-
Notifications
You must be signed in to change notification settings - Fork 39
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #69 from trailofbits/mschwager-35-more-rules
Add rules for '35 more Semgrep rules' blog post
- Loading branch information
Showing
70 changed files
with
2,263 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: amqp-unencrypted-transport | ||
| echo "Hello, World!" | amqp-publish --url=amqp://guest:[email protected]:5672 --routing-key=test_queue | ||
|
|
||
| # ok: amqp-unencrypted-transport | ||
| echo "Hello, World!" | amqp-publish --url=amqps://guest:[email protected]:5672 --routing-key=test_queue |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| rules: | ||
| - id: amqp-unencrypted-transport | ||
| message: | | ||
| Found unencrypted AMQP connection, prefer TLS encrypted `amqps://` transport | ||
| languages: [generic] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-319: Cleartext Transmission of Sensitive Information" | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [amqp, rabbitmq] | ||
| references: | ||
| - https://www.rabbitmq.com/docs/uri-spec#the-amqps-uri-scheme | ||
| options: | ||
| generic_ellipsis_max_span: 0 | ||
| pattern: amqp://... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/" | ||
|
|
||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=true" | ||
|
|
||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=true&something=else" | ||
|
|
||
| # we want to be lenient here | ||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=truebutbug" | ||
|
|
||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=truebutbug&something=else" | ||
|
|
||
| # we want to be strict here | ||
| # ruleid: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=truebutbug" | ||
|
|
||
| # ruleid: mongodb-insecure-transport | ||
| mongo 'mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=truebutbug&something=else' | ||
|
|
||
| # ok: mongodb-insecure-transport | ||
| mongo 'mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true' | ||
|
|
||
| # ok: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?tls=true&something=else" | ||
|
|
||
| # ok: mongodb-insecure-transport | ||
| mongo "mongodb://user:[email protected],db1.example.com,db2.example.com/?ssl=true" | ||
|
|
||
| echo ' | ||
| # ok: mongodb-insecure-transport | ||
| mongodb://user:[email protected],db1.example.com,db2.example.com/?ssl=true | ||
| ' | ||
|
|
||
| echo ' | ||
| # ruleid: mongodb-insecure-transport | ||
| mongodb://user:[email protected],db1.example.com,db2.example.com/?ssl=truebutbug | ||
| ' | ||
|
|
||
| echo ' | ||
| # ok: mongodb-insecure-transport | ||
| mongodb://user:[email protected],db1.example.com,db2.example.com/?ssl=true&something=else | ||
| ' | ||
|
|
||
| echo ' | ||
| # ruleid: mongodb-insecure-transport | ||
| mongodb://user:[email protected],db1.example.com,db2.example.com/?ssl=truebutbug&something=else | ||
| ' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| rules: | ||
| - id: mongodb-insecure-transport | ||
| message: | | ||
| Found insecure MongoDB connection, prefer TLS encrypted transport by | ||
| setting the `tls=true` connection option and ensuring proper verification | ||
| languages: [regex] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-295: Improper Certificate Validation" | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [mongodb] | ||
| references: | ||
| - https://www.mongodb.com/docs/manual/reference/connection-string/#connection-options | ||
| pattern-either: | ||
| - patterns: | ||
| - pattern-regex: (?i)mongodb://.+$ | ||
| - pattern-not-regex: (?i)(?:(.)?)?mongodb://.+[?&]tls=true(?:\g{1}|$|&).* | ||
| - pattern-not-regex: (?i)(?:(.)?)?mongodb://.+[?&]ssl=true(?:\g{1}|$|&).* | ||
| - pattern-regex: (?i)mongodb://.+[?&]tlsAllowInvalidCertificates=true.*$ | ||
| - pattern-regex: (?i)mongodb://.+[?&]tlsAllowInvalidHostnames=true.*$ | ||
| - pattern-regex: (?i)mongodb://.+[?&]tlsInsecure=true.*$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: mysql-insecure-sslmode | ||
| mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?SslMode=Disabled | ||
|
|
||
| # ruleid: mysql-insecure-sslmode | ||
| mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?useSSL=false | ||
|
|
||
| # ok: mysql-insecure-sslmode | ||
| mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?SslMode=Required |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| rules: | ||
| - id: mysql-insecure-sslmode | ||
| message: | | ||
| Found MySQL connection string disabling SSL verification | ||
| languages: [regex] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-295: Improper Certificate Validation" | ||
| confidence: MEDIUM | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [mysql] | ||
| references: | ||
| - https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html | ||
| - https://dev.mysql.com/doc/connector-j/en/connector-j-connp-props-security.html | ||
| pattern-either: | ||
| - pattern-regex: "(?i)Ssl[ -]?Mode=(Disabled|None|Preferred)" | ||
| - pattern-regex: "(?i)sslMode=(DISABLED|PREFERRED)" | ||
| - pattern-regex: "(?i)useSSL=false" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: node-disable-certificate-validation | ||
| export NODE_TLS_REJECT_UNAUTHORIZED=0 | ||
|
|
||
| # ok: node-disable-certificate-validation | ||
| export NODE_TLS_REJECT_UNAUTHORIZED=1 | ||
|
|
||
| # ok: node-disable-certificate-validation | ||
| export NODE_TLS_REJECT_UNAUTHORIZED=false | ||
|
|
||
| node app.js |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| rules: | ||
| - id: node-disable-certificate-validation | ||
| message: | | ||
| Setting this environment variable disables TLS certificate validation. | ||
| This makes TLS, and HTTPS by extension, insecure. The use of this | ||
| environment variable is strongly discouraged. | ||
| languages: [generic] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-295: Improper Certificate Validation" | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [nodejs] | ||
| references: | ||
| - https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue | ||
| pattern-either: | ||
| - pattern: NODE_TLS_REJECT_UNAUTHORIZED=0 | ||
| - pattern: NODE_TLS_REJECT_UNAUTHORIZED='0' | ||
| - pattern: NODE_TLS_REJECT_UNAUTHORIZED="0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: postgres-insecure-sslmode | ||
| psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=disable | ||
|
|
||
| # ruleid: postgres-insecure-sslmode | ||
| psql postgres://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=disable | ||
|
|
||
| # ruleid: postgres-insecure-sslmode | ||
| psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=PREfered | ||
|
|
||
| # "This option is deprecated in favor of the sslmode setting." | ||
| # ruleid: postgres-insecure-sslmode | ||
| psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?requiressl=0 | ||
|
|
||
| # ruleid: postgres-insecure-sslmode | ||
| psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=false" | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=verify-full&something=else" | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else" | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql 'postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else' | ||
|
|
||
| echo ' | ||
| # ok: postgres-insecure-sslmode | ||
| postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require&something=else | ||
| ' | ||
|
|
||
| echo ' | ||
| # ok: postgres-insecure-sslmode | ||
| postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require | ||
| ' | ||
|
|
||
| # "for compatibility with JDBC connection URIs, instances of ssl=true are translated into sslmode=require." | ||
| # ok: postgres-insecure-sslmode | ||
| psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=true" | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql "postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?ssl=true&something=else" | ||
|
|
||
| # ok: postgres-insecure-sslmode | ||
| psql 'postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?requiressl=1' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| rules: | ||
| - id: postgres-insecure-sslmode | ||
| message: | | ||
| Found PostgreSQL connection string disabling SSL verification | ||
| languages: [regex] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-295: Improper Certificate Validation" | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [postgresql] | ||
| references: | ||
| - https://www.postgresql.org/docs/current/libpq-connect.html | ||
| pattern-either: | ||
| - pattern-regex: (?i)postgresql://.+[?&]sslmode=(disable|allow|prefer).*$ | ||
| - pattern-regex: (?i)postgresql://.+[?&]requiressl=0.*$ | ||
| - pattern-regex: (?i)postgresql://.+[?&]ssl=false.*$ | ||
| - pattern-regex: (?i)postgres://.+[?&]sslmode=(disable|allow|prefer).*$ | ||
| - pattern-regex: (?i)postgres://.+[?&]requiressl=0.*$ | ||
| - pattern-regex: (?i)postgres://.+[?&]ssl=false.*$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
|
|
||
| # ruleid: redis-unencrypted-transport | ||
| redis-cli -u redis://user:password@host:port/dbnum PING | ||
|
|
||
| # ok: redis-unencrypted-transport | ||
| redis-cli -u rediss://user:password@host:port/dbnum PING |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| rules: | ||
| - id: redis-unencrypted-transport | ||
| message: | | ||
| Found unencrypted Redis connection, prefer TLS encrypted `rediss://` transport | ||
| languages: [generic] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| subcategory: [audit] | ||
| cwe: "CWE-319: Cleartext Transmission of Sensitive Information" | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [redis] | ||
| references: | ||
| - https://redis.io/docs/latest/develop/connect/cli/#host-port-password-and-database | ||
| options: | ||
| generic_ellipsis_max_span: 0 | ||
| pattern: redis://... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| task "example" { | ||
| driver = "docker" | ||
|
|
||
| config { | ||
| image = "secret/service" | ||
|
|
||
| auth { | ||
| username = "dockerhub_user" | ||
|
|
||
| # ruleid: docker-hardcoded-password | ||
| password = "dockerhub_password" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| task "example" { | ||
| driver = "docker" | ||
|
|
||
| config { | ||
| image = "secret/service" | ||
|
|
||
| auth { | ||
| username = "dockerhub_user" | ||
|
|
||
| # ok: docker-hardcoded-password | ||
| password = "${PASSWORD}" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| task "example" { | ||
| driver = "podman" | ||
|
|
||
| config { | ||
| image = "secret/service" | ||
|
|
||
| auth { | ||
| username = "dockerhub_user" | ||
|
|
||
| # ruleid: docker-hardcoded-password | ||
| password = "dockerhub_password" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| rules: | ||
| - id: docker-hardcoded-password | ||
| message: | | ||
| Found Nomad task using Docker auth with hardcoded password | ||
| languages: [hcl] | ||
| severity: WARNING | ||
| metadata: | ||
| category: security | ||
| cwe: "CWE-798: Use of Hard-coded Credentials" | ||
| subcategory: [audit] | ||
| confidence: HIGH | ||
| likelihood: HIGH | ||
| impact: HIGH | ||
| technology: [nomad, docker, podman] | ||
| references: | ||
| - https://developer.hashicorp.com/nomad/docs/drivers/docker#password | ||
| patterns: | ||
| - pattern-inside: | | ||
| task "..." { | ||
| ... | ||
| driver = "$RUNTIME" | ||
| ... | ||
| config { | ||
| ... | ||
| auth { | ||
| ... | ||
| } | ||
| ... | ||
| } | ||
| ... | ||
| } | ||
| - pattern: password = "..." | ||
| - metavariable-regex: | ||
| metavariable: $RUNTIME | ||
| regex: (docker|podman) |
Oops, something went wrong.