Merge pull request #363 from DataDog/s.obregoso/new_download_executable

add download_executable missing detection
DataDog · May 23, 2024 · be95cc1 · be95cc1
2 parents 180543e + 57348bf
commit be95cc1
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 12 deletions.
diff --git a/guarddog/analyzer/sourcecode/download-executable.yml b/guarddog/analyzer/sourcecode/download-executable.yml
@@ -62,18 +62,36 @@ rules:
                             pattern-regex: (?i)^['"].*?\.exe['"]$
 
     pattern-sources:
-      - pattern: (...).send(...)
-      - pattern: send(...)
-      - pattern: (...).request(...)
-      - pattern: request(...)
-      - pattern: (...).urlopen(...)
-      - pattern: urlopen(...)
-      - pattern: (...).getresponse(...)
-      - pattern: getresponse(...)
-      - pattern: requests.$FUNC(...)
-      - pattern: (...).urlretrieve(...)
-      - pattern: urlretrieve(...)
-      - pattern: requests.get(...)
+      - pattern: |
+          (...).request(...)
+          ...
+      - pattern: |
+          request(...)
+          ...
+      - pattern: |
+          (...).urlopen(...)
+          ...
+      - pattern: |
+          urlopen(...)
+          ...
+      - pattern: |
+          (...).getresponse(...)
+          ...
+      - pattern: |
+          getresponse(...)
+          ...
+      - pattern: |
+          requests.$FUNC(...)
+          ...
+      - pattern: |
+          (...).urlretrieve(...)
+          ...
+      - pattern: |
+          urlretrieve(...)
+          ...
+      - pattern: |
+          requests.get(...)
+          ...
     severity: WARNING
     options: 
       symbolic_propagation: true
diff --git a/tests/analyzer/sourcecode/download-executable.py b/tests/analyzer/sourcecode/download-executable.py
@@ -145,3 +145,17 @@ def f():
             os.system(f'./{executable} &')
         elif 'windows' in operating_system:
             os.system(f'start /B {executable}')
+
+def f():
+    response = requests.get(url)
+    buf = response.content
+    out: list[int] = []
+
+    for b, k in zip(buf, run1):
+        out.append(b ^ k)
+
+    binary_path = os.path.join(local_bin_path, 'myfile')
+    # ruleid: download-executable
+    with open(binary_path, 'wb') as f:
+        f.write(bytes(out))
+    os.chmod(binary_path, stat.S_IREAD | stat.S_IEXEC | stat.S_IRGRP | stat.S_IXGRP)