Merge pull request #316 from DataDog/fix-false-negative-exec-base64

Identify when code is decrypted and executed on the fly
DataDog · Apr 3, 2024 · ba5e53f · ba5e53f
2 parents fb663d1 + abfab37
commit ba5e53f
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/guarddog/analyzer/sourcecode/exec-base64.yml b/guarddog/analyzer/sourcecode/exec-base64.yml
@@ -55,4 +55,5 @@ rules:
           - pattern: decode("...")
           - pattern: __import__("base64").b64decode(...)
           - pattern: marshal.loads(zlib.decompress(...))
+          - pattern: $FUNC("...").decrypt(...)
     severity: WARNING
diff --git a/tests/analyzer/sourcecode/exec-base64.py b/tests/analyzer/sourcecode/exec-base64.py
@@ -111,4 +111,7 @@
         "<string>",
         "exec",
     )
-)
+)
+
+# ruleid: exec-base64
+exec(Fernet(b'E15Vxxx=').decrypt(b'gAAAxxx='))