAME = ...\n...\n$FILE = File.read($FILENAME, ...)\n...\nYAML.load(..., $FILE, ...)\n"
},
{
"pattern-not-inside": "YAML.load(..., $X.$Y(File.read(...)), ...)\n"
},
{
"pattern-not-inside": "YAML.load(..., $X.$Y(File.read(...)).$Z, ...)\n"
},
{
"pattern-not-inside": "$T = $MOD.$MET(File.read(...))\n...\nYAML.load(..., $T, ...)\n"
},
{
"pattern-not-inside": "$T = $MOD.$MET(File.read(...))\n...\nYAML.load(..., $T.$R, ...)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.bad-deserialization",
"languages": [
"ruby"
],
"message": "Checks for unsafe deserialization. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load and object_load can cause remote code execution. Loading user input with MARSHAL or CSV can potentially be dangerous. Use JSON in a secure fashion instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-502: Deserialization of Untrusted Data"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A08:2017 - Insecure Deserialization",
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ",
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "CSV.load(...)\n"
},
{
"pattern": "Marshal.load(...)\n"
},
{
"pattern": "Marshal.restore(...)\n"
},
{
"pattern": "Oj.object_load(...)\n"
},
{
"pattern": "Oj.load($X)\n"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "cookies"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.cookie-serialization",
"languages": [
"ruby"
],
"message": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb",
"https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "Rails.application.config.action_dispatch.cookies_serializer = :marshal\n"
},
{
"pattern": "Rails.application.config.action_dispatch.cookies_serializer = :hybrid\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.create-with",
"languages": [
"ruby"
],
"message": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb",
"https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern-not": "$FUNC.create_with($PARAMSB.permit(...))\n"
},
{
"pattern": "$FUNC.create_with($PARAMSA)\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.dangerous-exec",
"languages": [
"ruby"
],
"message": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://guides.rubyonrails.org/security.html#command-line-injection"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_execute.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$EXEC(...)\n"
},
{
"pattern-not": "$EXEC(\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "$EXEC([\"...\",\"...\",\"...\",...],...)\n"
},
{
"pattern-not": "$EXEC({...},\"...\",\"...\",\"...\",...)\n"
},
{
"pattern-not": "$EXEC({...},[\"...\",\"...\",\"...\",...],...)\n"
},
{
"metavariable-regex": {
"metavariable": "$EXEC",
"regex": "^(system|exec|spawn|Process.exec|Process.spawn|Open3.capture2|Open3.capture2e|Open3.capture3|Open3.popen2|Open3.popen2e|Open3.popen3|IO.popen|Gem::Util.popen|PTY.spawn)$"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "def $F(...,$ARG,...)\n ...\nend\n"
},
{
"focus-metavariable": "$ARG"
}
]
},
{
"pattern": "params"
},
{
"pattern": "cookies"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.dangerous-open",
"languages": [
"ruby"
],
"message": "Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern": "open($CMD,...)\n"
},
{
"pattern-not": "open(\"...\",...)\n"
},
{
"metavariable-regex": {
"metavariable": "$CMD",
"regex": "|"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.dangerous-open3-pipeline",
"languages": [
"ruby"
],
"message": "Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern": "Open3.$PIPE(...)\n"
},
{
"pattern-not": "Open3.$PIPE(...,\"...\",...)\n"
},
{
"metavariable-regex": {
"metavariable": "$PIPE",
"regex": "^(pipeline|pipeline_r|pipeline_rw|pipeline_start|pipeline_w)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.dangerous-subshell",
"languages": [
"ruby"
],
"message": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern": "`...#{$VAL}...`\n"
},
{
"pattern-not": "`...#{\"...\"}...`\n"
},
{
"pattern-not-inside": "$VAL = \"...\"\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.dangerous-syscall",
"languages": [
"ruby"
],
"message": "'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern": "syscall\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.divide-by-zero",
"languages": [
"ruby"
],
"message": "Detected a possible ZeroDivisionError.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-369: Divide By Zero"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "$NUMER / 0"
},
{
"pattern": "$NUMER"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$VAR"
},
{
"metavariable-regex": {
"metavariable": "$VAR",
"regex": "^\\d*(?!\\.)$"
}
}
]
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "=(\\s)*true",
"replacement": "= false"
},
"id": "vendored-rules.ruby.lang.security.file-disclosure",
"languages": [
"ruby"
],
"message": "Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb",
"https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern": "config.serve_static_assets = true",
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.filter-skipping",
"languages": [
"ruby"
],
"message": "Checks for use of action in Ruby routes. This can cause Rails to render an arbitrary view if an attacker creates an URL accurately. Affects 3.0 applications. Can avoid the vulnerability by providing additional constraints.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_filter_skipping.rb",
"https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern-not": "$CALL \"=~/.*(/:action.*).*/\", $ACTION\n"
},
{
"pattern": "$CALL \"=~/.*(/:action.*).*/\"\n"
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "=\\s*false",
"replacement": "= true"
},
"id": "vendored-rules.ruby.lang.security.force-ssl-false",
"languages": [
"ruby"
],
"message": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-311: Missing Encryption of Sensitive Data"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A04:2021 - Insecure Design"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"pattern": "config.force_ssl = false",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.hardcoded-http-auth-in-controller",
"languages": [
"ruby"
],
"message": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown",
"subcategory": [
"audit"
],
"technology": [
"ruby",
"secrets"
]
},
"patterns": [
{
"pattern-inside": "class $CONTROLLER < ApplicationController\n ...\n http_basic_authenticate_with ..., :password => \"$SECRET\", ...\nend\n"
},
{
"focus-metavariable": "$SECRET"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.hardcoded-secret-rsa-passphrase",
"languages": [
"ruby"
],
"message": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://cwe.mitre.org/data/definitions/522.html"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"secrets"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "OpenSSL::PKey::RSA.new(..., '...')"
},
{
"pattern": "OpenSSL::PKey::RSA.new(...).to_pem(..., '...')"
},
{
"pattern": "OpenSSL::PKey::RSA.new(...).export(..., '...')"
},
{
"patterns": [
{
"pattern-inside": "$OPENSSL = OpenSSL::PKey::RSA.new(...)\n...\n"
},
{
"pattern-either": [
{
"pattern": "$OPENSSL.export(...,'...')\n"
},
{
"pattern": "$OPENSSL.to_pem(...,'...')\n"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$ASSIGN = '...'\n...\n"
},
{
"pattern": "OpenSSL::PKey::RSA.new(..., $ASSIGN)"
}
]
},
{
"patterns": [
{
"pattern-inside": "def $METHOD1(...)\n...\n$ASSIGN = '...'\n...\nend\n...\ndef $METHOD2(...)\n...\nend\n"
},
{
"pattern": "OpenSSL::PKey::RSA.new(..., $ASSIGN)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$ASSIGN = '...'\n...\ndef $METHOD(...)\n $OPENSSL = OpenSSL::PKey::RSA.new(...)\n...\nend\n...\n"
},
{
"pattern-either": [
{
"pattern": "$OPENSSL.export(...,$ASSIGN)"
},
{
"pattern": "$OPENSSL.to_pem(...,$ASSIGN)"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $METHOD1(...)\n...\n$OPENSSL = OpenSSL::PKey::RSA.new(...)\n...\n$ASSIGN = '...'\n...\nend\n...\n"
},
{
"pattern-either": [
{
"pattern": "$OPENSSL.export(...,$ASSIGN)"
},
{
"pattern": "$OPENSSL.to_pem(...,$ASSIGN)"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $METHOD1(...)\n...\n$ASSIGN = '...'\n...\nend\n...\ndef $METHOD2(...)\n...\n$OPENSSL = OpenSSL::PKey::RSA.new(...)\n...\nend\n...\n"
},
{
"pattern-either": [
{
"pattern": "$OPENSSL.export(...,$ASSIGN)"
},
{
"pattern": "$OPENSSL.to_pem(...,$ASSIGN)"
}
]
}
]
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.insufficient-rsa-key-size",
"languages": [
"ruby"
],
"message": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-326: Inadequate Encryption Strength"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "OpenSSL::PKey::RSA.generate($SIZE,...)"
},
{
"pattern": "OpenSSL::PKey::RSA.new($SIZE, ...)"
},
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$ASSIGN = $SIZE\n...\n"
},
{
"pattern-either": [
{
"pattern": "OpenSSL::PKey::RSA.new($ASSIGN, ...)"
},
{
"pattern": "OpenSSL::PKey::RSA.generate($ASSIGN, ...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-inside": "def $METHOD1(...)\n...\n$ASSIGN = $SIZE\n...\nend\n...\n"
},
{
"pattern-either": [
{
"pattern": "OpenSSL::PKey::RSA.new($ASSIGN, ...)"
},
{
"pattern": "OpenSSL::PKey::RSA.generate($ASSIGN, ...)"
}
]
}
]
}
]
}
]
}
]
},
{
"metavariable-comparison": {
"comparison": "$SIZE < 2048",
"metavariable": "$SIZE"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.json-entity-escape",
"languages": [
"ruby"
],
"message": "Checks if HTML escaping is globally disabled for JSON output. This could lead to XSS.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_entity_escape.rb",
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "ActiveSupport.escape_html_entities_in_json = false\n"
},
{
"pattern": "config.active_support.escape_html_entities_in_json = false\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.mass-assignment-protection-disabled",
"languages": [
"ruby"
],
"message": "Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/mass_assignment/index.markdown",
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern": "$MODEL.new(params[...], ..., :without_protection => true, ...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.md5-used-as-password",
"languages": [
"ruby"
],
"message": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html",
"https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords",
"https://github.com/returntocorp/semgrep-rules/issues/1609"
],
"subcategory": [
"vuln"
],
"technology": [
"md5"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$FUNCTION(...);"
},
{
"metavariable-regex": {
"metavariable": "$FUNCTION",
"regex": "(?i)(.*password.*)"
}
}
]
}
],
"pattern-sources": [
{
"pattern": "Digest::MD5"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.missing-csrf-protection",
"languages": [
"ruby"
],
"message": "Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown",
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern": "class $CONTROLLER < ActionController::Base\n ...\nend\n"
},
{
"pattern-not": "class $CONTROLLER < ActionController::Base\n ...\n protect_from_forgery :with => :exception\nend\n"
},
{
"pattern-not": "class $CONTROLLER < ActionController::Base\n ...\n protect_from_forgery prepend: true, with: :exception\nend\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.model-attr-accessible",
"languages": [
"ruby"
],
"message": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "....permit(..., :admin, ...)\n"
},
{
"pattern": "....permit(..., :role, ...)\n"
},
{
"pattern": "....permit(..., :banned, ...)\n"
},
{
"pattern": "....permit(..., :account_id, ...)\n"
},
{
"pattern": "attr_accessible ..., :admin, ...\n"
},
{
"pattern": "attr_accessible ..., :role, ...\n"
},
{
"pattern": "attr_accessible ..., :banned, ...\n"
},
{
"pattern": "attr_accessible ..., :account_id, ...\n"
},
{
"pattern": "params.permit!\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.model-attributes-attr-accessible",
"languages": [
"ruby"
],
"message": "Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"patterns": [
{
"pattern-not": "class $CLASS < $TYPE\n...\nattr_accessible :$XXX\n...\nend\n...\n$CLASS.$FUNC(...)\n"
},
{
"pattern": "class $CLASS < $TYPE\n...\nend\n...\n$CLASS.$FUNC(...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$TYPE",
"patterns": [
{
"pattern-not-regex": "(?i)(Error|Exception)"
}
]
}
},
{
"focus-metavariable": "$CLASS"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.lang.security.ruby-eval",
"languages": [
"ruby"
],
"message": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_evaluation.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$X.eval"
},
{
"pattern": "$X.class_eval"
},
{
"pattern": "$X.instance_eval"
},
{
"pattern": "$X.module_eval"
},
{
"pattern": "$X.eval(...)"
},
{
"pattern": "$X.class_eval(...)"
},
{
"pattern": "$X.instance_eval(...)"
},
{
"pattern": "$X.module_eval(...)"
},
{
"pattern": "eval(...)"
},
{
"pattern": "class_eval(...)"
},
{
"pattern": "module_eval(...)"
},
{
"pattern": "instance_eval(...)"
}
]
},
{
"pattern-not": "$M(\"...\",...)"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"patterns": [
{
"pattern": "RubyVM::InstructionSequence.compile(...)\n"
},
{
"pattern-not": "RubyVM::InstructionSequence.compile(\"...\")\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.bad-send",
"languages": [
"ruby"
],
"message": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb",
"https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "$PARAM = params[...]\n...\n$RES = $MOD.send($PARAM.$FUNC)\n"
},
{
"pattern": "$PARAM = params[...]\n...\n$RES = $MOD.try($PARAM.$FUNC)\n"
},
{
"pattern": "$PARAM = params[...]\n...\n$RES = $MOD.__send__($PARAM.$FUNC)\n"
},
{
"pattern": "$PARAM = params[...]\n...\n$RES = $MOD.public_send($PARAM.$FUNC)"
}
],
"severity": "ERROR"
},
{
"fix-regex": {
"regex": "VERIFY_NONE",
"replacement": "VERIFY_PEER"
},
"id": "vendored-rules.ruby.lang.security.ssl-mode-no-verify",
"languages": [
"ruby"
],
"message": "Detected SSL that will accept an unverified connection. This makes the connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-295: Improper Certificate Validation"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"pattern": "OpenSSL::SSL::VERIFY_NONE",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.mass-assignment-vuln",
"languages": [
"ruby"
],
"message": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb",
"https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/"
],
"subcategory": [
"audit"
],
"technology": [
"ruby"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$MOD.new(params[$CODE])\n"
},
{
"pattern": "$MOD.new(..., params[$CODE], :without_protection => true, ...)\n"
}
]
},
{
"pattern-not-inside": "attr_accessible $VAR\n...\n$MOD.new(params[$CODE])\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.weak-hashes-md5",
"languages": [
"ruby"
],
"message": "Should not use md5 to generate hashes. md5 is proven to be vulnerable through the use of brute-force attacks. Could also result in collisions, leading to potential collision attacks. Use SHA256 or other hashing functions instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "Digest::MD5.base64digest $X"
},
{
"pattern": "Digest::MD5.hexdigest $X"
},
{
"pattern": "Digest::MD5.digest $X"
},
{
"pattern": "Digest::MD5.new"
},
{
"pattern": "OpenSSL::Digest::MD5.base64digest $X"
},
{
"pattern": "OpenSSL::Digest::MD5.hexdigest $X"
},
{
"pattern": "OpenSSL::Digest::MD5.digest $X"
},
{
"pattern": "OpenSSL::Digest::MD5.new"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.lang.security.weak-hashes-sha1",
"languages": [
"ruby"
],
"message": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-328: Use of Weak Hash"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html",
"https://shattered.io/"
],
"subcategory": [
"vuln"
],
"technology": [
"ruby"
]
},
"pattern-either": [
{
"pattern": "Digest::SHA1.$FUNC"
},
{
"pattern": "OpenSSL::Digest::SHA1.$FUNC"
},
{
"pattern": "OpenSSL::HMAC.$FUNC(\"sha1\",...)"
}
],
"severity": "WARNING"
},
{
"fix": "redirect_to $T",
"id": "vendored-rules.ruby.rails.correctness.rails-no-render-after-save",
"languages": [
"ruby"
],
"message": "Found a call to `render $T` after calling `$T.save`. Do not call `render` after calling `save` on an ActiveRecord object. Reloading the page will cause the state-changing operation to be repeated which may cause undesirable side effects. Use `redirect_to` instead.",
"metadata": {
"category": "correctness",
"references": [
"https://guides.rubyonrails.org/getting_started.html#creating-a-new-article"
],
"technology": [
"rails",
"ruby",
"activerecord"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "render $T\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$T"
},
{
"pattern-inside": "$T.save\n...\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.performance.ruby-rails-performance-indexes-are-beneficial",
"languages": [
"ruby"
],
"message": "The $COLUMN column appears to be a foreign key. Would it benefit from an index? Having an index can improve performance.",
"metadata": {
"category": "performance",
"references": [
"https://archive.is/i7SLO"
],
"technology": [
"rails"
]
},
"patterns": [
{
"pattern-not-inside": "add_column $TABLE, $COLUMN, $TYPE, ...\n...\nadd_index $TABLE, $COLUMN, ...\n"
},
{
"pattern": "add_column $TABLE, $COLUMN, $TYPE, ...\n"
},
{
"metavariable-regex": {
"metavariable": "$COLUMN",
"regex": "(.*_id$)"
}
},
{
"metavariable-regex": {
"metavariable": "$TYPE",
"regex": ":integer|:bigint"
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.ruby.rails.security.audit.avoid-session-manipulation",
"languages": [
"ruby"
],
"message": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-276: Incorrect Default Permissions"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"help": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/session_manipulation/"
],
"shortDescription": "Allowing an attacker to manipulate the session may lead to unintended behavior.",
"subcategory": [
"vuln"
],
"tags": [
"security"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "session[...]"
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.avoid-tainted-file-access",
"languages": [
"ruby"
],
"message": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Dir.$X(...)"
},
{
"pattern": "File.$X(...)"
},
{
"pattern": "IO.$X(...)"
},
{
"pattern": "Kernel.$X(...)"
},
{
"pattern": "PStore.$X(...)"
},
{
"pattern": "Pathname.$X(...)"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-either": [
{
"pattern": "chdir"
},
{
"pattern": "chroot"
},
{
"pattern": "delete"
},
{
"pattern": "entries"
},
{
"pattern": "foreach"
},
{
"pattern": "glob"
},
{
"pattern": "install"
},
{
"pattern": "lchmod"
},
{
"pattern": "lchown"
},
{
"pattern": "link"
},
{
"pattern": "load"
},
{
"pattern": "load_file"
},
{
"pattern": "makedirs"
},
{
"pattern": "move"
},
{
"pattern": "new"
},
{
"pattern": "open"
},
{
"pattern": "read"
},
{
"pattern": "readlines"
},
{
"pattern": "rename"
},
{
"pattern": "rmdir"
},
{
"pattern": "safe_unlink"
},
{
"pattern": "symlink"
},
{
"pattern": "syscopy"
},
{
"pattern": "sysopen"
},
{
"pattern": "truncate"
},
{
"pattern": "unlink"
}
]
}
]
}
}
]
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.avoid-tainted-ftp-call",
"languages": [
"ruby"
],
"message": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "Net::FTP.$X(...)"
},
{
"patterns": [
{
"pattern-inside": "$FTP = Net::FTP.$OPEN(...)\n...\n$FTP.$METHOD(...)\n"
},
{
"pattern": "$FTP.$METHOD(...)"
}
]
}
]
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.avoid-tainted-http-request",
"languages": [
"ruby"
],
"message": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "Net::HTTP::$METHOD.new(...)"
},
{
"metavariable-pattern": {
"metavariable": "$METHOD",
"patterns": [
{
"pattern-either": [
{
"pattern": "Copy"
},
{
"pattern": "Delete"
},
{
"pattern": "Get"
},
{
"pattern": "Head"
},
{
"pattern": "Lock"
},
{
"pattern": "Mkcol"
},
{
"pattern": "Move"
},
{
"pattern": "Options"
},
{
"pattern": "Patch"
},
{
"pattern": "Post"
},
{
"pattern": "Propfind"
},
{
"pattern": "Proppatch"
},
{
"pattern": "Put"
},
{
"pattern": "Trace"
},
{
"pattern": "Unlock"
}
]
}
]
}
}
]
},
{
"patterns": [
{
"pattern": "Net::HTTP.$X(...)"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-either": [
{
"pattern": "get"
},
{
"pattern": "get2"
},
{
"pattern": "head"
},
{
"pattern": "head2"
},
{
"pattern": "options"
},
{
"pattern": "patch"
},
{
"pattern": "post"
},
{
"pattern": "post2"
},
{
"pattern": "post_form"
},
{
"pattern": "put"
},
{
"pattern": "request"
},
{
"pattern": "request_get"
},
{
"pattern": "request_head"
},
{
"pattern": "request_post"
},
{
"pattern": "send_request"
},
{
"pattern": "trace"
},
{
"pattern": "get_print"
},
{
"pattern": "get_response"
},
{
"pattern": "start"
}
]
}
]
}
}
]
}
]
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.avoid-tainted-shell-call",
"languages": [
"ruby"
],
"message": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "Kernel.$X(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Shell.$X(...)"
},
{
"patterns": [
{
"pattern-inside": "$SHELL = Shell.$ANY(...)\n...\n$SHELL.$X(...)\n"
},
{
"pattern": "$SHELL.$X(...)"
}
]
}
]
}
]
}
]
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-either": [
{
"pattern": "cat"
},
{
"pattern": "chdir"
},
{
"pattern": "chroot"
},
{
"pattern": "delete"
},
{
"pattern": "entries"
},
{
"pattern": "exec"
},
{
"pattern": "foreach"
},
{
"pattern": "glob"
},
{
"pattern": "install"
},
{
"pattern": "lchmod"
},
{
"pattern": "lchown"
},
{
"pattern": "link"
},
{
"pattern": "load"
},
{
"pattern": "load_file"
},
{
"pattern": "makedirs"
},
{
"pattern": "move"
},
{
"pattern": "new"
},
{
"pattern": "open"
},
{
"pattern": "read"
},
{
"pattern": "readlines"
},
{
"pattern": "rename"
},
{
"pattern": "rmdir"
},
{
"pattern": "safe_unlink"
},
{
"pattern": "symlink"
},
{
"pattern": "syscopy"
},
{
"pattern": "sysopen"
},
{
"pattern": "system"
},
{
"pattern": "truncate"
},
{
"pattern": "unlink"
}
]
}
]
}
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "params[...]"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.audit.detailed-exceptions",
"languages": [
"ruby"
],
"message": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_detailed_exceptions.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "config.consider_all_requests_local = true\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "class $CONTROLLER < ApplicationController\n ...\nend\n"
},
{
"pattern": "def show_detailed_exceptions? (...)\n ...\nreturn $RETURN\nend\n"
},
{
"metavariable-pattern": {
"metavariable": "$RETURN",
"patterns": [
{
"pattern-not": "false\n"
}
]
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.rails-skip-forgery-protection",
"languages": [
"ruby"
],
"message": "This call turns off CSRF protection allowing CSRF attacks against the application",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "skip_forgery_protection",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.sqli.ruby-pg-sqli",
"languages": [
"ruby"
],
"message": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://www.rubydoc.info/gems/pg/PG/Connection"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-propagators": [
{
"from": "$Y",
"pattern": "$X << $Y",
"to": "$X"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$CON = PG.connect(...)\n...\n"
},
{
"pattern-inside": "$CON = PG::Connection.open(...)\n...\n"
},
{
"pattern-inside": "$CON = PG::Connection.new(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$CON.$METHOD($X,...)\n"
},
{
"pattern": "$CON.$METHOD $X, ...\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "^(exec|exec_params)$"
}
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "params\n"
},
{
"pattern": "cookies\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-content-tag",
"languages": [
"ruby"
],
"message": "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown",
"https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_content_tag.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "content_tag(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-default-routes",
"languages": [
"ruby"
],
"message": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-276: Incorrect Default Permissions"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*routes.rb"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "map.connect \":controller/:action/:id\""
},
{
"pattern": "match ':controller(/:action(/:id(.:format)))'"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-html-safe",
"languages": [
"ruby"
],
"message": "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown",
"https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern-either": [
{
"pattern": "$STR.html_safe"
},
{
"pattern": "$STR.html_safe.$MORE"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-link-to",
"languages": [
"ruby"
],
"message": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/link_to/",
"https://brakemanscanner.org/docs/warning_types/link_to_href/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_link_to.rb",
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "\"...#{...}...\"\n"
},
{
"pattern-not": "\"#{...}...\"\n"
}
]
}
],
"pattern-sinks": [
{
"pattern": "link_to(...)"
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
},
{
"pattern-either": [
{
"pattern": "$MODEL.url(...)"
},
{
"pattern": "$MODEL.uri(...)"
},
{
"pattern": "$MODEL.link(...)"
},
{
"pattern": "$MODEL.page(...)"
},
{
"pattern": "$MODEL.site(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-raw",
"languages": [
"ruby"
],
"message": "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw",
"https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "raw(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-redirect",
"languages": [
"ruby"
],
"message": "When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/redirect/"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "params.merge(:only_path => true)"
},
{
"pattern": "params.merge(:host => ...)"
}
],
"pattern-sinks": [
{
"pattern": "redirect_to(...)"
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
},
{
"patterns": [
{
"pattern": "$MODEL.$X(...)"
},
{
"pattern-not": "$MODEL.$X(\"...\")"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"pattern-either": [
{
"pattern": "all"
},
{
"pattern": "create"
},
{
"pattern": "create!"
},
{
"pattern": "find"
},
{
"pattern": "find_by_sql"
},
{
"pattern": "first"
},
{
"pattern": "last"
},
{
"pattern": "new"
},
{
"pattern": "from"
},
{
"pattern": "group"
},
{
"pattern": "having"
},
{
"pattern": "joins"
},
{
"pattern": "lock"
},
{
"pattern": "order"
},
{
"pattern": "reorder"
},
{
"pattern": "select"
},
{
"pattern": "where"
},
{
"pattern": "find_by"
},
{
"pattern": "find_by!"
},
{
"pattern": "take"
}
]
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-render-dynamic-path",
"languages": [
"ruby"
],
"message": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-inside": "render($X => $INPUT, ...)"
},
{
"pattern": "$INPUT"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"pattern-either": [
{
"pattern": "action"
},
{
"pattern": "template"
},
{
"pattern": "partial"
},
{
"pattern": "file"
}
]
}
}
]
}
],
"pattern-sources": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-render-inline",
"languages": [
"ruby"
],
"message": "'render inline: ...' renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider using a partial or another safe rendering method.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_inline.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "render inline: ...",
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "text:",
"replacement": "plain:"
},
"id": "vendored-rules.ruby.rails.security.audit.xss.avoid-render-text",
"languages": [
"ruby"
],
"message": "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_inline.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "render text: ...",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.manual-template-creation",
"languages": [
"ruby"
],
"message": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_template_injection.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"pattern": "ERB.new(...)",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.alias-for-html-safe",
"languages": [
"generic"
],
"message": "The syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027",
"https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text==="
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern": "<%== ... %>"
},
{
"pattern-not": "<%== $...A.to_json %>"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.avoid-content-tag",
"languages": [
"generic"
],
"message": "'content_tag' exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use 'html_safe' if you must render raw HTML data.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/content_tag/"
],
"source-rule-url": "https://brakemanscanner.org/docs/warning_types/content_tag/",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<%= ... %>"
},
{
"pattern": "content_tag"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.avoid-html-safe",
"languages": [
"generic"
],
"message": "'html_safe' renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===",
"https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<%= ... %>"
},
{
"pattern": "$SOMETHING.html_safe"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.avoid-raw",
"languages": [
"generic"
],
"message": "'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===",
"https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<%= ... %>"
},
{
"pattern": "raw"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.dangerous-link-to",
"languages": [
"generic"
],
"message": "Detected a template variable used in 'link_to'. This will generate dynamic data in the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: 'link_to \"Here\", \"/\"+@link'. You may also consider setting the Content Security Policy (CSP) header.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss",
"https://brakemanscanner.org/docs/warning_types/link_to_href/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_link_to.rb",
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<%= ... %>"
},
{
"pattern-not-inside": "link_to ... \"/\" + ... @$VAR"
},
{
"pattern-not-inside": "link_to ... '/' + ... @$VAR"
},
{
"pattern": "link_to ... @$VAR"
}
],
"severity": "WARNING"
},
{
"fix-regex": {
"regex": "<%=(.*?)%>",
"replacement": "\"<%=\\1%>\""
},
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.unquoted-attribute",
"languages": [
"generic"
],
"message": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"<%= expr %>\".",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes",
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<$TAG ...>"
},
{
"pattern-not-inside": "=\"...\""
},
{
"pattern-not-inside": "=\"<%= ... %>\""
},
{
"pattern-not-inside": "='...'"
},
{
"pattern-not-inside": "='<%= ... %>'"
},
{
"pattern": "<%= ... %>"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.var-in-href",
"languages": [
"generic"
],
"message": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI",
"https://github.com/pugjs/pug/issues/2952"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"pattern-either": [
{
"pattern": "<a ... href = \"<%= ... %>\" ... >"
},
{
"pattern": "<a ... href = '<%= ... %>' ... >"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xss.templates.var-in-script-tag",
"languages": [
"generic"
],
"message": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/",
"https://www.youtube.com/watch?v=yYTkLUEdIyE",
"https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough"
],
"subcategory": [
"audit"
],
"technology": [
"rails"
]
},
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern-inside": "<script ...> ... </script>"
},
{
"pattern-not": "<%= j ... >"
},
{
"pattern-not": "<%= escape_javascript ... >"
},
{
"pattern": "<%= ... >"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xxe.libxml-backend",
"languages": [
"ruby"
],
"message": "This application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/",
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"rails",
"libxml"
]
},
"pattern": "ActiveSupport::XmlMini.backend = \"LibXML\"",
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.audit.xxe.xml-external-entities-enabled",
"languages": [
"ruby"
],
"message": "This application is explicitly enabling external entities enabling an attacker to inject malicious XML to exploit an XML External Entities (XXE) vulnerability. This could let the attacker cause a denial-of-service by forcing the parser to parse large files, or at worst, let the attacker download sensitive files or user data. Use the built-in Rails XML parser, REXML, instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/",
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"audit"
],
"technology": [
"rails",
"libxml"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "LibXML::XML.class_eval do\n ...\nend\n"
},
{
"pattern-inside": "XML.class_eval do\n ...\nend\n"
}
]
},
{
"pattern": "XML.default_substitute_entities = true"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-before-filter",
"languages": [
"ruby"
],
"message": "Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-284: Improper Access Control"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_skip_before_filter.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "search",
"patterns": [
{
"pattern-either": [
{
"pattern": "skip_filter ..., :except => $ARGS\n"
},
{
"pattern": "skip_before_filter ..., :except => $ARGS\n"
},
{
"pattern": "skip_before_action ..., :except => $ARGS\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-cookie-store-session-security-attributes",
"languages": [
"ruby"
],
"message": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb",
"subcategory": [
"audit"
],
"technology": [
"ruby",
"rails"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": ":$KEY => false\n"
},
{
"pattern-inside": "ActionController::Base.session = {...}\n"
}
]
},
{
"pattern": "$MODULE::Application.config.session_store :cookie_store, ..., :$KEY => false, ...\n"
},
{
"pattern": "$CLASS.application.config.session_store :cookie_store, ..., $KEY: false, ...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$KEY",
"regex": "^(session_)?(http_?only|secure)$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-dynamic-render-local-file-include",
"languages": [
"generic"
],
"message": "Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion",
"https://github.com/presidentbeef/brakeman/blob/f74cb53ead47f0af821d98b5b41e16d63100c240/test/apps/rails2/app/views/home/test_render.html.erb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "search",
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern": "params[...]\n"
},
{
"pattern-inside": "render :file => ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-http-verb-confusion",
"languages": [
"ruby"
],
"message": "Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-650: Trusting HTTP Permission Methods on the Server Side"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_verb_confusion.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "search",
"patterns": [
{
"pattern": "if request.get?\n ...\nelse\n ...\nend\n"
},
{
"pattern-not-inside": "if ...\nelsif ...\n ...\nend\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-permit-attributes-high",
"languages": [
"ruby"
],
"message": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb",
"subcategory": [
"audit"
],
"technology": [
"ruby",
"rails"
]
},
"patterns": [
{
"pattern": "$P.permit($ATTRIBUTE)"
},
{
"metavariable-regex": {
"metavariable": "$ATTRIBUTE",
"regex": ".*(admin|account_id).*"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-permit-attributes-medium",
"languages": [
"ruby"
],
"message": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb",
"subcategory": [
"audit"
],
"technology": [
"ruby",
"rails"
]
},
"patterns": [
{
"pattern": "$P.permit($ATTRIBUTE)"
},
{
"metavariable-regex": {
"metavariable": "$ATTRIBUTE",
"regex": ".*(role|banned).*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-rails-secret-yaml",
"languages": [
"yaml"
],
"message": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-540: Inclusion of Sensitive Information in Source Code"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb",
"subcategory": [
"audit"
],
"technology": [
"ruby",
"rails"
]
},
"paths": {
"include": [
"*secrets.*.yml",
"*secrets.*.yaml"
]
},
"patterns": [
{
"pattern": "secret_key_base: $VALUE\n"
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$VALUE",
"patterns": [
{
"pattern-not": "<%= ... %>\n"
}
]
}
},
{
"pattern-inside": "production:\n ...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-rails-session-secret-handling",
"languages": [
"ruby"
],
"message": "Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-540: Inclusion of Sensitive Information in Source Code"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes",
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb",
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": ":$KEY => \"$LITERAL\"\n"
},
{
"pattern-inside": "ActionController::Base.session = {...}\n"
}
]
},
{
"pattern": "$RAILS::Application.config.$KEY = \"$LITERAL\"\n"
},
{
"pattern": "Rails.application.config.$KEY = \"$LITERAL\"\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$KEY",
"regex": "^secret(_(token|key_base))?$"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-redirect-to",
"languages": [
"ruby"
],
"message": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_redirect.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$F(...)\n"
},
{
"metavariable-pattern": {
"metavariable": "$F",
"patterns": [
{
"pattern-not-regex": "(params|url_for|cookies|request.env|permit|redirect_to)"
}
]
}
}
]
},
{
"pattern": "params.merge! :only_path => true\n...\n"
},
{
"pattern": "params.slice(...)\n...\n"
},
{
"pattern": "redirect_to [...]\n"
},
{
"patterns": [
{
"pattern": "$MODEL. ... .$M(...)\n...\n"
},
{
"metavariable-regex": {
"metavariable": "$MODEL",
"regex": "[A-Z]\\w+"
}
},
{
"metavariable-regex": {
"metavariable": "$M",
"regex": "(all|create|find|find_by|find_by_sql|first|last|new|from|group|having|joins|lock|order|reorder|select|where|take)"
}
}
]
},
{
"patterns": [
{
"pattern": "params.$UNSAFE_HASH.merge(...,:only_path => true,...)\n...\n"
},
{
"metavariable-regex": {
"metavariable": "$UNSAFE_HASH",
"regex": "to_unsafe_h(ash)?"
}
}
]
},
{
"patterns": [
{
"pattern": "params.permit(...,$X,...)"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-not-regex": "(host|port|(sub)?domain)"
}
]
}
}
]
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-inside": "redirect_to $X, ...\n"
},
{
"pattern-not-regex": "params\\.\\w+(?<!permit)\\(.*?\\)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "cookies"
},
{
"pattern": "request.env"
},
{
"pattern": "url_for(params[...],...,:only_path => false,...)"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-regex-dos",
"languages": [
"ruby"
],
"message": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A03:2017 - Sensitive Data Exposure"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$Y"
},
{
"pattern-inside": "/...#{...}.../\n"
}
]
},
{
"patterns": [
{
"pattern": "$Y"
},
{
"pattern-inside": "Regexp.new(...)\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
},
{
"patterns": [
{
"pattern": "$Y"
},
{
"pattern-either": [
{
"pattern-inside": "$RECORD.read_attribute($Y)\n"
},
{
"pattern-inside": "$RECORD[$Y]\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$RECORD",
"regex": "[A-Z][a-z]+"
}
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-render-local-file-include",
"languages": [
"ruby"
],
"message": "Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion",
"https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
],
"vulnerability_class": [
"Path Traversal"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern": "$MAP[...]"
},
{
"metavariable-pattern": {
"metavariable": "$MAP",
"patterns": [
{
"pattern-not-regex": "params"
}
]
}
}
]
},
{
"pattern": "File.basename(...)"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "render ..., file: $X\n"
},
{
"pattern": "render ..., inline: $X\n"
},
{
"pattern": "render ..., template: $X\n"
},
{
"pattern": "render ..., action: $X\n"
},
{
"pattern": "render $X, ...\n"
}
]
},
{
"focus-metavariable": "$X"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "params[...]"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-reverse-tabnabbing",
"languages": [
"generic"
],
"message": "Setting an anchor target of `_blank` without the `noopener` or `noreferrer` attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-1022: Use of Web Link to Untrusted Target with window.opener Access"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility",
"https://github.com/presidentbeef/brakeman/blob/3f5d5d5/test/apps/rails5/app/views/users/show.html.erb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_reverse_tabnabbing.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "search",
"paths": {
"include": [
"*.erb"
]
},
"patterns": [
{
"pattern": "_blank\n"
},
{
"pattern-inside": "target: ...\n"
},
{
"pattern-not-inside": "<%= ... rel: 'noopener noreferrer' ...%>\n"
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "<%= $...INLINERUBYDO do -%>\n...\n<% end %>\n"
},
{
"metavariable-pattern": {
"language": "ruby",
"metavariable": "$...INLINERUBYDO",
"patterns": [
{
"pattern": "link_to ...\n"
},
{
"pattern-not": "link_to \"...\", \"...\", ...\n"
}
]
}
}
]
},
{
"patterns": [
{
"pattern-not-inside": "<%= ... do - %>\n"
},
{
"pattern-inside": "<%= $...INLINERUBY %>\n"
},
{
"metavariable-pattern": {
"language": "ruby",
"metavariable": "$...INLINERUBY",
"patterns": [
{
"pattern": "link_to ...\n"
},
{
"pattern-not": "link_to '...', '...', ...\n"
},
{
"pattern-not": "link_to '...', target: ...\n"
}
]
}
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-secrets",
"languages": [
"ruby"
],
"message": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html",
"https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_secrets.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"patterns": [
{
"pattern": "$VAR = \"$VALUE\""
},
{
"metavariable-regex": {
"metavariable": "$VAR",
"regex": "(?i)password|secret|(rest_auth_site|api)_key$"
}
},
{
"metavariable-regex": {
"metavariable": "$VALUE",
"regex": ".+"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-send-file",
"languages": [
"ruby"
],
"message": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-73: External Control of File Name or Path"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal",
"https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send_file.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "send_file ...\n"
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-sql",
"languages": [
"ruby"
],
"message": "Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection",
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_sql.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-either": [
{
"pattern-inside": ":$KEY => $X\n"
},
{
"pattern-inside": "[\"...\",$X,...]\n"
}
]
}
]
},
{
"pattern": "params[...].to_i\n"
},
{
"pattern": "params[...].to_f\n"
},
{
"patterns": [
{
"pattern": "params[...] ? $A : $B\n"
},
{
"metavariable-pattern": {
"metavariable": "$A",
"patterns": [
{
"pattern-not": "params[...]\n"
}
]
}
},
{
"metavariable-pattern": {
"metavariable": "$B",
"patterns": [
{
"pattern-not": "params[...]\n"
}
]
}
}
]
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-not-inside": "$P.where(\"...\",...)\n"
},
{
"pattern-not-inside": "$P.where(:$KEY => $VAL,...)\n"
},
{
"pattern-either": [
{
"pattern-inside": "$P.$M(...)\n"
},
{
"pattern-inside": "$P.$M(\"...\",...)\n"
}
]
},
{
"pattern-inside": "class $P < ActiveRecord::Base\n ...\nend\n"
},
{
"metavariable-regex": {
"metavariable": "$M",
"regex": "(where|find|first|last|select|minimum|maximum|calculate|sum|average)"
}
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-unsafe-reflection-methods",
"languages": [
"ruby"
],
"message": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection_methods.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-either": [
{
"pattern-inside": "$X. ... .to_proc\n"
},
{
"patterns": [
{
"pattern-inside": "$Y.method($Z)\n"
},
{
"focus-metavariable": "$Z"
}
]
},
{
"patterns": [
{
"pattern-inside": "$Y.tap($Z)\n"
},
{
"focus-metavariable": "$Z"
}
]
},
{
"patterns": [
{
"pattern-inside": "$Y.tap{ |$ANY| $Z }\n"
},
{
"focus-metavariable": "$Z"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-unsafe-reflection",
"languages": [
"ruby"
],
"message": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$X"
},
{
"pattern-either": [
{
"pattern-inside": "$X.constantize\n"
},
{
"pattern-inside": "$X. ... .safe_constantize\n"
},
{
"pattern-inside": "const_get(...)\n"
},
{
"pattern-inside": "qualified_const_get(...)\n"
}
]
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-unscoped-find",
"languages": [
"ruby"
],
"message": "Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-639: Authorization Bypass Through User-Controlled Key"
],
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/unscoped_find/",
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unscoped_find.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$MODEL.find(...)"
},
{
"pattern": "$MODEL.find_by_id(...)"
},
{
"pattern": "$MODEL.find_by_id!(...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$MODEL",
"regex": "[A-Z]\\S+"
}
}
]
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern": "cookies[...]\n"
},
{
"patterns": [
{
"pattern": "cookies. ... .$PROPERTY[...]\n"
},
{
"metavariable-regex": {
"metavariable": "$PROPERTY",
"regex": "(?!signed|encrypted)"
}
}
]
},
{
"pattern": "params[...]\n"
},
{
"pattern": "request.env[...]\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.brakeman.check-validation-regex",
"languages": [
"ruby"
],
"message": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-185: Incorrect Regular Expression"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://brakemanscanner.org/docs/warning_types/format_validation/",
"https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb",
"https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb"
],
"source-rule-url": "https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_validation_regex.rb",
"subcategory": [
"vuln"
],
"technology": [
"ruby",
"rails"
]
},
"mode": "search",
"patterns": [
{
"pattern-either": [
{
"pattern": "validates ..., :format => <... $V ...>,...\n"
},
{
"pattern": "validates_format_of ..., :with => <... $V ...>,...\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$V",
"regex": "/(.{2}(?<!\\\\A)[^\\/]+|[^\\/]+(?<!\\\\[Zz]))\\/"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.injection.raw-html-format",
"languages": [
"ruby"
],
"message": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/",
"https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "sanitize(...)"
},
{
"pattern": "strip_tags(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$HTMLSTR\n"
},
{
"pattern-regex": "<\\w+.*"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Kernel::sprintf(\"$HTMLSTR\", ...)"
},
{
"pattern": "\"$HTMLSTR\" + $EXPR\n"
},
{
"pattern": "\"$HTMLSTR\" % $EXPR\n"
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$HTMLSTR",
"pattern": "<$TAG ..."
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "request"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.ruby.rails.security.injection.tainted-sql-string",
"languages": [
"ruby"
],
"message": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "$PARAMS.slice(...)\n"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$RECORD.where($X,...)\n"
}
]
},
{
"pattern": "$RECORD.find(..., :conditions => $X,...)\n"
}
]
},
{
"focus-metavariable": "$X"
}
]
},
{
"patterns": [
{
"pattern": "\"$SQLVERB#{$EXPR}...\"\n"
},
{
"pattern-not-inside": "$FUNC(\"...\", \"...#{$EXPR}...\",...)\n"
},
{
"focus-metavariable": "$SQLVERB"
},
{
"pattern-regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Kernel::sprintf(\"$SQLSTR\", $EXPR)"
},
{
"pattern": "\"$SQLSTR\" + $EXPR\n"
},
{
"pattern": "\"$SQLSTR\" % $EXPR\n"
}
]
},
{
"pattern-not-inside": "$FUNC(\"...\", \"...#{$EXPR}...\",...)\n"
},
{
"focus-metavariable": "$EXPR"
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "request"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.ruby.rails.security.injection.tainted-url-host",
"languages": [
"ruby"
],
"message": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://github.com/arkadiyt/ssrf_filter"
],
"subcategory": [
"vuln"
],
"technology": [
"rails"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern": "SsrfFilter"
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$URLSTR\n"
},
{
"pattern-regex": "\\w+:\\/\\/#{.*}"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Kernel::sprintf(\"$URLSTR\", ...)"
},
{
"pattern": "\"$URLSTR\" + $EXPR\n"
},
{
"pattern": "\"$URLSTR\" % $EXPR\n"
}
]
},
{
"metavariable-pattern": {
"language": "generic",
"metavariable": "$URLSTR",
"pattern": "$SCHEME:// ..."
}
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "params"
},
{
"pattern": "request"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.rust.lang.security.args-os",
"languages": [
"rust"
],
"message": "args_os should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://doc.rust-lang.org/stable/std/env/fn.args_os.html"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern": "std::env::args_os()",
"severity": "INFO"
},
{
"id": "vendored-rules.rust.lang.security.args",
"languages": [
"rust"
],
"message": "args should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://doc.rust-lang.org/stable/std/env/fn.args.html"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern": "std::env::args()",
"severity": "INFO"
},
{
"id": "vendored-rules.rust.lang.security.current-exe",
"languages": [
"rust"
],
"message": "current_exe should not be used for security operations. From the docs: \"The output of this function should not be trusted for anything that might have security implications. Basically, if users can run the executable, they can change the output arbitrarily.\"",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://doc.rust-lang.org/stable/std/env/fn.current_exe.html#security"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern": "std::env::current_exe()",
"severity": "INFO"
},
{
"id": "vendored-rules.rust.lang.security.insecure-hashes",
"languages": [
"rust"
],
"message": "Detected cryptographically insecure hashing function",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-328: Use of Weak Hash",
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://github.com/RustCrypto/hashes",
"https://docs.rs/md2/latest/md2/",
"https://docs.rs/md4/latest/md4/",
"https://docs.rs/md5/latest/md5/",
"https://docs.rs/sha-1/latest/sha1/"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern-either": [
{
"pattern": "md2::Md2::new(...)"
},
{
"pattern": "md4::Md4::new(...)"
},
{
"pattern": "md5::Md5::new(...)"
},
{
"pattern": "sha1::Sha1::new(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.rust.lang.security.reqwest-accept-invalid",
"languages": [
"rust"
],
"message": "Dangerously accepting invalid TLS information",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-295: Improper Certificate Validation",
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames",
"https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs"
],
"subcategory": "vuln",
"technology": [
"reqwest"
]
},
"pattern-either": [
{
"pattern": "reqwest::Client::builder(). ... .danger_accept_invalid_hostnames(true)"
},
{
"pattern": "reqwest::Client::builder(). ... .danger_accept_invalid_certs(true)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.rust.lang.security.reqwest-set-sensitive",
"languages": [
"rust"
],
"message": "Set sensitive flag on security headers with 'set_sensitive' to treat data with special care",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-921: Storage of Sensitive Data in a Mechanism without Access Control",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://docs.rs/reqwest/latest/reqwest/header/struct.HeaderValue.html#method.set_sensitive"
],
"subcategory": "audit",
"technology": [
"reqwest"
]
},
"patterns": [
{
"pattern": "let mut $HEADERS = header::HeaderMap::new();\n...\nlet $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>;\n...\n$HEADERS.insert($HEADER, $HEADER_VALUE);\n"
},
{
"pattern-not": "let mut $HEADERS = header::HeaderMap::new();\n...\nlet $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>;\n...\n$HEADER_VALUE.set_sensitive(true);\n...\n$HEADERS.insert($HEADER, $HEADER_VALUE);\n"
},
{
"metavariable-pattern": {
"metavariable": "$FROM_FUNC",
"pattern-either": [
{
"pattern": "from_static"
},
{
"pattern": "from_str"
},
{
"pattern": "from_name"
},
{
"pattern": "from_bytes"
},
{
"pattern": "from_maybe_shared"
}
]
}
},
{
"metavariable-pattern": {
"metavariable": "$HEADER",
"pattern-either": [
{
"pattern": "header::AUTHORIZATION"
},
{
"pattern": "\"Authorization\""
}
]
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.rust.lang.security.rustls-dangerous",
"languages": [
"rust"
],
"message": "Dangerous client config used, ensure SSL verification",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-295: Improper Certificate Validation",
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html",
"https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous"
],
"subcategory": "vuln",
"technology": [
"rustls"
]
},
"pattern-either": [
{
"pattern": "rustls::client::DangerousClientConfig"
},
{
"pattern": "$CLIENT.dangerous().set_certificate_verifier(...)"
},
{
"pattern": "let $CLIENT = rustls::client::ClientConfig::dangerous(...);\n...\n$CLIENT.set_certificate_verifier(...);\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.rust.lang.security.ssl-verify-none",
"languages": [
"rust"
],
"message": "SSL verification disabled, this allows for MitM attacks",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-295: Improper Certificate Validation",
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify"
],
"subcategory": "vuln",
"technology": [
"openssl"
]
},
"pattern": "$BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE)",
"severity": "WARNING"
},
{
"id": "vendored-rules.rust.lang.security.temp-dir",
"languages": [
"rust"
],
"message": "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in \u201cinsecure temporary file\u201d security vulnerabilities.'",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern": "std::env::temp_dir()",
"severity": "INFO"
},
{
"id": "vendored-rules.rust.lang.security.unsafe-usage",
"languages": [
"rust"
],
"message": "Detected 'unsafe' usage, please audit for secure usage",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-242: Use of Inherently Dangerous Function",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://doc.rust-lang.org/std/keyword.unsafe.html"
],
"subcategory": "audit",
"technology": [
"rust"
]
},
"pattern": "unsafe { ... }",
"severity": "INFO"
},
{
"id": "vendored-rules.scala.jwt-scala.security.jwt-scala-hardcode",
"languages": [
"scala"
],
"message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://jwt-scala.github.io/jwt-scala/"
],
"subcategory": [
"vuln"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-inside": "import pdi.jwt.$DEPS\n...\n"
},
{
"pattern-either": [
{
"pattern": "$JWT.encode($X, \"...\", ...)"
},
{
"pattern": "$JWT.decode($X, \"...\", ...)"
},
{
"pattern": "$JWT.decodeRawAll($X, \"...\", ...)"
},
{
"pattern": "$JWT.decodeRaw($X, \"...\", ...)"
},
{
"pattern": "$JWT.decodeAll($X, \"...\", ...)"
},
{
"pattern": "$JWT.validate($X, \"...\", ...)"
},
{
"pattern": "$JWT.isValid($X, \"...\", ...)"
},
{
"pattern": "$JWT.decodeJson($X, \"...\", ...)"
},
{
"pattern": "$JWT.decodeJsonAll($X, \"...\", ...)"
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$JWT.encode($X, $KEY, ...)"
},
{
"pattern": "$JWT.decode($X, $KEY, ...)"
},
{
"pattern": "$JWT.decodeRawAll($X, $KEY, ...)"
},
{
"pattern": "$JWT.decodeRaw($X, $KEY, ...)"
},
{
"pattern": "$JWT.decodeAll($X, $KEY, ...)"
},
{
"pattern": "$JWT.validate($X, $KEY, ...)"
},
{
"pattern": "$JWT.isValid($X, $KEY, ...)"
},
{
"pattern": "$JWT.decodeJson($X, $KEY, ...)"
},
{
"pattern": "$JWT.decodeJsonAll($X, $KEY, ...)"
},
{
"pattern": "$JWT.encode($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decode($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decodeRawAll($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decodeRaw($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decodeAll($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.validate($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.isValid($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decodeJson($X, this.$KEY, ...)"
},
{
"pattern": "$JWT.decodeJsonAll($X, this.$KEY, ...)"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "class $CL {\n ...\n $KEY = \"...\"\n ...\n}\n"
},
{
"pattern-inside": "object $CL {\n ...\n $KEY = \"...\"\n ...\n}\n"
}
]
}
]
}
]
},
{
"metavariable-pattern": {
"metavariable": "$JWT",
"patterns": [
{
"pattern-either": [
{
"pattern": "Jwt"
},
{
"pattern": "JwtArgonaut"
},
{
"pattern": "JwtCirce"
},
{
"pattern": "JwtJson4s"
},
{
"pattern": "JwtJson"
},
{
"pattern": "JwtUpickle"
}
]
}
]
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.dangerous-seq-run",
"languages": [
"scala"
],
"message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern": "Seq($CMD, ...)"
},
{
"pattern-not": "Seq(\"...\", ...)"
},
{
"pattern-inside": "import sys.process\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "Seq(...).!"
},
{
"pattern-inside": "Seq(...).!!"
},
{
"pattern-inside": "Seq(...).lazyLines"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.lang.security.audit.dangerous-shell-run",
"languages": [
"scala"
],
"message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern": "Seq($SH, \"-c\", $CMD, ...)"
},
{
"pattern-not": "Seq($SH, \"-c\", \"...\", ...)"
},
{
"pattern-inside": "import sys.process\n...\n"
},
{
"pattern-not-inside": "$CMD = \"...\"\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "Seq(...).!"
},
{
"pattern-inside": "Seq(...).!!"
},
{
"pattern-inside": "Seq(...).lazyLines"
}
]
},
{
"metavariable-regex": {
"metavariable": "$SH",
"regex": "\"(sh|bash|ksh|csh|tcsh|zsh)\""
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.lang.security.audit.dispatch-ssrf",
"languages": [
"scala"
],
"message": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://dispatchhttp.org/Dispatch.html"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"dispatch"
]
},
"patterns": [
{
"pattern": "url($URL)"
},
{
"pattern-inside": "import dispatch._\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.documentbuilder-dtd-enabled",
"languages": [
"scala"
],
"message": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
"subcategory": [
"vuln"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$DF = DocumentBuilderFactory.newInstance(...)\n...\n$DB = $DF.newDocumentBuilder(...)\n"
},
{
"patterns": [
{
"pattern": "$DB = DocumentBuilderFactory.newInstance(...)"
},
{
"pattern-not-inside": "...\n$X = $DB.newDocumentBuilder(...)\n"
}
]
},
{
"pattern": "$DB = DocumentBuilderFactory.newInstance(...).newDocumentBuilder(...)"
}
]
},
{
"pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$DB.setXIncludeAware(true)\n...\n$DB.setNamespaceAware(true)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$DB.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$DB.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.insecure-random",
"languages": [
"scala"
],
"message": "Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-330: Use of Insufficiently Random Values"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"resources": [
"https://find-sec-bugs.github.io/bugs.htm"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"cryptography"
]
},
"patterns": [
{
"pattern": "import scala.util.Random\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.io-source-ssrf",
"languages": [
"scala"
],
"message": "A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource"
],
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "Source.fromURL($URL,...)"
},
{
"pattern": "Source.fromURI($URL,...)"
}
]
},
{
"pattern-inside": "import scala.io.$SOURCE\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.path-traversal-fromfile",
"languages": [
"scala"
],
"message": "Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"resources": [
"https://find-sec-bugs.github.io/bugs.htm"
],
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$FILENAME = \"...\" + $VAR\n...\n"
},
{
"pattern-inside": "$FILENAME = $VAR + \"...\"\n...\n"
},
{
"pattern-inside": "$FILENAME = $STR.concat($VAR)\n...\n"
},
{
"pattern-inside": "$FILENAME = \"...\".format(..., $VAR, ...)\n...\n"
}
]
},
{
"pattern": "Source.fromFile($FILENAME, ...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "Source.fromFile(\"...\" + $VAR, ...)"
},
{
"pattern": "Source.fromFile($VAR + \"...\", ...)"
},
{
"pattern": "Source.fromFile($STR.concat($VAR), ...)"
},
{
"pattern": "Source.fromFile(\"...\".format(..., $VAR, ...), ...)"
}
]
}
]
}
]
},
{
"pattern-inside": "def $FUNC(..., $VAR: $TYPE, ...) = Action {\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.rsa-padding-set",
"languages": [
"scala"
],
"message": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-780: Use of RSA Algorithm without OAEP"
],
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
],
"resources": [
"https://blog.codacy.com/9-scala-security-issues/"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"cryptography"
]
},
"patterns": [
{
"pattern": "$VAR = $CIPHER.getInstance($MODE)\n"
},
{
"metavariable-regex": {
"metavariable": "$MODE",
"regex": ".*RSA/.*/NoPadding.*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.sax-dtd-enabled",
"languages": [
"scala"
],
"message": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$SR = new SAXReader(...)"
},
{
"pattern": "$SF = SAXParserFactory.newInstance(...)\n...\n$SR = $SF.newSAXParser(...)\n"
},
{
"patterns": [
{
"pattern": "$SR = SAXParserFactory.newInstance(...)"
},
{
"pattern-not-inside": "...\n$X = $SR.newSAXParser(...)\n"
}
]
},
{
"pattern": "$SR = SAXParserFactory.newInstance(...).newSAXParser(...)"
},
{
"pattern": "$SR = new SAXBuilder(...)"
}
]
},
{
"pattern-not-inside": "...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n"
},
{
"pattern-not-inside": "...\n$SR.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)\n...\n$SR.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)\n...\n$SR.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true)\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.scala-dangerous-process-run",
"languages": [
"scala"
],
"message": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X.!"
},
{
"pattern": "$X.!!"
},
{
"pattern": "$X.lazyLines"
}
]
},
{
"pattern-inside": "import sys.process\n...\n"
},
{
"pattern-not": "\"...\".!\n"
},
{
"pattern-not": "\"...\".!!\n"
},
{
"pattern-not": "\"...\".lazyLines\n"
},
{
"pattern-not": "Seq(...).!\n"
},
{
"pattern-not": "Seq(...).!!\n"
},
{
"pattern-not": "Seq(...).lazyLines\n"
},
{
"pattern-not-inside": "val $X = \"...\"\n...\n"
},
{
"pattern-not-inside": "val $X = Seq(...)\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.lang.security.audit.scalac-debug",
"languages": [
"generic"
],
"message": "Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-489: Active Debug Code"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": "A05:2021 - Security Misconfiguration",
"references": [
"https://docs.scala-lang.org/overviews/compiler-options/index.html"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"sbt"
]
},
"paths": {
"include": [
"*.sbt*"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "scalacOptions ... \"-Vdebug\""
},
{
"pattern": "scalacOptions ... \"-Ydebug\""
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.scalaj-http-ssrf",
"languages": [
"scala"
],
"message": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://github.com/scalaj/scalaj-http#simplified-http"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"scalaj-http"
]
},
"patterns": [
{
"pattern": "Http($URL)"
},
{
"pattern-inside": "import scalaj.http.$HTTP\n...\n"
},
{
"pattern-either": [
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.scalajs-eval",
"languages": [
"scala"
],
"message": "`eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it\u2019s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')"
],
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2021 - Injection"
],
"references": [
"https://www.scala-js.org/doc/"
],
"subcategory": [
"vuln"
],
"technology": [
"scala",
"scala-js"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern": "$JS.eval(...)"
},
{
"pattern-inside": "import scala.scalajs.$X\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$PARAM"
},
{
"pattern-either": [
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {\n ...\n}\n"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.lang.security.audit.tainted-sql-string",
"languages": [
"scala"
],
"message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"
],
"subcategory": [
"vuln"
],
"technology": [
"scala"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$LOGGER.$METHOD(...)"
},
{
"pattern": "$LOGGER(...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$LOGGER",
"regex": "(i?)log.*"
}
}
]
},
{
"patterns": [
{
"pattern": "$LOGGER.$METHOD(...)"
},
{
"metavariable-regex": {
"metavariable": "$METHOD",
"regex": "(i?)(trace|info|warn|warning|warnToError|error|debug)"
}
}
]
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\".format(...)\n"
},
{
"patterns": [
{
"pattern-inside": "$SB = new StringBuilder(\"$SQLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$SQLSTR\"\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "s\"...\""
},
{
"pattern": "f\"...\""
}
]
},
{
"pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n"
}
]
}
]
},
{
"pattern-not-inside": "println(...)"
},
{
"pattern-not-inside": "throw new $EXCEPTION(...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern": "$PARAM"
},
{
"pattern-either": [
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {\n ...\n}\n"
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.lang.security.audit.xmlinputfactory-dtd-enabled",
"languages": [
"scala"
],
"message": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-611: Improper Restriction of XML External Entity Reference"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A04:2017 - XML External Entities (XXE)",
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://owasp.org/Top10/A05_2021-Security_Misconfiguration"
],
"source-rule-url": "https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
"subcategory": [
"audit"
],
"technology": [
"scala"
]
},
"patterns": [
{
"pattern-not-inside": "...\n$XMLFACTORY.setProperty(\"javax.xml.stream.isSupportingExternalEntities\", false)\n"
},
{
"pattern-either": [
{
"pattern": "$XMLFACTORY = XMLInputFactory.newFactory(...)"
},
{
"pattern": "$XMLFACTORY = XMLInputFactory.newInstance(...)"
},
{
"pattern": "$XMLFACTORY = new XMLInputFactory(...)"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.play.security.conf-csrf-headers-bypass",
"languages": [
"generic"
],
"message": "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they\u2019re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-352: Cross-Site Request Forgery (CSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes",
"https://owasp.org/www-community/attacks/csrf"
],
"subcategory": [
"vuln"
],
"technology": [
"scala",
"play"
]
},
"paths": {
"include": [
"*.conf"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "X-Requested-With = \"*\""
},
{
"pattern": "Csrf-Token = \"...\""
}
]
},
{
"pattern-inside": "bypassHeaders {...\n...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"application/x-www-form-urlencoded\"...\"multipart/form-data\"...\"text/plain\"...]\n ...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"application/x-www-form-urlencoded\"...\"text/plain\"...\"multipart/form-data\"...]\n ...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"multipart/form-data\"...\"application/x-www-form-urlencoded\"...\"text/plain\"...]\n ...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"multipart/form-data\"...\"text/plain\"...\"application/x-www-form-urlencoded\"...]\n ...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"text/plain\"...\"application/x-www-form-urlencoded\"...\"multipart/form-data\"...]\n ...\n...}\n"
},
{
"pattern-not-inside": "{...\n ...\n ...blackList = [...\"text/plain\"...\"multipart/form-data\"...\"application/x-www-form-urlencoded\"...]\n ...\n...}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.play.security.conf-insecure-cookie-settings",
"languages": [
"generic"
],
"message": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A05:2021 - Security Misconfiguration"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security",
"https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration"
],
"subcategory": [
"vuln"
],
"technology": [
"play",
"scala"
]
},
"paths": {
"include": [
"*.conf"
]
},
"patterns": [
{
"pattern": "secure = false"
},
{
"pattern-inside": "session = {\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.play.security.tainted-html-response",
"languages": [
"scala"
],
"message": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"vuln"
],
"technology": [
"scala",
"play"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"pattern-either": [
{
"pattern": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(...)"
},
{
"pattern": "org.owasp.encoder.Encode.forHtml(...)"
}
]
}
],
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "Html.apply(...)"
},
{
"pattern": "Ok(...).as(HTML)"
},
{
"pattern": "Ok(...).as(ContentTypes.HTML)"
},
{
"patterns": [
{
"pattern": "Ok(...).as($CTYPE)"
},
{
"metavariable-regex": {
"metavariable": "$CTYPE",
"regex": "\"[tT][eE][xX][tT]/[hH][tT][mM][lL]\""
}
}
]
},
{
"patterns": [
{
"pattern": "Ok(...).as($CTYPE)"
},
{
"pattern-not": "Ok(...).as(\"...\")"
},
{
"pattern-either": [
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n"
}
]
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$REQ"
},
{
"pattern-either": [
{
"pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$PARAM"
},
{
"pattern-either": [
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n"
}
]
}
]
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.play.security.tainted-slick-sqli",
"languages": [
"scala"
],
"message": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values",
"https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code"
],
"subcategory": [
"vuln"
],
"technology": [
"scala",
"slick",
"play"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$MODEL.overrideSql(...)"
},
{
"pattern": "sql\"...\""
}
]
},
{
"pattern-inside": "import slick.$DEPS\n...\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$REQ"
},
{
"pattern-either": [
{
"pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$PARAM"
},
{
"pattern-either": [
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n"
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.play.security.tainted-sql-from-http-request",
"languages": [
"scala"
],
"message": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "HIGH",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"
],
"subcategory": [
"vuln"
],
"technology": [
"scala",
"play"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "\"$SQLSTR\" + ...\n"
},
{
"pattern": "\"$SQLSTR\".format(...)\n"
},
{
"patterns": [
{
"pattern-inside": "$SB = new StringBuilder(\"$SQLSTR\");\n...\n"
},
{
"pattern": "$SB.append(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VAR = \"$SQLSTR\"\n...\n"
},
{
"pattern": "$VAR += ..."
}
]
}
]
},
{
"metavariable-regex": {
"metavariable": "$SQLSTR",
"regex": "(?i)(select|delete|insert|create|update|alter|drop)\\b"
}
}
]
},
{
"patterns": [
{
"pattern": "s\"...\""
},
{
"pattern-regex": ".*\\b(?i)(select|delete|insert|create|update|alter|drop)\\b.*\n"
}
]
}
]
},
{
"pattern-not-inside": "println(...)"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern": "$REQ"
},
{
"pattern-either": [
{
"pattern-inside": "Action {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async {\n $REQ: Request[$T] => \n ...\n}\n"
},
{
"pattern-inside": "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n"
}
]
}
]
},
{
"patterns": [
{
"pattern": "$PARAM"
},
{
"pattern-either": [
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {\n ...\n}\n"
},
{
"pattern-inside": "def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) {\n ...\n}\n"
}
]
}
]
}
]
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.play.security.twirl-html-var",
"languages": [
"generic"
],
"message": "Raw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using `Html()` or consider properly sanitizing input data.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.playframework.com/documentation/2.8.x/ScalaTemplates#Escaping"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"play",
"twirl"
]
},
"paths": {
"include": [
"*.html"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "@Html($VAL)\n"
},
{
"pattern": "@Html(...$VAL + ...)\n"
},
{
"pattern": "@Html(... + $VAL...)\n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$VAL",
"regex": "\\w*"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.play.security.webservice-ssrf",
"languages": [
"scala"
],
"message": "A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-918: Server-Side Request Forgery (SSRF)"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A10:2021 - Server-Side Request Forgery (SSRF)"
],
"references": [
"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
"https://www.playframework.com/documentation/2.8.x/ScalaWS"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"play"
]
},
"patterns": [
{
"pattern": "$WS.url($URL)"
},
{
"pattern-either": [
{
"pattern-inside": "class $CLASS (..., $WS: WSClient, ...) {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $WS: WSClient, ...) = {\n ...\n}\n"
},
{
"pattern-inside": "$WS = AhcWSClient(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = $A {\n ...\n}\n"
},
{
"pattern-inside": "def $FUNC(..., $URL: $T, ...) = {\n ...\n}\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.scala.scala-jwt.security.scala-jwt-hardcoded-secret",
"languages": [
"scala"
],
"message": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": [
"CWE-522: Insufficiently Protected Credentials"
],
"cwe2021-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A02:2017 - Broken Authentication",
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"source-rule-url": "https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/",
"subcategory": [
"audit"
],
"technology": [
"jwt"
]
},
"pattern-either": [
{
"pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC256(\"...\");\n"
},
{
"pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);\n"
},
{
"pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);\n ...\n }\n ...\n}\n"
},
{
"pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC384(\"...\");\n"
},
{
"pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);\n"
},
{
"pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);\n ...\n }\n ...\n}\n"
},
{
"pattern": "com.auth0.jwt.algorithms.Algorithm.HMAC512(\"...\");\n"
},
{
"pattern": "$SECRET = \"...\";\n...\ncom.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);\n"
},
{
"pattern": "class $CLASS {\n ...\n $DECL $SECRET = \"...\";\n ...\n def $FUNC (...): $RETURNTYPE = {\n ...\n com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);\n ...\n }\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.slick.security.scala-slick-overrideSql-literal",
"languages": [
"scala"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"scala",
"slick"
]
},
"patterns": [
{
"pattern": "$MODEL.overrideSql($QUERY,...)"
},
{
"pattern-not": "$MODEL.overrideSql(\"...\",...)"
},
{
"pattern-not-inside": "$QUERY = \"...\"\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.scala.slick.security.scala-slick-sql-non-literal",
"languages": [
"scala"
],
"message": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2017 - Injection",
"A03:2021 - Injection"
],
"references": [
"https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values"
],
"source-rule-url": "https://find-sec-bugs.github.io/bugs.htm#SCALA_SQL_INJECTION_SLICK",
"subcategory": [
"audit"
],
"technology": [
"scala",
"slick"
]
},
"patterns": [
{
"pattern": "sql\"...\""
},
{
"pattern-regex": "\\#\\$"
},
{
"pattern-inside": "import slick.$DEPS\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.accessible-selfdestruct",
"languages": [
"solidity"
],
"message": "Contract can be destructed by anyone in $FUNC",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://www.parity.io/blog/a-postmortem-on-the-parity-multi-sig-library-self-destruct/"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern-either": [
{
"pattern": "selfdestruct(...);"
},
{
"pattern": "suicide(...);"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"focus-metavariable": [
"$ADDR"
]
},
{
"pattern-either": [
{
"pattern": "function $FUNC(..., address $ADDR, ...) external { ... }"
},
{
"pattern": "function $FUNC(..., address $ADDR, ...) public { ... }"
}
]
},
{
"pattern-not": "function $FUNC(...) $MODIFIER { ... }"
},
{
"pattern-not": "function $FUNC(...) $MODIFIER(...) { ... }"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n require(<... msg.sender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n assert(<... msg.sender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n require(<... _msgSender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n assert(<... _msgSender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n if (<... msg.sender ...>) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n if (<... _msgSender ...>) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n onlyOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n requireOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n _requireOwnership(...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n $C._enforceIsContractOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n $C._enforceOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function $FUNC(...) {\n ...\n $C.enforceIsContractOwner(...);\n ...\n}\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.arbitrary-low-level-call",
"languages": [
"solidity"
],
"message": "An attacker may perform call() to an arbitrary address with controlled calldata",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-20: Improper Input Validation",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/CertiKAlert/status/1512198846343954445",
"https://twitter.com/SlowMist_Team/status/1508787862791069700",
"https://twitter.com/Beosin_com/status/1509099103401127942",
"https://blocksecteam.medium.com/li-fi-attack-a-cross-chain-bridge-vulnerability-no-its-due-to-unchecked-external-call-c31e7dadf60f",
"https://etherscan.io/address/0xe7597f774fd0a15a617894dc39d45a28b97afa4f",
"https://etherscan.io/address/0x73a499e043b03fc047189ab1ba72eb595ff1fc8e"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) external { ... }\n"
},
{
"pattern-inside": "function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) public { ... }\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$ADDR.call($DATA);"
},
{
"pattern": "$ADDR.call{$VALUE:...}($DATA);"
},
{
"pattern": "$ADDR.call{$VALUE:..., $GAS:...}($DATA);"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.arbitrary-send-erc20",
"languages": [
"solidity"
],
"message": "msg.sender is not being used when calling erc20.transferFrom. Example - Alice approves this contract to spend her ERC20 tokens. Bob can call function 'a' and specify Alice's address as the from parameter in transferFrom, allowing him to transfer Alice's tokens to himself.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-285: Improper Authorization"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://github.com/crytic/slither/wiki/Detector-Documentation#arbitrary-from-in-transferfrom",
"https://cwe.mitre.org/data/definitions/285.html"
],
"subcategory": [
"audit"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$FUNC.transferFrom(...)"
},
{
"pattern-not": "$FUNC.transferFrom(..., msg.sender, ...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.balancer-readonly-reentrancy-getpooltokens",
"languages": [
"solidity"
],
"message": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376",
"https://hackmd.io/@sentimentxyz/SJCySo1z2"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n}\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$RETURN",
"pattern-regex": ".*uint256\\[].*"
}
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $RETURN = $VAULT.getPoolTokens(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $F(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n}\n"
},
{
"pattern-not": "function $F(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n}\n"
},
{
"pattern-not-inside": "contract LinearPool {\n ...\n}\n"
},
{
"pattern-not-inside": "contract ComposableStablePool {\n ...\n}\n"
},
{
"pattern-not-inside": "contract BalancerQueries {\n ...\n} \n"
},
{
"pattern-not-inside": "contract ManagedPool {\n ...\n}\n"
},
{
"pattern-not-inside": "contract BaseWeightedPool {\n ...\n} \n"
},
{
"pattern-not-inside": "contract ComposableStablePoolStorage {\n ...\n}\n"
},
{
"pattern-not-inside": "contract RecoveryModeHelper {\n ...\n}\n"
},
{
"focus-metavariable": [
"$VAULT"
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.balancer-readonly-reentrancy-getrate",
"languages": [
"solidity"
],
"message": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "function $F(...) {\n ...\n $VAR.getRate();\n ...\n}\n"
},
{
"pattern-not-inside": "function $F(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n}\n"
},
{
"pattern-not-inside": "function $F(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n}\n"
},
{
"pattern-not-inside": "function _updateTokenRateCache(...) {\n ...\n}\n"
},
{
"pattern-not-inside": "contract PoolRecoveryHelper {\n ...\n}\n"
},
{
"pattern-not-inside": "contract ComposableStablePoolRates {\n ...\n}\n"
},
{
"pattern-not-inside": "contract WeightedPoolProtocolFees {\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $VAR.getRate();\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n VaultReentrancyLib.ensureNotInVaultContext(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $VAR.getRate();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $VAR.getRate();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAULT.manageUserBalance(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $VAR.getRate();\n ...\n }\n ...\n}\n"
},
{
"focus-metavariable": "$VAR"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.basic-arithmetic-underflow",
"languages": [
"solidity"
],
"message": "Possible arithmetic underflow",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-umbnetwork-attack-event-analysis-9bae1141e58",
"https://twitter.com/danielvf/status/1497194778278174724",
"https://etherscan.io/address/0xbbc3a290c7d2755b48681c87f25f9d7f480ad42f"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"mode": "taint",
"pattern-sinks": [
{
"pattern": "$Y - $X"
}
],
"pattern-sources": [
{
"pattern-either": [
{
"pattern-inside": "function $F(..., $X, ...) external { ... }\n"
},
{
"pattern-inside": "function $F(..., $X, ...) public { ... }\n"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.solidity.security.basic-oracle-manipulation",
"languages": [
"solidity"
],
"message": "Price oracle can be manipulated via flashloan",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-682: Incorrect Calculation",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://medium.com/oneringfinance/onering-finance-exploit-post-mortem-after-oshare-hack-602a529db99b",
"https://twitter.com/peckshield/status/1506090607059431427",
"https://pwned-no-more.notion.site/The-Deus-Hack-Explained-647bf97afa2b4e4e9e8b882e68a75c0b",
"https://twitter.com/peckshield/status/1519530463337250817",
"https://ftmscan.com/address/0xc06826f52f29b34c5d8b2c61abf844cebcf78abf",
"https://ftmscan.com/address/0x5CEB2b0308a7f21CcC0915DB29fa5095bEAdb48D",
"https://ftmscan.com/address/0x8129026c585bcfa530445a6267f9389057761a00"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function $F(...) {\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern": "$X.div($Y)"
},
{
"pattern": "$X / $Y"
}
]
},
{
"metavariable-regex": {
"metavariable": "$F",
"regex": "(?i)get([a-z0-9_])*price"
}
},
{
"metavariable-pattern": {
"metavariable": "$X",
"pattern-either": [
{
"pattern": "underlying"
},
{
"pattern": "underlyingUnit"
},
{
"pattern": "pair"
},
{
"pattern": "reserve"
},
{
"pattern": "reserve0"
},
{
"pattern": "reserve1"
}
]
}
},
{
"metavariable-regex": {
"metavariable": "$Y",
"regex": ".*totalSupply.*"
}
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.solidity.security.compound-borrowfresh-reentrancy",
"languages": [
"solidity"
],
"message": "Function borrowFresh() in Compound performs state update after doTransferOut()",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://twitter.com/peckshield/status/1509431646818234369",
"https://twitter.com/blocksecteam/status/1509466576848064512",
"https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4",
"https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function borrowFresh(...) {\n ...\n}\n"
},
{
"pattern-not-inside": "accountBorrows[borrower].interestIndex = borrowIndex;\n...\n"
},
{
"pattern": "doTransferOut(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.compound-sweeptoken-not-restricted",
"languages": [
"solidity"
],
"message": "Function sweepToken is allowed to be called by anyone",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2",
"https://chainsecurity.com/security-audit/compound-ctoken/",
"https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/",
"https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function sweepToken(...) {\n...\n}\n"
},
{
"pattern-not-inside": "function sweepToken(...) $M {\n...\n}\n"
},
{
"pattern": "token.transfer(...);"
},
{
"pattern-not-inside": "require(msg.sender == admin, \"...\");\n...\n"
},
{
"pattern-not-inside": "require(_msgSender() == admin, \"...\");\n...\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.curve-readonly-reentrancy",
"languages": [
"solidity"
],
"message": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://chainsecurity.com/heartbreaks-curve-lp-oracles/",
"https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$POOL.get_virtual_price()\n"
},
{
"pattern-not-inside": "function $F(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n}\n"
},
{
"pattern-not-inside": "function $F(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $CHECKFUNC(...);\n ...\n $POOL.get_virtual_price();\n ...\n }\n ...\n}\n"
},
{
"pattern-not-inside": "contract $C {\n ...\n function $CHECKFUNC(...) {\n ...\n $VAR.withdraw_admin_fees(...);\n ...\n }\n ...\n function $F(...) {\n ...\n $POOL.get_virtual_price();\n ...\n $CHECKFUNC(...);\n ...\n }\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.delegatecall-to-arbitrary-address",
"languages": [
"solidity"
],
"message": "An attacker may perform delegatecall() to an arbitrary address.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-20: Improper Input Validation",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-delegatecall"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"pattern-not-inside": "require(<... msg.sender ...>, ...);\n...\n"
},
{
"pattern-not-inside": "require(<... _msgSender() ...>, ...);\n...\n"
},
{
"pattern-not-inside": "if(<... msg.sender ...>) revert(...);\n...\n"
},
{
"pattern-not-inside": "if(<... _msgSender() ...>) revert(...);\n...\n"
},
{
"pattern-not": "address(this).delegatecall(...);"
},
{
"pattern-either": [
{
"pattern": "$CONTRACT.delegatecall(...);"
},
{
"pattern": "$CONTRACT.delegatecall{gas:$GAS}(...);"
}
]
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "function $ANY(..., address $CONTRACT, ...) public {...}"
},
{
"pattern": "function $ANY(..., address $CONTRACT, ...) external {...}"
},
{
"pattern": "function $ANY(..., address payable $CONTRACT, ...) public {...}"
},
{
"pattern": "function $ANY(..., address payable $CONTRACT, ...) external {...}"
}
]
},
{
"pattern-not": "constructor(...) { ... }"
},
{
"pattern-not": "function $ANY(...) $M { ... }"
},
{
"pattern-not": "function $ANY(...) $M(...) { ... }"
},
{
"focus-metavariable": "$CONTRACT"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.encode-packed-collision",
"languages": [
"solidity"
],
"message": "abi.encodePacked hash collision with variable length arguments in $F()",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-20: Improper Input Validation",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://swcregistry.io/docs/SWC-133"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function $F(..., bytes $A, ..., bytes $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., string $A, ..., string $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., bytes $A, ..., string $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., string $A, ..., bytes $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., address[] $A, ..., address[] $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., uint256[] $A, ..., uint256[] $B, ...) public {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., bytes $A, ..., bytes $B, ...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., string $A, ..., string $B, ...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., bytes $A, ..., string $B, ...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., string $A, ..., bytes $B, ...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., address[] $A, ..., address[] $B, ...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(..., uint256[] $A, ..., uint256[] $B, ...) external {\n ...\n}\n"
}
]
},
{
"pattern-either": [
{
"pattern": "keccak256(abi.encodePacked(..., $A, $B, ...))\n"
},
{
"pattern": "$X = abi.encodePacked(..., $A, $B, ...);\n...\nkeccak256($X);\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.erc20-public-burn",
"languages": [
"solidity"
],
"message": "Anyone can burn tokens of other accounts",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/danielvf/status/1511013322015051797",
"https://etherscan.io/address/0xf15ead6acb8ab52a1e335671a48f3a99e991614c"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "function burn(...) public { \n _burn($ACCOUNT, $AMOUNT);\n }\n"
},
{
"pattern": "function burn(...) external { \n _burn($ACCOUNT, $AMOUNT);\n }\n"
}
]
},
{
"pattern-not": "function burn(...) $M { ... }"
},
{
"pattern-not": "function burn(...) $M(...) { ... }"
},
{
"pattern-not": "function burn(...) {\n _burn(msg.sender, ...);\n}\n"
},
{
"pattern-not": "function burn(...) {\n _burn(_msgSender(), ...);\n}\n"
},
{
"pattern-not": "function burn(...) {\n _burn(tokenId, ...);\n}\n"
},
{
"pattern-not": "function burn(...) {\n _burn(_tokenId, ...);\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.erc20-public-transfer",
"languages": [
"solidity"
],
"message": "Custom ERC20 implementation exposes _transfer() as public",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://medium.com/@Knownsec_Blockchain_Lab/creat-future-was-tragically-transferred-coins-at-will-who-is-the-mastermind-behind-the-scenes-8ad42a7af814",
"https://bscscan.com/address/0x8B7218CF6Ac641382D7C723dE8aA173e98a80196"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "function _transfer(...) public { ... }\n"
},
{
"pattern": "function _transfer(...) external { ... }\n"
}
]
},
{
"pattern-not": "function _transfer(...) $M { ... }\n"
},
{
"pattern-not": "function _transfer(...) $M(...) { ... }\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.erc677-reentrancy",
"languages": [
"solidity"
],
"message": "ERC677 callAfterTransfer() reentrancy",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://twitter.com/peckshield/status/1509431646818234369",
"https://twitter.com/blocksecteam/status/1509466576848064512",
"https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611",
"https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function transfer(...) {\n ...\n}\n"
},
{
"pattern": "callAfterTransfer(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.erc721-arbitrary-transferfrom",
"languages": [
"solidity"
],
"message": "Custom ERC721 implementation lacks access control checks in _transfer()",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/BlockSecAlert/status/1516289618605654024",
"https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function _transfer(...) {\n...\n}\n"
},
{
"pattern-inside": "require(prevOwnership.addr == $FROM, ...);\n...\n"
},
{
"pattern-not-inside": "(<... _msgSender() == $FROM ...>);\n...\n"
},
{
"pattern-not-inside": "(<... _msgSender() == $PREV.$ADDR ...>);\n...\n"
},
{
"pattern-not-inside": "(<... msg.sender == $FROM ...>);\n...\n"
},
{
"pattern-not-inside": "require(_isApprovedOrOwner(...), ...);\n...\n"
},
{
"pattern": "_approve(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.erc721-reentrancy",
"languages": [
"solidity"
],
"message": "ERC721 onERC721Received() reentrancy",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a",
"https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "_checkOnERC721Received(...)"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.erc777-reentrancy",
"languages": [
"solidity"
],
"message": "ERC777 tokensReceived() reentrancy",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-841: Improper Enforcement of Behavioral Workflow",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0",
"https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$X.tokensReceived(...);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.gearbox-tokens-path-confusion",
"languages": [
"solidity"
],
"message": "UniswapV3 adapter implemented incorrect extraction of path parameters",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://medium.com/@nnez/different-parsers-different-results-acecf84dfb0c",
"https://etherscan.io/address/0xbA7B57D7E4d4A7516FC1CbfF1CA5182eBC0c1491"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$PATH.toAddress($PATH.length - $ADDR_SIZE);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.incorrect-use-of-blockhash",
"languages": [
"solidity"
],
"message": "blockhash(block.number) and blockhash(block.number + N) always returns 0.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-341: Predictable from Observable State",
"impact": "MEDIUM",
"likelihood": "LOW",
"references": [
"https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "blockhash(block.number)"
},
{
"pattern": "blockhash(block.number + $N)"
},
{
"pattern": "blockhash(block.number * $N)"
},
{
"pattern": "block.blockhash(block.number)"
},
{
"pattern": "block.blockhash(block.number + $N)"
},
{
"pattern": "block.blockhash(block.number * $N)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.keeper-network-oracle-manipulation",
"languages": [
"solidity"
],
"message": "Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-682: Incorrect Calculation",
"impact": "HIGH",
"likelihood": "LOW",
"references": [
"https://twitter.com/peckshield/status/1510232640338608131",
"https://twitter.com/FrankResearcher/status/1510239094777032713",
"https://twitter.com/larry0x/status/1510263618180464644",
"https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9",
"https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT);"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.missing-self-transfer-check-ercx",
"languages": [
"solidity"
],
"message": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-682: Incorrect Calculation",
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A7:2021 Identification and Authentication Failures"
],
"references": [
"https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities",
"https://x.com/shoucccc/status/1757777764646859121"
],
"subcategory": [
"vuln"
],
"technology": [
"blockchain",
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "_balances[$FROM] = $FROM_BALANCE - value;\n"
},
{
"pattern": "_balances[$TO] = $TO_BALANCE + value;\n"
}
]
},
{
"pattern-not-inside": "if ($FROM != $TO) {\n ...\n _balances[$FROM] = $FROM_BALANCE - value;\n ...\n _balances[$TO] = $TO_BALANCE + value;\n ...\n}\n"
},
{
"pattern-inside": "function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual {\n ...\n}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.msg-value-multicall",
"languages": [
"solidity"
],
"message": "$F with constant msg.value can be called multiple times",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-837: Improper Enforcement of a Single, Unique Action",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://github.com/Uniswap/v3-periphery/issues/52",
"https://www.paradigm.xyz/2021/08/two-rights-might-make-a-wrong"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "contract $C is ..., BoringBatchable, ... {\n ...\n}\n"
},
{
"pattern-inside": "contract $C is ..., Multicall, ... {\n ...\n}\n"
}
]
},
{
"pattern-inside": "function $F(...) {\n ...\n}\n"
},
{
"pattern": "msg.value"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.no-bidi-characters",
"languages": [
"solidity"
],
"message": "The code must not contain any of Unicode Direction Control Characters",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-837: Improper Enforcement of a Single, Unique Action",
"impact": "LOW",
"likelihood": "LOW",
"references": [
"https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo"
],
"subcategory": [
"audit"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-regex": "\u202a"
},
{
"pattern-regex": "\u202b"
},
{
"pattern-regex": "\u202d"
},
{
"pattern-regex": "\u202e"
},
{
"pattern-regex": "\u2066"
},
{
"pattern-regex": "\u2067"
},
{
"pattern-regex": "\u2068"
},
{
"pattern-regex": "\u202c"
},
{
"pattern-regex": "\u2069"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.no-slippage-check",
"languages": [
"solidity"
],
"message": "No slippage check in a Uniswap v2/v3 trade",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-682: Incorrect Calculation",
"impact": "MEDIUM",
"likelihood": "HIGH",
"references": [
"https://uniswapv3book.com/docs/milestone_3/slippage-protection/"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$X.swapExactTokensForTokens($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "$X.swapExactTokensForTokensSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "$X.swapExactTokensForETH($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "$X.swapExactTokensForETHSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "$X.swapExactETHForTokens{$VALUE:...}($LIMIT, $A, $B, $C)"
},
{
"pattern": "$X.swapExactETHForTokensSupportingFeeOnTransferTokens{$VALUE:...}($LIMIT, $A, $B, $C)"
},
{
"pattern": "$X.swapTokensForExactTokens($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "$X.swapTokensForExactETH($A, $LIMIT, $B, $C, $D)"
},
{
"pattern": "function $FUNC(...) {\n ...\n $Y = $SWAPROUTER.ExactInputSingleParams({\n tokenIn: $A, \n tokenOut: $B, \n fee: $C, \n recipient: $D, \n deadline: $E, \n amountIn: $F, \n amountOutMinimum: $LIMIT, \n sqrtPriceLimitX96: 0\n });\n ...\n $X.exactInputSingle($Y);\n ...\n}\n"
},
{
"pattern": "$X.exactInputSingle($SWAPROUTER.ExactInputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountIn: $F,\n amountOutMinimum: $LIMIT,\n sqrtPriceLimitX96: 0\n}));\n"
},
{
"pattern": "function $FUNC(...) {\n ...\n $Y = $SWAPROUTER.ExactOutputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountOut: $F,\n amountInMaximum: $LIMIT,\n sqrtPriceLimitX96: 0\n });\n ...\n $X.exactOutputSingle($Y);\n ...\n}\n"
},
{
"pattern": "$X.exactOutputSingle($SWAPROUTER.ExactOutputSingleParams({\n tokenIn: $A,\n tokenOut: $B,\n fee: $C,\n recipient: $D,\n deadline: $E,\n amountOut: $F,\n amountInMaximum: $LIMIT,\n sqrtPriceLimitX96: 0\n}));\n"
},
{
"pattern": "$X.swap($RECIPIENT, $ZEROFORONE, $AMOUNTIN, $LIMIT, $DATA)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$LIMIT",
"regex": "^(0)|(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)|(type\\(uint(256)?\\)\\.max)|(uint(256)?\\(-1)|(115792089237316195423570985008687907853269984665640564039457584007913129639935)|(2\\s?\\*\\*\\s?256\\s?-\\s?1)$"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.openzeppelin-ecdsa-recover-malleable",
"languages": [
"solidity"
],
"message": "Potential signature malleability in $F",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-347: Improper Verification of Cryptographic Signature",
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"references": [
"https://github.com/advisories/GHSA-4h98-2769-gh6h"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"pattern-either": [
{
"pattern": "function $F(..., bytes $Y, ...) {\n ...\n $Z = ECDSA.recover(..., $Y);\n ...\n $A[$Y] = ...;\n ...\n}\n"
},
{
"pattern": "function $F(..., bytes $Y, ...) {\n ...\n $Z = ECDSA.recover(..., $Y);\n ...\n $A[$B][$Y] = ...;\n ...\n}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.oracle-price-update-not-restricted",
"languages": [
"solidity"
],
"message": "Oracle price data can be submitted by anyone",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/BlockSecTeam/status/1514815673800663045",
"https://twitter.com/CertiKAlert/status/1514831117169405953",
"https://medium.com/@hacxyk/aave-v3s-price-oracle-manipulation-vulnerability-168e44e9e374",
"https://bscscan.com/address/0xd55f01b4b51b7f48912cd8ca3cdd8070a1a9dba5",
"https://polygonscan.com/address/0xaA5890362f36FeaAe91aF248e84e287cE6eCD1A9"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "function $F(...) public {...}"
},
{
"pattern": "function $F(...) external {...}"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$F",
"pattern-either": [
{
"pattern": "setOracleData"
},
{
"pattern": "setAssetPrice"
}
]
}
},
{
"pattern-not": "function $F(...) onlyOwner { ... }"
},
{
"pattern-not": "function $F(...) onlySybil { ... }"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.proxy-storage-collision",
"languages": [
"solidity"
],
"message": "Proxy declares a state var that may override a storage slot of the implementation",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-787: Out-of-bounds Write",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "contract $CONTRACT is ..., $PROXY, ... {\n ...\n $TYPE $VAR;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n"
},
{
"pattern": "contract $CONTRACT is ..., $PROXY, ... {\n ...\n $TYPE $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n"
}
]
},
{
"pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE immutable $VAR;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE immutable $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "contract $CONTRACT is ..., $PROXY, ... {\n $TYPE constant $VAR = ...;\n ...\n constructor(...) {\n ...\n }\n ...\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$CONTRACT",
"regex": "^(?!AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy).*$"
}
},
{
"metavariable-regex": {
"metavariable": "$PROXY",
"regex": "(UpgradeabilityProxy|AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy|TransparentUpgradeableProxy|ERC1967Proxy)"
}
},
{
"focus-metavariable": "$PROXY"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.redacted-cartel-custom-approval-bug",
"languages": [
"solidity"
],
"message": "transferFrom() can steal allowance of other accounts",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5",
"https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function transferFrom(...) {\n...\n}\n"
},
{
"pattern": "_approve(..., allowance(sender, recipient).sub(amount, ...), ...);"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.rigoblock-missing-access-control",
"languages": [
"solidity"
],
"message": "setMultipleAllowances() is missing onlyOwner modifier",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/danielvf/status/1494317265835147272",
"https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8",
"https://play.secdim.com/game/dapp/challenge/rigoownsol"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "function setMultipleAllowances(...) {...}"
},
{
"pattern-not": "function setMultipleAllowances(...) onlyOwner {...}"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.sense-missing-oracle-access-control",
"languages": [
"solidity"
],
"message": "Oracle update is not restricted in $F()",
"metadata": {
"author": "https://twitter.com/ArbazKiraak",
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function $F(...,$D $REQUEST,...) external {\n ...\n}\n"
},
{
"pattern-inside": "function $F(...,$D $REQUEST,...) public {\n ...\n}\n"
}
]
},
{
"pattern-not-inside": "function $F(...,$D $REQUEST,...) external onlyVault(...) {\n ...\n}\n"
},
{
"patterns": [
{
"pattern": "_updateOracle($LASTBLOCK,...,...)"
},
{
"pattern-not-inside": "...\nif (msg.sender == $BALANCER) { ... }\n...\n"
},
{
"pattern-not-inside": "...\nrequire(msg.sender == address($BALANCER),...);\n...\n"
},
{
"pattern-not-inside": "...\nif (_msgSender() == $BALANCER) { ... }\n...\n"
},
{
"pattern-not-inside": "...\nrequire(_msgSender() == address($BALANCER),...);\n...\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.superfluid-ctx-injection",
"languages": [
"solidity"
],
"message": "A specially crafted calldata may be used to impersonate other accounts",
"metadata": {
"category": "security",
"confidence": "HIGH",
"cwe": "CWE-20: Improper Input Validation",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://rekt.news/superfluid-rekt/",
"https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd",
"https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "$T.decodeCtx(ctx);"
},
{
"pattern-not-inside": "require($T.isCtxValid(...), \"...\");\n...\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.tecra-coin-burnfrom-bug",
"languages": [
"solidity"
],
"message": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": "CWE-688: Function Call With Incorrect Variable or Reference as Argument",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://twitter.com/Mauricio_0218/status/1490082073096462340",
"https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-inside": "function $BURN(..., address $FROM, ...) {\n ...\n _burn($FROM, ...);\n ...\n}\n"
},
{
"pattern-either": [
{
"pattern": "require(_allowances[$S][$FROM] >= $X, ...)"
},
{
"pattern": "require(allowance($S, $FROM) >= $X, ...)"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.solidity.security.uniswap-callback-not-protected",
"languages": [
"solidity"
],
"message": "Uniswap callback is not protected",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "MEDIUM",
"references": [
"https://docs.uniswap.org/contracts/v3/guides/flash-integrations/flash-callback"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern": "function $CALLBACK(...) { ... }\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n $VALIDATION.verifyCallback(...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n $CHECK(msg.sender == $U.$PAIR(...), ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n $CHECK(_msgSender() == $U.$PAIR(...), ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require(msg.sender == $POOL, ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require(_msgSender() == $POOL, ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require($POOL == msg.sender, ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require($POOL == _msgSender(), ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if (msg.sender != $POOL) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if (_msgSender() != $POOL) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if (msg.sender == $POOL) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if (_msgSender() == $POOL) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if(!$POOLS[msg.sender]) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n if(!$POOLS[_msgSender()]) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n _verifyCallback(...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) isCallback {\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require($POOLS[msg.sender], ...);\n ...\n}\n"
},
{
"pattern-not": "function $CALLBACK(...) {\n ...\n require($POOLS[_msgSender()], ...);\n ...\n}\n"
},
{
"metavariable-regex": {
"metavariable": "$CALLBACK",
"regex": "(uniswapV2Call|uniswapV3SwapCallback|uniswapV3FlashCallback|uniswapV3MintCallback)"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.solidity.security.unrestricted-transferownership",
"languages": [
"solidity"
],
"message": "Unrestricted transferOwnership",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": "CWE-284: Improper Access Control",
"impact": "HIGH",
"likelihood": "HIGH",
"references": [
"https://medium.com/quillhash/decoding-ragnarok-online-invasion-44k-exploit-quillaudits-261b7e23b55",
"https://www.bscscan.com/address/0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c"
],
"subcategory": [
"vuln"
],
"technology": [
"solidity"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "function transferOwnership(address $X) public {...}"
},
{
"pattern": "function transferOwnership(address $X) external {...}"
}
]
},
{
"pattern-not": "function transferOwnership(address $X) $M {...}\n"
},
{
"pattern-not": "function transferOwnership(address $X) $M(...) {...}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n require(<... msg.sender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n require(<... _msgSender ...>, ...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n if (<... msg.sender ...>) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n if (<... _msgSender ...>) {\n ...\n }\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n onlyOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n requireOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n _requireOwnership(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n $C._enforceIsContractOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n $C._enforceOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {\n ...\n $C.enforceIsContractOwner(...);\n ...\n}\n"
},
{
"pattern-not": "function transferOwnership(address $X) {}\n"
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.typescript.angular.security.audit.angular-bypasssecuritytrust",
"languages": [
"typescript"
],
"message": "Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://angular.io/api/platform-browser/DomSanitizer",
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
],
"subcategory": [
"vuln"
],
"technology": [
"angular",
"browser"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern": "sanitizer.sanitize(...)"
},
{
"pattern-not": "sanitizer.sanitize(SecurityContext.NONE, ...);"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$X.$TRUST($Y)"
}
]
},
{
"focus-metavariable": "$Y"
},
{
"pattern-not": "$X.$TRUST(`...`)\n"
},
{
"pattern-not": "$X.$TRUST(\"...\")\n"
},
{
"metavariable-regex": {
"metavariable": "$TRUST",
"regex": "(bypassSecurityTrustHtml|bypassSecurityTrustStyle|bypassSecurityTrustScript|bypassSecurityTrustUrl|bypassSecurityTrustResourceUrl)"
}
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ...({..., $X: string, ...}) { ... }\n"
},
{
"pattern-inside": "function ...(..., $X: string, ...) { ... }\n"
}
]
},
{
"focus-metavariable": "$X"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod",
"languages": [
"ts"
],
"message": "Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-306: Missing Authentication for Critical Function"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "HIGH",
"likelihood": "HIGH",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html"
],
"subcategory": [
"vuln"
],
"technology": [
"AWS-CDK"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3'\n...\n"
},
{
"pattern": "const $X = new Bucket(...)\n...\n$X.grantPublicAccess(...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "import * as $Y from '@aws-cdk/aws-s3'\n...\n"
},
{
"pattern": "const $X = new $Y.Bucket(...)\n...\n$X.grantPublicAccess(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.aws-cdk.security.awscdk-codebuild-project-public",
"languages": [
"ts"
],
"message": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-306: Missing Authentication for Critical Function"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html"
],
"subcategory": [
"vuln"
],
"technology": [
"AWS-CDK"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import {Project} from '@aws-cdk/aws-codebuild'\n...\n"
},
{
"pattern": "const $X = new Project(..., {..., badge: true, ...})\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "import * as $Y from '@aws-cdk/aws-codebuild'\n...\n"
},
{
"pattern": "const $X = new $Y.Project(..., {..., badge: true, ...})\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.aws-cdk.security.audit.awscdk-bucket-encryption",
"languages": [
"typescript"
],
"message": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-311: Missing Encryption of Sensitive Data"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A04:2021 - Insecure Design"
],
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html"
],
"subcategory": [
"vuln"
],
"technology": [
"AWS-CDK"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3'\n...\n"
},
{
"pattern": "const $X = new Bucket(...)"
},
{
"pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS_MANAGED, ...})\n"
},
{
"pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS, ...})\n"
},
{
"pattern-not": "const $X = new Bucket(..., {..., encryption: BucketEncryption.S3_MANAGED, ...})\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "import * as $Y from '@aws-cdk/aws-s3'\n...\n"
},
{
"pattern": "const $X = new $Y.Bucket(...)"
},
{
"pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS_MANAGED, ...})\n"
},
{
"pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS, ...})\n"
},
{
"pattern-not": "const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.S3_MANAGED, ...})\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.typescript.aws-cdk.security.audit.aws-cdk-bucket-enforcessl",
"languages": [
"ts"
],
"message": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "MEDIUM",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html"
],
"subcategory": [
"vuln"
],
"technology": [
"AWS-CDK"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import {Bucket} from '@aws-cdk/aws-s3';\n...\n"
},
{
"pattern": "const $X = new Bucket(...)"
},
{
"pattern-not": "const $X = new Bucket(..., {enforceSSL: true}, ...)\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "import * as $Y from '@aws-cdk/aws-s3';\n...\n"
},
{
"pattern": "const $X = new $Y.Bucket(...)"
},
{
"pattern-not": "const $X = new $Y.Bucket(..., {..., enforceSSL: true, ...})\n"
}
]
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue",
"languages": [
"ts"
],
"message": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-311: Missing Encryption of Sensitive Data"
],
"impact": "HIGH",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A04:2021 - Insecure Design"
],
"references": [
"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html"
],
"subcategory": [
"vuln"
],
"technology": [
"AWS-CDK"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "import {Queue} from '@aws-cdk/aws-sqs'\n...\n"
},
{
"pattern": "const $X = new Queue(...)"
},
{
"pattern-not": "const $X = new Queue(..., {..., encryption: QueueEncryption.KMS_MANAGED, ...})\n"
},
{
"pattern-not": "const $X = new Queue(..., {..., encryption: QueueEncryption.KMS, ...})\n"
}
]
},
{
"patterns": [
{
"pattern-inside": "import * as $Y from '@aws-cdk/aws-sqs'\n...\n"
},
{
"pattern": "const $X = new $Y.Queue(...)"
},
{
"pattern-not": "const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS_MANAGED, ...})\n"
},
{
"pattern-not": "const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS, ...})\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.lang.security.audit.cors-regex-wildcard",
"languages": [
"ts"
],
"message": "Unescaped '.' character in CORS domain regex $CORS: $PATTERN",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-183: Permissive List of Allowed Inputs"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"cors"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern": "$CORS = [...,/$PATTERN/,...]"
},
{
"pattern": "$CORS = /$PATTERN/"
}
]
},
{
"focus-metavariable": "$PATTERN"
},
{
"metavariable-regex": {
"metavariable": "$PATTERN",
"regex": ".+?(?<!\\\\).\\..+(?<!\\\\)\\..+"
}
},
{
"metavariable-regex": {
"metavariable": "$CORS",
"regex": "(?i)cors"
}
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.nestjs.security.audit.nestjs-header-cors-any",
"languages": [
"typescript"
],
"message": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.",
"metadata": {
"asvs": {
"control_id": "14.4.8 Permissive CORS",
"control_url": "https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements",
"section": "V14: Configuration Verification Requirements",
"version": "4"
},
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-183: Permissive List of Allowed Inputs"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A04:2021 - Insecure Design"
],
"references": [
"https://owasp.org/Top10/A04_2021-Insecure_Design"
],
"subcategory": [
"audit"
],
"technology": [
"nestjs"
]
},
"pattern-either": [
{
"pattern": "class $CN {\n @Header(\"=~/[Aa][Cc][Cc][Ee][Ss][Ss]-[Cc][Oo][Nn][Tt][Rr][Oo][Ll]-[Aa][Ll][Ll][Oo][Ww]-[Oo][Rr][Ii][Gg][Ii][Nn]/\", '*')\n $FN(...) {\n ...\n }\n}\n"
},
{
"pattern": "NestFactory.create($MODULE, {cors: true})\n"
},
{
"pattern": "NestFactory.create($MODULE, {cors: {origin: '*'}})\n"
},
{
"pattern": "$APP.enableCors()\n"
},
{
"pattern": "$APP.enableCors({origin: '*'})\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.nestjs.security.audit.nestjs-header-xss-disabled",
"languages": [
"typescript"
],
"message": "X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"subcategory": [
"audit"
],
"technology": [
"nestjs"
]
},
"pattern": "class $CN {\n ...\n @Header(\"=~/[Xx]-[Xx][Ss][Ss]-[Pp][Rr][Oo][Tt][Ee][Cc][Tt][Ii][Oo][Nn]/\", '0')\n $FN(...) {\n ...\n }\n ...\n}\n",
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.nestjs.security.audit.nestjs-open-redirect",
"languages": [
"typescript"
],
"message": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://owasp.org/Top10/A01_2021-Broken_Access_Control"
],
"subcategory": [
"audit"
],
"technology": [
"nestjs"
]
},
"patterns": [
{
"pattern": "return {url: $URL}\n"
},
{
"pattern-inside": "class $CN {\n @Redirect(...)\n $FN(...) {\n ...\n }\n}\n"
},
{
"pattern-not": "return {url: \"...\"}\n"
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.react.security.react-insecure-request",
"languages": [
"js",
"ts"
],
"message": "Unencrypted request over HTTP detected.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-319: Cleartext Transmission of Sensitive Information"
],
"impact": "MEDIUM",
"likelihood": "LOW",
"owasp": [
"A03:2017 - Sensitive Data Exposure",
"A02:2021 - Cryptographic Failures"
],
"references": [
"https://www.npmjs.com/package/axios"
],
"subcategory": [
"vuln"
],
"technology": [
"react"
],
"vulnerability": "Insecure Transport"
},
"patterns": [
{
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $AXIOS from 'axios';\n...\n$AXIOS.$METHOD(...)\n"
},
{
"pattern-inside": "$AXIOS = require('axios');\n...\n$AXIOS.$METHOD(...)\n"
}
]
},
{
"pattern": "$AXIOS.$VERB(\"$URL\",...)"
},
{
"metavariable-regex": {
"metavariable": "$VERB",
"regex": "^(get|post|delete|head|patch|put|options)"
}
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $AXIOS from 'axios';\n...\n$AXIOS(...)\n"
},
{
"pattern-inside": "$AXIOS = require('axios');\n...\n$AXIOS(...)\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$AXIOS({url: \"$URL\"}, ...)"
},
{
"pattern": "$OPTS = {url: \"$URL\"}\n...\n$AXIOS($OPTS, ...)\n"
}
]
}
]
},
{
"pattern": "fetch(\"$URL\", ...)"
}
]
},
{
"metavariable-regex": {
"metavariable": "$URL",
"regex": "^([Hh][Tt][Tt][Pp]:\\/\\/(?!localhost).*)"
}
}
],
"severity": "ERROR"
},
{
"id": "vendored-rules.typescript.react.security.react-markdown-insecure-html",
"languages": [
"js",
"ts"
],
"message": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://www.npmjs.com/package/react-markdown#security"
],
"subcategory": [
"audit"
],
"technology": [
"react"
]
},
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$X = require('react-markdown/with-html');\n...\n"
},
{
"pattern-inside": "$X = require('react-markdown');\n...\n"
},
{
"pattern-inside": "import 'react-markdown/with-html';\n...\n"
},
{
"pattern-inside": "import 'react-markdown';\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "<$EL allowDangerousHtml />\n"
},
{
"pattern": "<$EL escapeHtml={false} />\n"
},
{
"pattern": "<$EL transformLinkUri=... />\n"
},
{
"pattern": "<$EL transformImageUri=... />\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-dangerouslysetinnerhtml",
"languages": [
"js",
"ts"
],
"message": "Detection of dangerouslySetInnerHTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html"
],
"subcategory": [
"vuln"
],
"technology": [
"react"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$S = new Remarkable()\n...\n"
}
]
},
{
"pattern": "$S.render(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern": "{...,dangerouslySetInnerHTML: {__html: $X},...}\n"
},
{
"pattern": "<$Y ... dangerouslySetInnerHTML={{__html: $X}} />\n"
}
]
},
{
"pattern-not": "<$Y ... dangerouslySetInnerHTML={{__html: \"...\"}} />\n"
},
{
"pattern-not": "{...,dangerouslySetInnerHTML:{__html: \"...\"},...}\n"
},
{
"metavariable-pattern": {
"metavariable": "$X",
"patterns": [
{
"pattern-not": "{...}\n"
}
]
}
},
{
"pattern-not": "<... {__html: \"...\"} ...>\n"
},
{
"pattern-not": "<... {__html: `...`} ...>\n"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ...({..., $X, ...}) { ... }\n"
},
{
"pattern-inside": "function ...(..., $X, ...) { ... }\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"pattern-not-inside": "$F. ... .$SANITIZEUNC(...)\n"
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-href-var",
"languages": [
"js",
"ts"
],
"message": "Detected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within your application.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "LOW",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://reactjs.org/blog/2019/08/08/react-v16.9.0.html#deprecating-javascript-urls",
"https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part1.html"
],
"subcategory": [
"audit"
],
"technology": [
"react"
]
},
"mode": "taint",
"pattern-sinks": [
{
"patterns": [
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern": "<$EL href={$X} />\n"
},
{
"pattern": "React.createElement($EL, {href: $X})\n"
},
{
"pattern-inside": "$PARAMS = {href: $X};\n...\nReact.createElement($EL, $PARAMS);\n"
}
]
},
{
"metavariable-pattern": {
"metavariable": "$EL",
"patterns": [
{
"pattern-not-regex": "(?i)(button)"
}
]
}
}
],
"requires": "TAINTED and not CONCAT and not CLEAN"
}
],
"pattern-sources": [
{
"label": "TAINTED",
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ...({..., $X, ...}) { ... }\n"
},
{
"pattern-inside": "function ...(..., $X, ...) { ... }\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern": "$X.$Y"
},
{
"pattern": "$X[...]"
}
]
},
{
"pattern-not-inside": "$F. ... .$SANITIZEUNC(...)\n"
}
]
},
{
"label": "CONCAT",
"patterns": [
{
"pattern-either": [
{
"pattern": "`...${$X}...`\n"
},
{
"pattern": "$SANITIZE + <... $X ...>\n"
}
]
},
{
"pattern-not": "`${$X}...`\n"
},
{
"pattern-not": "$X + ...\n"
},
{
"focus-metavariable": "$X"
}
],
"requires": "TAINTED"
},
{
"by-side-effect": true,
"label": "CLEAN",
"patterns": [
{
"pattern-either": [
{
"pattern": "$A($SOURCE)"
},
{
"pattern": "$SANITIZE. ... .$A($SOURCE)"
},
{
"pattern": "$A. ... .$SANITIZE($SOURCE)"
}
]
},
{
"focus-metavariable": "$SOURCE"
},
{
"metavariable-regex": {
"metavariable": "$A",
"regex": "(?i)(.*valid|.*sanitiz)"
}
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-jwt-decoded-property",
"languages": [
"js",
"ts"
],
"message": "Property decoded from JWT token without verifying and cannot be trustworthy.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-922: Insecure Storage of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html"
],
"subcategory": [
"audit"
],
"technology": [
"react"
]
},
"patterns": [
{
"pattern-inside": "import jwt_decode from \"jwt-decode\";\n...\n"
},
{
"pattern-inside": "$DECODED = jwt_decode($TOKEN,...);\n...\n"
},
{
"pattern": "$DECODED.$PROPERTY"
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-jwt-in-localstorage",
"languages": [
"js",
"ts"
],
"message": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie.",
"metadata": {
"category": "security",
"confidence": "LOW",
"cwe": [
"CWE-922: Insecure Storage of Sensitive Information"
],
"impact": "LOW",
"likelihood": "LOW",
"owasp": [
"A01:2021 - Broken Access Control"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies"
],
"subcategory": [
"audit"
],
"technology": [
"react"
]
},
"patterns": [
{
"pattern-inside": "import jwt_decode from \"jwt-decode\";\n...\n"
},
{
"pattern-either": [
{
"pattern": "$DECODED = jwt_decode($TOKEN,...);\n...\nlocalStorage.setItem($NAME, <... $TOKEN ...>);\n"
},
{
"pattern": "$DECODED = jwt_decode(...);\n...\nlocalStorage.setItem($NAME, <... $DECODED ...>);\n"
}
]
}
],
"severity": "INFO"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-unsanitized-method",
"languages": [
"js",
"ts"
],
"message": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "HIGH",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln",
"https://developer.mozilla.org/en-US/docs/Web/API/Document/write",
"https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML"
],
"subcategory": [
"vuln"
],
"technology": [
"react"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$S = new Remarkable()\n...\n"
}
]
},
{
"pattern": "$S.render(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern": "this.window.document. ... .$HTML('...',$SINK) \n"
},
{
"pattern": "window.document. ... .$HTML('...',$SINK) \n"
},
{
"pattern": "document.$HTML($SINK) \n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTML",
"regex": "(writeln|write)"
}
},
{
"focus-metavariable": "$SINK"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "$PROP. ... .$HTML('...',$SINK) \n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTML",
"regex": "(insertAdjacentHTML)"
}
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ...({..., $X, ...}) { ... }\n"
},
{
"pattern-inside": "function ...(..., $X, ...) { ... }\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern": "$X.$Y"
},
{
"pattern": "$X[...]"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"id": "vendored-rules.typescript.react.security.audit.react-unsanitized-property",
"languages": [
"js",
"ts"
],
"message": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.",
"metadata": {
"category": "security",
"confidence": "MEDIUM",
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"cwe2021-top25": true,
"cwe2022-top25": true,
"impact": "MEDIUM",
"license": "Commons Clause License Condition v1.0[LGPL-2.1-only]",
"likelihood": "MEDIUM",
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"references": [
"https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html"
],
"subcategory": [
"vuln"
],
"technology": [
"react"
]
},
"mode": "taint",
"pattern-sanitizers": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "import $S from \"underscore.string\"\n...\n"
},
{
"pattern-inside": "$S = require(\"underscore.string\")\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$S.escapeHTML(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import { ..., $S,... } from \"dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"dompurify\")\n...\n"
},
{
"pattern-inside": "import $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "import * as $S from \"isomorphic-dompurify\"\n...\n"
},
{
"pattern-inside": "$S = require(\"isomorphic-dompurify\")\n...\n"
}
]
},
{
"pattern-either": [
{
"patterns": [
{
"pattern-inside": "$VALUE = $S(...)\n...\n"
},
{
"pattern": "$VALUE.sanitize(...)"
}
]
},
{
"patterns": [
{
"pattern-inside": "$VALUE = $S.sanitize\n...\n"
},
{
"pattern": "$S(...)"
}
]
},
{
"pattern": "$S.sanitize(...)"
},
{
"pattern": "$S(...)"
}
]
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'xss';\n...\n"
},
{
"pattern-inside": "import * as $S from 'xss';\n...\n"
},
{
"pattern-inside": "$S = require(\"xss\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import $S from 'sanitize-html';\n...\n"
},
{
"pattern-inside": "import * as $S from \"sanitize-html\";\n...\n"
},
{
"pattern-inside": "$S = require(\"sanitize-html\")\n...\n"
}
]
},
{
"pattern": "$S(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$S = new Remarkable()\n...\n"
}
]
},
{
"pattern": "$S.render(...)"
}
]
}
],
"pattern-sinks": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "$BODY = $REACT.useRef(...)\n...\n"
},
{
"pattern-inside": "$BODY = useRef(...)\n...\n"
},
{
"pattern-inside": "$BODY = findDOMNode(...)\n...\n"
},
{
"pattern-inside": "$BODY = createRef(...)\n...\n"
},
{
"pattern-inside": "$BODY = $REACT.findDOMNode(...)\n...\n"
},
{
"pattern-inside": "$BODY = $REACT.createRef(...)\n...\n"
}
]
},
{
"pattern-either": [
{
"pattern": "$BODY. ... .$HTML = $SINK \n"
},
{
"pattern": "$BODY.$HTML = $SINK \n"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTML",
"regex": "(innerHTML|outerHTML)"
}
},
{
"focus-metavariable": "$SINK"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern": "ReactDOM.findDOMNode(...).$HTML = $SINK"
}
]
},
{
"metavariable-regex": {
"metavariable": "$HTML",
"regex": "(innerHTML|outerHTML)"
}
},
{
"focus-metavariable": "$SINK"
}
]
}
],
"pattern-sources": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "function ...({..., $X, ...}) { ... }\n"
},
{
"pattern-inside": "function ...(..., $X, ...) { ... }\n"
}
]
},
{
"focus-metavariable": "$X"
},
{
"pattern-either": [
{
"pattern": "$X.$Y"
},
{
"pattern": "$X[...]"
}
]
}
]
}
],
"severity": "WARNING"
},
{
"fix": "/* Use sql`...` template literals or parameterized queries instead */",
"id": "replit-rules.javascript.drizzle-orm.security.audit.ban-drizzle-sql-raw",
"languages": [
"js",
"ts"
],
"message": "Use of sql.raw() is not allowed as it may lead to SQL injection. Use parameterized queries with Drizzle's query builders instead.",
"metadata": {
"category": "security",
"references": [
"https://orm.drizzle.team/docs/sql#sqlraw"
],
"subcategory": [
"audit"
],
"technology": [
"javascript",
"typescript",
"drizzle-orm"
]
},
"pattern-either": [
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "const { sql } = require('drizzle-orm')\n...\n"
},
{
"pattern-inside": "import { sql } from 'drizzle-orm'\n...\n"
}
]
},
{
"pattern": "sql.raw(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "import { sql as $ALIAS } from 'drizzle-orm'\n...\n"
},
{
"pattern-inside": "const { sql: $ALIAS } = require('drizzle-orm')\n...\n"
}
]
},
{
"pattern": "$ALIAS.raw(...)"
}
]
},
{
"patterns": [
{
"pattern-either": [
{
"pattern-inside": "const $DRIZZLE = require('drizzle-orm')\n...\n"
},
{
"pattern-inside": "import $DRIZZLE from 'drizzle-orm'\n...\n"
}
]
},
{
"pattern": "$DRIZZLE.sql.raw(...)"
}
]
}
],
"severity": "ERROR"
}
]
}
Reference in New Issue View Git Blame Copy Permalink