Merge branch 'develop' into andre/enable-case-insensitive-php-tests

semgrep · Aug 11, 2023 · 68c9765 · 68c9765
2 parents 1a6c5a0 + d5bec93
commit 68c9765
Show file tree

Hide file tree

Showing 16 changed files with 921 additions and 424 deletions.
diff --git a/.github/rulerascal/poetry.lock b/.github/rulerascal/poetry.lock
diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml
@@ -38,7 +38,7 @@ jobs:
       env:
         GH_TOKEN: ${{ github.token }}
       run: |
-        SEMGREP_OLD_VERSION=$(gh api --method GET /repos/returntocorp/semgrep/releases | jq -r '.[].tag_name' | sed -n 5p | tr -d v)
+        SEMGREP_OLD_VERSION=$(gh api --method GET /repos/returntocorp/semgrep/releases | jq -r '.[].tag_name' | sed -n 10p | tr -d v)
         echo $SEMGREP_OLD_VERSION
         echo "SEMGREP_OLD_VERSION=$SEMGREP_OLD_VERSION" >> $GITHUB_ENV
     - name: validate rules on historical semgrep version

diff --git a/bash/curl/security/curl-pipe-bash.bash b/bash/curl/security/curl-pipe-bash.bash
@@ -12,6 +12,9 @@ curl http://10.110.1.200/deployment/scripts/SLAVE00-flight-setup.bash | sudo /bi
 # ruleid: curl-pipe-bash
 sudo bash <(curl -Ls "https://raw.githubusercontent.com/pusox/pusox/main/script/_A.sh")
 
+# ruleid: curl-pipe-bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+
 # ok: curl-pipe-bash
 curl http://10.110.1.200/deployment/scripts/SLAVE00-flight-setup.bash | tee -a /tmp/mainscript-default-output
 
diff --git a/bash/curl/security/curl-pipe-bash.yaml b/bash/curl/security/curl-pipe-bash.yaml
@@ -27,7 +27,9 @@ rules:
     impact: LOW
   patterns:
     - pattern-either:
-        - pattern: curl ... | ... bash ... 
+        - pattern: curl ... | ... bash ...
         - pattern: curl ... | ... /bin/bash ...
         - pattern: ... bash <(curl ...)
         - pattern: ... /bin/bash <(curl ...)
+        - pattern: ... bash -c "$(curl ...)"
+        - pattern: ... /bin/bash -c "$(curl ...)"
diff --git a/dockerfile/security/no-sudo-in-dockerfile.dockerfile b/dockerfile/security/no-sudo-in-dockerfile.dockerfile
@@ -0,0 +1,21 @@
+# Use an official Ubuntu 20.04 as base image
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# ok: no-sudo-in-dockerfile
+RUN apt-get update && apt-get upgrade -y
+
+# ok: no-sudo-in-dockerfile
+RUN apt-get install -y sudo
+
+RUN useradd -ms /bin/bash newuser
+
+RUN echo "newuser ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+USER newuser
+
+# ruleid: no-sudo-in-dockerfile
+RUN sudo apt-get install -y curl
+
+CMD ["echo", "Hello, Docker!"]
diff --git a/dockerfile/security/no-sudo-in-dockerfile.yaml b/dockerfile/security/no-sudo-in-dockerfile.yaml
@@ -0,0 +1,27 @@
+rules:
+- id: no-sudo-in-dockerfile
+  patterns:
+  - pattern: |
+      RUN sudo ...
+  message: >-
+    Avoid using sudo in Dockerfiles. Running processes as a non-root user can help 
+    reduce the potential impact of configuration errors and security vulnerabilities.
+  metadata:
+    category: security
+    technology:
+    - dockerfile
+    cwe: 
+    - 'CWE-250: Execution with Unnecessary Privileges'
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    references:
+    - https://cwe.mitre.org/data/definitions/250.html
+    - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: HIGH
+  languages:
+  - dockerfile
+  severity: WARNING
diff --git a/dockerfile/security/secret-in-build-arg.dockerfile b/dockerfile/security/secret-in-build-arg.dockerfile
@@ -26,6 +26,15 @@ ARG SECRET_KEY_BASE
 # ruleid: secret-in-build-arg
 ARG SECRET_TOKEN
 
+# ruleid: secret-in-build-arg
+ARG AUTH_TOKEN="this-is-a-secret"
+
+# ruleid: secret-in-build-arg
+ARG SSH_PRIVATE_KEY
+
+# ruleid: secret-in-build-arg
+ARG CERT_PASSWORD
+
 # ruleid: secret-in-build-arg
 ARG DJANGO_SECRET_KEY
 

diff --git a/dockerfile/security/secret-in-build-arg.yaml b/dockerfile/security/secret-in-build-arg.yaml
@@ -1,16 +1,18 @@
 rules:
 - id: secret-in-build-arg
   patterns:
-  - pattern: ARG $ARG
+  - pattern-either:
+    - pattern: ARG $ARG
+    - pattern: ARG $ARG=...
   - metavariable-regex:
       metavariable: $ARG
-      regex: (?i).*(password|secret|token)
+      regex: (?i).*(password|secret|token|key|cert|api|auth)
   message: >-
     Docker build time arguments are not suited for secrets, because the
     argument values are saved with the image. Running `docker image history` on the
     image will show information on how the image was built, including arguments. If
-    these contain secrets, anyone with access to the docker image can access those
-    secrets.
+    these contain plain text secrets, anyone with access to the docker image can access
+    those secrets and exploit them.
   metadata:
     category: security
     technology:
@@ -23,10 +25,10 @@ rules:
     - https://cwe.mitre.org/data/definitions/538.html
     - https://docs.docker.com/engine/reference/builder/#arg
     subcategory:
-    - audit
+      - audit
     likelihood: LOW
     impact: HIGH
     confidence: LOW
   languages:
-  - dockerfile
+    - dockerfile
   severity: WARNING
diff --git a/python/lang/security/audit/sqli/asyncpg-sqli.py b/python/lang/security/audit/sqli/asyncpg-sqli.py
@@ -58,6 +58,17 @@ async def bad9(conn: Connection, user_input):
     conn.execute(
     "insert into %s values (%%s, %%s)" % ext.quote_ident(table_name),[10, 20])
 
+def bad10(conn: asyncpg.Connection):
+    async with conn.transaction():
+        sql_query = 'SELECT * FROM {}'.format(user_input)
+        # ruleid: asyncpg-sqli
+        cur = await conn.cursor(sql_query)
+
+def bad11(conn: asyncpg.Connection):
+    import common
+    # ruleid: asyncpg-sqli
+    cur = conn.fetch(common.bad_query_1.format(user_input))
+
 def ok1(user_input):
     con = await asyncpg.connect(user='postgres')
     # ok: asyncpg-sqli

diff --git a/python/lang/security/audit/sqli/asyncpg-sqli.yaml b/python/lang/security/audit/sqli/asyncpg-sqli.yaml
@@ -63,6 +63,7 @@ rules:
           $QUERY = '...' % ()
           ...
     - pattern: $CONN.$METHOD(..., $X + $Y, ...)
+    - pattern: $CONN.$METHOD(..., $Y.format(...), ...)
     - pattern: $CONN.$METHOD(..., '...'.format(...), ...)
     - pattern: $CONN.$METHOD(..., '...' % (...), ...)
     - pattern: $CONN.$METHOD(..., f'...{$USERINPUT}...', ...)
@@ -82,6 +83,9 @@ rules:
     - pattern-inside: |
         def $FUNCNAME(..., $CONN: Connection, ...):
             ...
+    - pattern-inside: |
+        def $FUNCNAME(..., $CONN: asyncpg.Connection, ...):
+            ...
   - pattern-not: $CONN.$METHOD(..., "..." + "...", ...)
   - pattern-not: $CONN.$METHOD(..., '...'.format(), ...)
   - pattern-not: $CONN.$METHOD(..., '...'%(), ...)

diff --git a/swift/lang/storage/sensitive-storage-userdefaults.swift b/swift/lang/storage/sensitive-storage-userdefaults.swift
@@ -0,0 +1,35 @@
+let username = getUsername()
+let passphrase = getPass()
+
+
+// okid: swift-user-defaults
+UserDefaults.standard.set(username, forKey: "userName")
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(passphrase, forKey: "passphrase")
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(passWord, forKey: "userPassword")
+
+// ruleid: swift-user-defaults
+UserDefaults.standard.set("12717-127163-a71367-127ahc", forKey: "apiKey")
+
+let apiKey = "12717-127163-a71367-127ahc"
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(apiKey, forKey: "GOOGLE_TOKEN")
+
+
+let key = "1sdad3SADSD33131"
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(key, forKey: "cryptoKey")
+
+
+let key = "foobar"
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(key, forKey: "clientSecret")
+
+
+let key = "foobar"
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(key, forKey: "rsaPrivateKey")
+
+// ruleid: swift-user-defaults
+UserDefaults.standard.set(passphrase, forKey: "pass_phrase")
diff --git a/swift/lang/storage/sensitive-storage-userdefaults.yaml b/swift/lang/storage/sensitive-storage-userdefaults.yaml
@@ -0,0 +1,144 @@
+rules:
+- id: swift-user-defaults
+  message: >-
+    Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection
+    of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.
+  severity: WARNING
+  metadata:
+    likelihood: LOW
+    impact: HIGH
+    confidence: MEDIUM
+    category: security
+    cwe:
+    - 'CWE-311: Missing Encryption of Sensitive Data'
+    masvs:
+    - 'MASVS-STORAGE-1: The app securely stores sensitive data'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A04:2021 - Insecure Design
+    references:
+    - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
+    - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/
+    subcategory:
+    - vuln
+    technology:
+    - ios
+    - macos
+  languages:
+  - swift
+  options:
+    taint_propagation: true
+  patterns:
+  - pattern-either:
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: (?i).*(passcode|password|pass_word|passphrase|pass_code|pass_word|pass_phrase)$
+      - focus-metavariable: $VALUE
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: (?i).*(passcode|password|pass_word|passphrase|pass_code|pass_word|pass_phrase)$
+      - focus-metavariable: $KEY
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: (?i).*(api_key|apikey)$
+      - focus-metavariable: $VALUE
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: (?i).*(api_key|apikey)$
+      - focus-metavariable: $KEY
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: (?i).*(secretkey|secret_key|secrettoken|secret_token|clientsecret|client_secret)$
+      - focus-metavariable: $VALUE
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: (?i).*(secretkey|secret_key|secrettoken|secret_token|clientsecret|client_secret)$
+      - focus-metavariable: $KEY
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: (?i).*(cryptkey|cryptokey|crypto_key|cryptionkey|symmetrickey|privatekey|symmetric_key|private_key)$
+      - focus-metavariable: $VALUE
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set("$VALUE", forKey: $KEY)
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: "$KEY")
+        - pattern: |
+            UserDefaults.standard.set($VALUE, forKey: $KEY)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: (?i).*(cryptkey|cryptokey|crypto_key|cryptionkey|symmetrickey|privatekey|symmetric_key|private_key)$
+      - focus-metavariable: $KEY