diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..f45e1fda --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,82 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '31 2 * * 1' + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..bc5d231f --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ "Testing-2" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "Testing-2" ] + schedule: + - cron: '44 18 * * 2' + +permissions: + contents: read + +jobs: + semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Scan + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + steps: + # Checkout project source + - uses: actions/checkout@v3 + - name: Semgrep Scan + id: scan + #run: semgrep ci --config=auto --suppress-errors --sarif || true + run: | + semgrep \ + --sarif --output report.sarif \ + --config=semgrep_rules.yaml + + # Scan code using project's configuration on https://semgrep.dev/manage + # - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + # with: + #publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + #publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + # generateSarif: "1" + + # Upload SARIF file generated in previous step + + - name: Add Labels to Code Scanning Issues + env: + SEMGREP_SEVERITY: ${{ steps.scan.outputs.severity }} + run: | + if [[ "$SEMGREP_SEVERITY" == "error" ]]; then + gh issue list | grep "Semgrep" | grep "error" | cut -d' ' -f1 | xargs -I {} gh issue add-label {} "High" + elif [[ "$SEMGREP_SEVERITY" == "warning" ]]; then + gh issue list | grep "Semgrep" | grep "warning" | cut -d' ' -f1 | xargs -I {} gh issue add-label {} "Medium" + elif [[ "$SEMGREP_SEVERITY" == "info" ]]; then + gh issue list | grep "Semgrep" | grep "info" | cut -d' ' -f1 | xargs -I {} gh issue add-label {} "Low" + fi + + # Make sure you have the GitHub CLI (gh) available and configured in your workflow. + + # - name: Save Report as Pipeline Artifact + # uses: actions/upload-artifact@v3 + # with: + # name: report.sarif + # path: report.sarif + + # step 4 + - name: Publish Code Scanning Alerts + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: report.sarif diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml new file mode 100644 index 00000000..c1f81e5f --- /dev/null +++ b/.github/workflows/sonarqube.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) +# +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) + +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) + +name: SonarQube analysis + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. + uses: SonarSource/sonarqube-scan-action@v1.1.0 + #uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 + #env: + # GITHUB_TOKEN: ${{ secrets.GT_TOKEN }} # Needed to get PR information + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false diff --git a/semgrep_rules.yaml b/semgrep_rules.yaml new file mode 100644 index 00000000..a54e591b --- /dev/null +++ b/semgrep_rules.yaml @@ -0,0 +1,65657 @@ +rules: +- id: c.lang.security.double-free.double-free + patterns: + - pattern-not: | + free($VAR); + ... + $VAR = NULL; + ... + free($VAR); + - pattern-not: | + free($VAR); + ... + $VAR = malloc(...); + ... + free($VAR); + - pattern-inside: | + free($VAR); + ... + $FREE($VAR); + - metavariable-pattern: + metavariable: $FREE + pattern: free + - focus-metavariable: $FREE + message: Variable '$VAR' was freed twice. This can lead to undefined behavior. + metadata: + cwe: + - 'CWE-415: Double Free' + owasp: + - A03:2021 - Injection + - A01:2017 - Injection + references: + - https://cwe.mitre.org/data/definitions/415.html + - https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/c.lang.security.double-free.double-free + shortlink: https://sg.run/eLl0 + semgrep.dev: + rule: + rule_id: JDUyw8 + version_id: w8Te3K + url: https://semgrep.dev/playground/r/w8Te3K/c.lang.security.double-free.double-free + origin: community + languages: + - c + severity: ERROR +- id: c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string + message: Use %s, %d, %c... to format your variables, otherwise this could leak information. + metadata: + cwe: + - 'CWE-532: Insertion of Sensitive Information into Log File' + references: + - http://nebelwelt.net/files/13PPREW.pdf + category: security + technology: + - c + confidence: MEDIUM + owasp: + - A09:2021 - Security Logging and Monitoring Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string + shortlink: https://sg.run/vzwn + semgrep.dev: + rule: + rule_id: 5rUOlg + version_id: O9TPyd + url: https://semgrep.dev/playground/r/O9TPyd/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string + origin: community + languages: + - c + severity: WARNING + pattern: printf(argv[$NUM]); +- id: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + pattern: gets(...) + message: Avoid 'gets()'. This function does not consider buffer boundaries and can + lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + shortlink: https://sg.run/dKqX + semgrep.dev: + rule: + rule_id: GdU7OE + version_id: e1T6xy + url: https://semgrep.dev/playground/r/e1T6xy/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + origin: community + languages: + - c + severity: ERROR +- id: c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + message: Avoid using user-controlled format strings passed into 'sprintf', 'printf' + and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities + through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'. + metadata: + cwe: + - 'CWE-134: Use of Externally-Controlled Format String' + references: + - https://doc.castsoftware.com/display/SBX/Never+use+sprintf%28%29+or+vsprintf%28%29+functions + - https://www.cvedetails.com/cwe-details/134/Uncontrolled-Format-String.html + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + shortlink: https://sg.run/ZvJx + semgrep.dev: + rule: + rule_id: ReUgWx + version_id: YDTPeG + url: https://semgrep.dev/playground/r/YDTPeG/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + origin: community + languages: + - c + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + vsprintf(..., $BUFFER, ...); + - pattern: vsprintf(..., argv[$NUM], ...) + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + sprintf(..., $BUFFER, ...); + - pattern: sprintf(...,argv[$NUM],...) + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + printf(..., $BUFFER, ...); + - pattern: printf(...,argv[$NUM],...) + - metavariable-comparison: + metavariable: $NUM + comparison: int($NUM) > 0 +- id: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn + pattern: scanf(...) + message: Avoid using 'scanf()'. This function, when used improperly, does not consider + buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for + reading input. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html + category: security + technology: + - c + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn + shortlink: https://sg.run/nd1g + semgrep.dev: + rule: + rule_id: AbUzPd + version_id: ZRTLwx + url: https://semgrep.dev/playground/r/ZRTLwx/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + pattern: strtok(...) + message: Avoid using 'strtok()'. This function directly modifies the first argument + buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged + - https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS + - https://stackoverflow.com/a/40335556 + category: security + technology: + - c + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + shortlink: https://sg.run/LwqG + semgrep.dev: + rule: + rule_id: WAUo5v + version_id: 7ZTLOY + url: https://semgrep.dev/playground/r/7ZTLOY/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.random-fd-exhaustion.random-fd-exhaustion + pattern-either: + - patterns: + - pattern: | + $FD = open("/dev/urandom", ...); + ... + read($FD, ...); + - pattern-not: | + $FD = open("/dev/urandom", ...); + ... + $BYTES_READ = read($FD, ...); + - patterns: + - pattern: | + $FD = open("/dev/random", ...); + ... + read($FD, ...); + - pattern-not: | + $FD = open("/dev/random", ...); + ... + $BYTES_READ = read($FD, ...); + message: Call to 'read()' without error checking is susceptible to file descriptor + exhaustion. Consider using the 'getrandom()' function. + metadata: + cwe: + - 'CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling' + references: + - https://lwn.net/Articles/606141/ + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion + shortlink: https://sg.run/8yNj + semgrep.dev: + rule: + rule_id: 0oU5k4 + version_id: LjT10x + url: https://semgrep.dev/playground/r/LjT10x/c.lang.security.random-fd-exhaustion.random-fd-exhaustion + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.use-after-free.use-after-free + patterns: + - pattern-either: + - pattern: $VAR->$ACCESSOR + - pattern: (*$VAR).$ACCESSOR + - pattern: $VAR[$NUM] + - pattern-inside: free($VAR); ... + - pattern-not-inside: $VAR = NULL; ... + - pattern-not-inside: free($VAR); ... $VAR = malloc(...); ... + message: Variable '$VAR' was used after being freed. This can lead to undefined + behavior. + metadata: + cwe: + - 'CWE-416: Use After Free' + references: + - https://cwe.mitre.org/data/definitions/416.html + - https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/ + category: security + technology: + - c + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/c.lang.security.use-after-free.use-after-free + shortlink: https://sg.run/gL6e + semgrep.dev: + rule: + rule_id: KxUb9l + version_id: 8KTdb0 + url: https://semgrep.dev/playground/r/8KTdb0/c.lang.security.use-after-free.use-after-free + origin: community + languages: + - c + severity: WARNING +- id: contrib.nodejsscan.crypto_node.node_md5 + message: The MD5 hashing algorithm is considered to be weak. If this is used in + any sensitive operation such as password hashing, or is used to ensure data integrity + (collision sensitive) then you should use a stronger hashing algorithm. For passwords, + consider using `Argon2id`, `scrypt`, or `bcrypt`. For data integrity, consider + using `SHA-256` + severity: WARNING + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + technology: + - node.js + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/contrib.nodejsscan.crypto_node.node_md5 + shortlink: https://sg.run/dKBX + semgrep.dev: + rule: + rule_id: GdU75E + version_id: yeT6L5 + url: https://semgrep.dev/playground/r/yeT6L5/contrib.nodejsscan.crypto_node.node_md5 + origin: community + languages: + - javascript + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + "md5" + - pattern: | + "MD5" + pattern-sinks: + - patterns: + - pattern-inside: | + $CRYPTO.createHash(...) +- id: contrib.nodejsscan.crypto_node.node_sha1 + message: The SHA1 hashing algorithm is considered to be weak. If this is used in + any sensitive operation such as password hashing, or is used to ensure data integrity + (collision sensitive) then you should use a stronger hashing algorithm. For passwords, + consider using `Argon2id`, `scrypt`, or `bcrypt`. For data integrity, consider + using `SHA-256` + severity: WARNING + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + technology: + - node.js + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/contrib.nodejsscan.crypto_node.node_sha1 + shortlink: https://sg.run/ZvEx + semgrep.dev: + rule: + rule_id: ReUgYx + version_id: rxT5Y8 + url: https://semgrep.dev/playground/r/rxT5Y8/contrib.nodejsscan.crypto_node.node_sha1 + origin: community + languages: + - javascript + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + "SHA1" + - pattern: | + "sha1" + pattern-sinks: + - patterns: + - pattern-inside: | + $CRYPTO.createHash(...) +- id: generic.dockerfile.security.last-user-is-root.last-user-is-root + patterns: + - pattern: USER root + - pattern-not-inside: | + USER root + ... + USER $ANYTHING + message: The last user in the container is 'root'. This is a security hazard because + if an attacker gains control of the container they will have root access. Switch + back to another user after running commands as 'root'. + severity: ERROR + languages: + - dockerfile + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002 + references: + - https://github.com/hadolint/hadolint/wiki/DL3002 + category: security + technology: + - dockerfile + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/generic.dockerfile.security.last-user-is-root.last-user-is-root + shortlink: https://sg.run/N461 + semgrep.dev: + rule: + rule_id: L1UyO5 + version_id: LjT072 + url: https://semgrep.dev/playground/r/LjT072/generic.dockerfile.security.last-user-is-root.last-user-is-root + origin: community +- id: generic.html-templates.security.var-in-script-src.var-in-script-src + message: Detected a template variable used as the 'src' in a script tag. Although + template variables are HTML escaped, HTML escaping does not always prevent malicious + URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. + Prefer not to dynamically generate the 'src' attribute and use static URLs instead. + If you must do this, carefully check URLs against an allowlist and be sure to + URL-encode the result. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A + - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough + - https://github.com/ESAPI/owasp-esapi-js + category: security + technology: + - html-templates + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src + shortlink: https://sg.run/OPob + semgrep.dev: + rule: + rule_id: 3qUPnO + version_id: QkTJ8p + url: https://semgrep.dev/playground/r/QkTJ8p/generic.html-templates.security.var-in-script-src.var-in-script-src + origin: community + languages: + - generic + paths: + include: + - '*.mustache' + - '*.hbs' + - '*.html' + severity: WARNING + patterns: + - pattern-inside: + - pattern-not-inside: + - pattern: '` ... {{ ... }} ...`' +- id: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter + message: Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. + This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. + Instead, use the 'html/template' package to render data to users. + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ + - https://golang.org/pkg/io/#WriteString + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter + shortlink: https://sg.run/gLwn + semgrep.dev: + rule: + rule_id: DbUpEr + version_id: BjTEzK + url: https://semgrep.dev/playground/r/BjTEzK/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + func $HANDLER(..., $WRITER http.ResponseWriter, ...) { + ... + } + - pattern-inside: | + func(..., $WRITER http.ResponseWriter, ...) { + ... + } + - pattern-not: io.WriteString($WRITER, "...") + - pattern: io.WriteString($WRITER, $STRING) + languages: + - go +- id: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter + message: Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses + HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use + the 'html/template' package to render data to users. + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter + shortlink: https://sg.run/Q5BP + semgrep.dev: + rule: + rule_id: WAUoLp + version_id: DkTQxN + url: https://semgrep.dev/playground/r/DkTQxN/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + func $HANDLER(..., $WRITER http.ResponseWriter, ...) { + ... + } + - pattern-inside: | + func(..., $WRITER http.ResponseWriter, ...) { + ... + } + - pattern: | + $WRITER.Write(<... fmt.$PRINTF(...) ...>, ...) + languages: + - go +- id: go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type + message: Semgrep could not determine that the argument to 'template.HTML()' is a + constant. 'template.HTML()' and similar does not escape contents. Be absolutely + sure there is no user-controlled data in this template. If user data can reach + this template, you may have a XSS vulnerability. Instead, do not use this function + and use 'template.Execute()'. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://golang.org/pkg/html/template/#HTML + - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33 + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type + shortlink: https://sg.run/3xDb + semgrep.dev: + rule: + rule_id: 0oU5n3 + version_id: WrTbNQ + url: https://semgrep.dev/playground/r/WrTbNQ/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type + origin: community + languages: + - go + severity: WARNING + patterns: + - pattern-not: template.$ANY("..." + "...") + - pattern-not: template.$ANY("...") + - pattern-either: + - pattern: template.HTML(...) + - pattern: template.CSS(...) + - pattern: template.HTMLAttr(...) + - pattern: template.JS(...) + - pattern: template.JSStr(...) + - pattern: template.Srcset(...) + - pattern: template.URL(...) +- id: go.otto.security.audit.dangerous-execution.dangerous-execution + message: Detected non-static script inside otto VM. Audit the input to 'VM.Run'. + If unverified user data can reach this call site, this is a code injection vulnerability. + A malicious actor can inject a malicious script to execute arbitrary code. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - otto + - vm + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution + shortlink: https://sg.run/4xWE + semgrep.dev: + rule: + rule_id: KxUbxk + version_id: pZTrzq + url: https://semgrep.dev/playground/r/pZTrzq/go.otto.security.audit.dangerous-execution.dangerous-execution + origin: community + severity: ERROR + patterns: + - pattern-inside: | + $VM = otto.New(...) + ... + - pattern-not: $VM.Run("...", ...) + - pattern: $VM.Run(...) + languages: + - go +- id: go.template.security.insecure-types.go-insecure-templates + patterns: + - pattern-inside: | + import "html/template" + ... + - pattern-either: + - pattern: var $VAR template.HTML = $EXP + - pattern: var $VAR template.CSS = $EXP + - pattern: var $VAR template.HTMLAttr = $EXP + - pattern: var $VAR template.JS = $EXP + - pattern: var $VAR template.JSStr = $EXP + - pattern: var $VAR template.Srcset = $EXP + message: usage of insecure template types. They are documented as a security risk. + See https://golang.org/pkg/html/template/#HTML. + severity: WARNING + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://golang.org/pkg/html/template/#HTML + - https://twitter.com/empijei/status/1275177219011350528 + category: security + technology: + - template + confidence: LOW + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/go.template.security.insecure-types.go-insecure-templates + shortlink: https://sg.run/PJAq + semgrep.dev: + rule: + rule_id: qNUjDy + version_id: d6TndD + url: https://semgrep.dev/playground/r/d6TndD/go.template.security.insecure-types.go-insecure-templates + origin: community + languages: + - go +- id: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + technology: + - java + - secrets + - jwt + category: security + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + shortlink: https://sg.run/RoDK + semgrep.dev: + rule: + rule_id: oqUeAn + version_id: xyT4G7 + url: https://semgrep.dev/playground/r/xyT4G7/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + origin: community + languages: + - java + severity: WARNING + patterns: + - pattern-either: + - pattern: | + (Algorithm $ALG) = $ALGO.$HMAC("$Y"); + - pattern: | + $SECRET = "$Y"; + ... + (Algorithm $ALG) = $ALGO.$HMAC($SECRET); + - pattern: | + class $CLASS { + ... + $TYPE $SECRET = "$Y"; + ... + $RETURNTYPE $FUNC (...) { + ... + (Algorithm $ALG) = $ALGO.$HMAC($SECRET); + ... + } + ... + } + - focus-metavariable: $Y + - metavariable-regex: + metavariable: $HMAC + regex: (HMAC384|HMAC256|HMAC512) +- id: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + confidence: HIGH + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg + shortlink: https://sg.run/Av14 + semgrep.dev: + rule: + rule_id: zdUkzR + version_id: O9TylW + url: https://semgrep.dev/playground/r/O9TylW/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg + origin: community + languages: + - java + severity: ERROR + pattern-either: + - pattern: | + $JWT.sign(com.auth0.jwt.algorithms.Algorithm.none()); + - pattern: | + $NONE = com.auth0.jwt.algorithms.Algorithm.none(); + ... + $JWT.sign($NONE); + - pattern: |- + class $CLASS { + ... + $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none(); + ... + $RETURNTYPE $FUNC (...) { + ... + $JWT.sign($NONE); + ... + } + ... + } +- id: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify + message: Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. This + means a malicious actor could forge a JWT token with any claims. Call '.verify()' + before using the token. + metadata: + cwe: + - 'CWE-345: Insufficient Verification of Data Authenticity' + owasp: + - A08:2021 - Software and Data Integrity Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + confidence: MEDIUM + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify + shortlink: https://sg.run/Bk95 + semgrep.dev: + rule: + rule_id: pKUOE9 + version_id: w8T3lO + url: https://semgrep.dev/playground/r/w8T3lO/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify + origin: community + languages: + - java + severity: WARNING + patterns: + - pattern: | + com.auth0.jwt.JWT.decode(...); + - pattern-not-inside: |- + class $CLASS { + ... + $RETURNTYPE $FUNC (...) { + ... + $VERIFIER.verify(...); + ... + } + } +- id: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN + references: + - https://www.owasp.org/index.php/Path_Traversal + category: security + technology: + - jax-rs + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + shortlink: https://sg.run/DoWj + semgrep.dev: + rule: + rule_id: 2ZUb9l + version_id: d6TD4W + url: https://semgrep.dev/playground/r/d6TD4W/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + origin: community + message: Detected a potential path traversal. A malicious actor could control the + location of this file, to include going backwards in the directory with '../'. + To address this, ensure that user-controlled variables in file paths are sanitized. + You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) + to only retrieve the file name from the path. + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) { + ... + new File(..., $VAR, ...); + ... + } + - pattern: |- + $RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) { + ... + new File(..., $VAR, ...); + ... + } +- id: java.jboss.security.session_sqli.find-sql-string-concatenation + message: In $METHOD, $X is used to construct a SQL query via string concatenation. + languages: + - java + severity: ERROR + pattern-either: + - pattern: | + $RETURN $METHOD(...,String $X,...){ + ... + Session $SESSION = ...; + ... + String $QUERY = ... + $X + ...; + ... + PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY); + ... + ResultSet $RESULT = $PS.executeQuery(); + ... + } + - pattern: | + $RETURN $METHOD(...,String $X,...){ + ... + String $QUERY = ... + $X + ...; + ... + Session $SESSION = ...; + ... + PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY); + ... + ResultSet $RESULT = $PS.executeQuery(); + ... + } + metadata: + category: security + technology: + - jboss + confidence: MEDIUM + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation + shortlink: https://sg.run/W8kA + semgrep.dev: + rule: + rule_id: X5U8rQ + version_id: nWT7GB + url: https://semgrep.dev/playground/r/nWT7GB/java.jboss.security.session_sqli.find-sql-string-concatenation + origin: community +- id: java.jjwt.security.jwt-none-alg.jjwt-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.3 Insecue Stateless Session Tokens + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jwt + confidence: LOW + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg + shortlink: https://sg.run/0Q7b + semgrep.dev: + rule: + rule_id: j2Uvol + version_id: ExTnq9 + url: https://semgrep.dev/playground/r/ExTnq9/java.jjwt.security.jwt-none-alg.jjwt-none-alg + origin: community + languages: + - java + severity: ERROR + patterns: + - pattern: | + io.jsonwebtoken.Jwts.builder(); + - pattern-not-inside: |- + $RETURNTYPE $FUNC(...) { + ... + $JWTS.signWith(...); + ... + } +- id: java.lang.security.do-privileged-use.do-privileged-use + severity: WARNING + languages: + - java + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + references: + - https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html + - https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation + - http://phrack.org/papers/escaping_the_java_sandbox.html + category: security + technology: + - java + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use + shortlink: https://sg.run/6n76 + semgrep.dev: + rule: + rule_id: bwUw28 + version_id: l4T5Xb + url: https://semgrep.dev/playground/r/l4T5Xb/java.lang.security.do-privileged-use.do-privileged-use + origin: community + message: Marking code as privileged enables a piece of trusted code to temporarily + enable access to more resources than are available directly to the code that called + it. Be very careful in your use of the privileged construct, and always remember + to make the privileged code section as small as possible. + patterns: + - pattern-inside: | + import java.security.*; + ... + - pattern-either: + - pattern: AccessController.doPrivileged(...); + - pattern: class $ACTION implements PrivilegedAction { ... } +- id: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN + references: + - https://www.owasp.org/index.php/Path_Traversal + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + shortlink: https://sg.run/oxXN + semgrep.dev: + rule: + rule_id: NbUk7X + version_id: YDToYW + url: https://semgrep.dev/playground/r/YDToYW/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + origin: community + message: Detected a potential path traversal. A malicious actor could control the + location of this file, to include going backwards in the directory with '../'. + To address this, ensure that user-controlled variables in file paths are sanitized. + You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) + to only retrieve the file name from the path. + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ) + - patterns: + - pattern-inside: | + (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); + ... + for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { + ... + } + - pattern: | + $COOKIE.getValue(...) + - patterns: + - pattern-inside: | + $TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...); + ... + - pattern: | + $PARAM = $VALS[$INDEX]; + pattern-sanitizers: + - pattern: org.apache.commons.io.FilenameUtils.getName(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (java.io.File $FILE) = ... + - pattern: | + (java.io.FileOutputStream $FOS) = ... + - pattern: | + new java.io.FileInputStream(...) + severity: ERROR + languages: + - java +- id: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization + severity: WARNING + languages: + - java + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.3 Insecue Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization + shortlink: https://sg.run/zvO1 + semgrep.dev: + rule: + rule_id: kxUk12 + version_id: 6xTeyB + url: https://semgrep.dev/playground/r/6xTeyB/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization + origin: community + message: JMS Object messages depend on Java Serialization for marshalling/unmarshalling + of the message payload when ObjectMessage.getObject() is called. Deserialization + of untrusted data can lead to security flaws; a remote attacker could via a crafted + JMS ObjectMessage to execute arbitrary code with the permissions of the application + listening/consuming JMS Messages. In this case, the JMS MessageListener consume + an ObjectMessage type received inside the onMessage method, which may lead to + arbitrary code execution when calling the $Y.getObject method. + patterns: + - pattern-inside: | + public class $JMS_LISTENER implements MessageListener { + ... + public void onMessage(Message $JMS_MSG) { + ... + } + } + - pattern-either: + - pattern-inside: $X = $Y.getObject(...); + - pattern-inside: $X = ($Z) $Y.getObject(...); +- id: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + message: 'Cross-site scripting detected in HttpServletResponse writer with variable + ''$VAR''. User input was detected going directly from the HttpServletRequest into + output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: + ''Encode.forHtml($VAR)''.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + shortlink: https://sg.run/pxjN + semgrep.dev: + rule: + rule_id: wdUJOk + version_id: zyT5G7 + url: https://semgrep.dev/playground/r/zyT5G7/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + origin: community + severity: ERROR + patterns: + - pattern-inside: $TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... } + - pattern-inside: $VAR = $REQ.getParameter(...); ... + - pattern-either: + - pattern: $RESP.getWriter(...).write(..., $VAR, ...); + - pattern: | + $WRITER = $RESP.getWriter(...); + ... + $WRITER.write(..., $VAR, ...); + languages: + - java +- id: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + shortlink: https://sg.run/2x75 + semgrep.dev: + rule: + rule_id: x8Unkq + version_id: 2KT1dO + url: https://semgrep.dev/playground/r/2KT1dO/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + origin: community + message: XML external entities are enabled for this XMLInputFactory. This is vulnerable + to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" + to false. + pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", + true); + languages: + - java +- id: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + severity: WARNING + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf + - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + shortlink: https://sg.run/XBwA + semgrep.dev: + rule: + rule_id: OrU35O + version_id: X0TPAy + url: https://semgrep.dev/playground/r/X0TPAy/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + origin: community + message: XML external entities are not explicitly disabled for this XMLInputFactory. + This could be vulnerable to XML external entity vulnerabilities. Explicitly disable + external entities by setting "javax.xml.stream.isSupportingExternalEntities" to + false. + patterns: + - pattern-not-inside: | + $RETURNTYPE $METHOD(...) { + ... + $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); + ... + } + - pattern-not-inside: | + $RETURNTYPE $METHOD(...) { + ... + $XMLFACTORY.setProperty(java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES, false); + ... + } + - pattern-either: + - pattern: $XMLFACTORY = $W.newFactory(...); + - pattern: $XMLFACTORY = new XMLInputFactory(...); + languages: + - java +- id: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + metadata: + cwe: + - 'CWE-287: Improper Authentication' + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + shortlink: https://sg.run/jR6A + semgrep.dev: + rule: + rule_id: eqU8J3 + version_id: 7ZTOWO + url: https://semgrep.dev/playground/r/7ZTOWO/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + origin: community + message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP + statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html + for more information. + severity: WARNING + pattern: | + $ENV.put($CTX.SECURITY_AUTHENTICATION, "none"); + ... + $DCTX = new InitialDirContext($ENV, ...); + languages: + - java +- id: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + metadata: + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + owasp: A03:2017 - Sensitive Data Exposure + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION + category: security + technology: + - java + references: + - https://cwe.mitre.org/data/definitions/704.html + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + shortlink: https://sg.run/1Z7D + semgrep.dev: + rule: + rule_id: v8Uny0 + version_id: LjT0PY + url: https://semgrep.dev/playground/r/LjT0PY/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + origin: community + message: '''Integer.toHexString()'' strips leading zeroes from each byte if read + byte-by-byte. This mistake weakens the hash value computed since it introduces + more collisions. Use ''String.format("%02X", ...)'' instead.' + severity: WARNING + languages: + - java + pattern: |- + $X $METHOD(...) { + ... + MessageDigest $MD = ...; + ... + $MD.digest(...); + ... + Integer.toHexString(...); + } +- id: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size + shortlink: https://sg.run/9o74 + semgrep.dev: + rule: + rule_id: d8UjJ3 + version_id: 8KTbAe + url: https://semgrep.dev/playground/r/8KTbAe/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size + origin: community + message: Using less than 128 bits for Blowfish is considered insecure. Use 128 bits + or more, or switch to use AES instead. + severity: WARNING + languages: + - java + patterns: + - pattern: | + $KEYGEN = KeyGenerator.getInstance("Blowfish"); + ... + $KEYGEN.init($SIZE); + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 128 +- id: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + message: Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A + malicious actor could discern the difference between plaintext with valid or invalid + padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' + instead. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE + references: + - https://capec.mitre.org/data/definitions/463.html + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes + - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY + category: security + technology: + - java + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + shortlink: https://sg.run/ydxr + semgrep.dev: + rule: + rule_id: ZqU5oD + version_id: gETqyZ + url: https://semgrep.dev/playground/r/gETqyZ/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + origin: community + severity: WARNING + fix: | + "AES/GCM/NoPadding" + languages: + - java + patterns: + - pattern-inside: Cipher.getInstance("=~/.*\/CBC\/PKCS5Padding/") + - pattern: | + "=~/.*\/CBC\/PKCS5Padding/" +- id: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + patterns: + - metavariable-pattern: + metavariable: $RUNTIME + patterns: + - pattern-either: + - pattern: (java.lang.Runtime $R) + - pattern: java.lang.Runtime.getRuntime(...) + - pattern-either: + - pattern: $RUNTIME.exec($X + $Y); + - pattern: $RUNTIME.exec(String.format(...)); + - pattern: $RUNTIME.loadLibrary($X + $Y); + - pattern: $RUNTIME.loadLibrary(String.format(...)); + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec($CMD,"-c",$ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; + ... + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec($CMD, $EXECUTE, $ARG, ...) + - pattern-inside: | + $CMD = new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/", ...}; + ... + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", $BASH, $ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...},...) + - pattern-inside: | + $BASH = new String[]{"=~/(-c)/", ...}; + ... + - pattern-not-inside: | + $ARG = "..."; + ... + - pattern-not: | + $RUNTIME.exec("...","...","...",...) + - pattern-not: | + $RUNTIME.exec(new String[]{"...","...","...",...},...) + - pattern-not: | + $RUNTIME.exec(Arrays.asList("...","...","...",...),...) + message: A formatted or concatenated string was detected as input to a java.lang.Runtime + call. This is dangerous if a variable is controlled by user input and could result + in a command injection. Ensure your variables are not controlled by users or sufficiently + sanitized. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION. + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + shortlink: https://sg.run/rd90 + semgrep.dev: + rule: + rule_id: nJUzvJ + version_id: QkTJkW + url: https://semgrep.dev/playground/r/QkTJkW/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + origin: community + severity: ERROR + languages: + - java +- id: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + metadata: + cwe: + - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' + owasp: + - A05:2021 - Security Misconfiguration + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.4.2 Missing Cookie Attribute + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + shortlink: https://sg.run/b7Be + semgrep.dev: + rule: + rule_id: EwU2z6 + version_id: 44ToQA + url: https://semgrep.dev/playground/r/44ToQA/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + origin: community + message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' + flag for cookies instructs the browser to forbid client-side scripts from reading + the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);' + severity: WARNING + languages: + - java + patterns: + - pattern-not-inside: $COOKIE.setValue(""); ... + - pattern-either: + - pattern: $COOKIE.setHttpOnly(false); + - patterns: + - pattern-not-inside: $COOKIE.setHttpOnly(...); ... + - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... + - pattern: $RESPONSE.addCookie($COOKIE); +- id: java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.4.3 Missing Cookie Attribute + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management + version: '4' + references: + - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite + shortlink: https://sg.run/N427 + semgrep.dev: + rule: + rule_id: 7KUQkX + version_id: PkTYxZ + url: https://semgrep.dev/playground/r/PkTYxZ/java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite + origin: community + message: Detected cookie without the SameSite attribute. + severity: WARNING + languages: + - java + patterns: + - pattern: a() + - pattern: b() +- id: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + metadata: + cwe: + - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' + owasp: + - A05:2021 - Security Misconfiguration + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.4.1 Missing Cookie Attribute + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + shortlink: https://sg.run/kXoK + semgrep.dev: + rule: + rule_id: L1Uyvp + version_id: JdTqlP + url: https://semgrep.dev/playground/r/JdTqlP/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + origin: community + message: A cookie was detected without setting the 'secure' flag. The 'secure' flag + for cookies prevents the client from transmitting the cookie over insecure channels + such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);' + severity: WARNING + languages: + - java + patterns: + - pattern-not-inside: $COOKIE.setValue(""); ... + - pattern-either: + - pattern: $COOKIE.setSecure(false); + - patterns: + - pattern-not-inside: $COOKIE.setSecure(...); ... + - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... + - pattern: $RESPONSE.addCookie($COOKIE); +- id: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + message: When data from an untrusted source is put into a logger and not neutralized + correctly, an attacker could forge log entries or include malicious content. + metadata: + cwe: + - 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + shortlink: https://sg.run/wek0 + semgrep.dev: + rule: + rule_id: 8GUjwW + version_id: 5PT6y8 + url: https://semgrep.dev/playground/r/5PT6y8/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + class $CLASS { + ... + Logger $LOG = ...; + ... + } + - pattern-either: + - pattern-inside: | + $X $METHOD(...,HttpServletRequest $REQ,...) { + ... + } + - pattern-inside: | + $X $METHOD(...,ServletRequest $REQ,...) { + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + HttpServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + Logger $LOG = ...; + ... + HttpServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + Logger $LOG = ...; + ... + ServletRequest $REQ = ...; + ... + } + - pattern-either: + - pattern: | + String $VAL = $REQ.getParameter(...); + ... + $LOG.$LEVEL(<... $VAL ...>); + - pattern: | + String $VAL = $REQ.getParameter(...); + ... + $LOG.log($LEVEL,<... $VAL ...>); + - pattern: | + $LOG.$LEVEL(<... $REQ.getParameter(...) ...>); + - pattern: | + $LOG.log($LEVEL,<... $REQ.getParameter(...) ...>); +- id: java.lang.security.audit.el-injection.el-injection + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection + shortlink: https://sg.run/x1wp + semgrep.dev: + rule: + rule_id: gxU1Np + version_id: 6xTeDB + url: https://semgrep.dev/playground/r/6xTeDB/java.lang.security.audit.el-injection.el-injection + origin: community + message: An expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF; + ... + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF = ...; + ... + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + $X $METHOD(...) { + ... + ExpressionFactory $EF = ...; + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ExpressionFactory $EF,...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF; + ... + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF = ...; + ... + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + $X $METHOD(...) { + ... + ExpressionFactory $EF = ...; + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ExpressionFactory $EF,...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(String $INPUT, ...) { + ... + $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $EF.createValueExpression($CTX,$S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $EF.createMethodExpression($CTX,$S,...); + ... + } +- id: java.lang.security.audit.formatted-sql-string.formatted-sql-string + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.5 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + - https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps + - https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string + shortlink: https://sg.run/OPXp + semgrep.dev: + rule: + rule_id: QrUzxR + version_id: WrTxK0 + url: https://semgrep.dev/playground/r/WrTxK0/java.lang.security.audit.formatted-sql-string.formatted-sql-string + origin: community + options: + taint_assume_safe_numbers: true + taint_assume_safe_booleans: true + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ) + - patterns: + - pattern-inside: | + $ANNOT $FUNC (..., $INPUT, ...) { + ... + } + - pattern: (String $INPUT) + - focus-metavariable: $INPUT + label: INPUT + - patterns: + - pattern-either: + - pattern: $X + $INPUT + - pattern: $X += $INPUT + - pattern: $STRB.append($INPUT) + - pattern: String.format(..., $INPUT, ...) + - pattern: String.join(..., $INPUT, ...) + - pattern: (String $STR).concat($INPUT) + - pattern: $INPUT.concat(...) + - pattern: new $STRB(..., $INPUT, ...) + label: CONCAT + requires: INPUT + pattern-propagators: + - pattern: (StringBuffer $S).append($X) + from: $X + to: $S + - pattern: (StringBuilder $S).append($X) + from: $X + to: $S + pattern-sinks: + - patterns: + - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE *$/" ...>) + - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE %s$/" ...>) + - pattern-either: + - pattern: (Statement $S).$SQLFUNC(...) + - pattern: (PreparedStatement $P).$SQLFUNC(...) + - pattern: (Connection $C).createStatement(...).$SQLFUNC(...) + - pattern: (Connection $C).prepareStatement(...).$SQLFUNC(...) + - pattern: (EntityManager $EM).$SQLFUNC(...) + - metavariable-regex: + metavariable: $SQLFUNC + regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare + requires: CONCAT + pattern-sanitizers: + - patterns: + - pattern: (CriteriaBuilder $CB).$ANY(...) + severity: ERROR + languages: + - java +- id: java.lang.security.audit.http-response-splitting.http-response-splitting + metadata: + cwe: + - 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP + Request/Response Splitting'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING + references: + - https://www.owasp.org/index.php/HTTP_Response_Splitting + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting + shortlink: https://sg.run/eL0l + semgrep.dev: + rule: + rule_id: 3qUPyK + version_id: zyT5W7 + url: https://semgrep.dev/playground/r/zyT5W7/java.lang.security.audit.http-response-splitting.http-response-splitting + origin: community + message: Older Java application servers are vulnerable to HTTP response splitting, + which may occur if an HTTP request can be injected with CRLF characters. This + finding is reported for completeness; it is recommended to ensure your environment + is not affected by testing this yourself. + severity: INFO + languages: + - java + pattern-either: + - pattern: | + $VAR = $REQ.getParameter(...); + ... + $COOKIE = new Cookie(..., $VAR, ...); + ... + $RESP.addCookie($COOKIE, ...); + - patterns: + - pattern-inside: | + $RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) { + ... + } + - pattern: | + $COOKIE = new Cookie(..., $VAR, ...); + ... + $RESP.addCookie($COOKIE, ...); +- id: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + metadata: + cwe: + - 'CWE-297: Improper Validation of Certificate with Host Mismatch' + owasp: + - A07:2021 - Identification and Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + shortlink: https://sg.run/vzN4 + semgrep.dev: + rule: + rule_id: 4bUkrW + version_id: pZTrXj + url: https://semgrep.dev/playground/r/pZTrXj/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + origin: community + message: Insecure SMTP connection detected. This connection will trust any SSL certificate. + Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'. + severity: WARNING + patterns: + - pattern-not-inside: | + $EMAIL.setSSLCheckServerIdentity(true); + ... + - pattern-inside: | + $EMAIL = new SimpleEmail(...); + ... + - pattern: $EMAIL.send(...); + languages: + - java +- id: java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.5 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - jdbc + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + shortlink: https://sg.run/dKWY + semgrep.dev: + rule: + rule_id: PeUZNX + version_id: X0TP5y + url: https://semgrep.dev/playground/r/X0TP5y/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + origin: community + message: 'Possible JDBC injection detected. Use the parameterized query feature + available in queryForObject instead of concatenating or formatting strings: ''jdbc.queryForObject("select + * from table where name = ?", Integer.class, parameterName);''' + patterns: + - pattern-inside: | + $JDBC = new JdbcTemplate(...); + ... + - pattern-either: + - pattern: $JDBC.queryForObject($STR + $VAR, ...); + - pattern: $JDBC.queryForObject(String.format(...), ...); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.queryForObject($Q, ...); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.queryForObject($Q, ...); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.queryForObject($Q, ...); + - pattern: $JDBC.queryForList($STR + $VAR); + - pattern: $JDBC.queryForList(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.queryForList($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.queryForList($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.queryForList($Q, ...); + - pattern: $JDBC.update($STR + $VAR); + - pattern: $JDBC.update(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.update($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.update($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.update($Q, ...); + - pattern: $JDBC.execute($STR + $VAR); + - pattern: $JDBC.execute(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.execute($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.execute($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.execute($Q, ...); + - pattern: $JDBC.insert($STR + $VAR); + - pattern: $JDBC.insert(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.insert($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.insert($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.insert($Q, ...); + severity: WARNING + languages: + - java +- id: java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP + Injection'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.7 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf + - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - LDAP Injection + source: https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + shortlink: https://sg.run/ZvOn + semgrep.dev: + rule: + rule_id: JDUy8B + version_id: jQTKr2 + url: https://semgrep.dev/playground/r/jQTKr2/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + origin: community + message: An object-returning LDAP search will allow attackers to control the LDAP + response. This could lead to Remote Code Execution. + severity: WARNING + pattern-either: + - pattern: | + new SearchControls($S, $CL, $TL, $AT, true, $DEREF) + - pattern: | + SearchControls $VAR = new SearchControls(); + ... + $VAR.setReturningObjFlag(true); + languages: + - java +- id: java.lang.security.audit.ldap-injection.ldap-injection + message: Detected non-constant data passed into an LDAP query. If this data can + be controlled by an external user, this is an LDAP injection. Ensure data passed + to an LDAP query is not controllable; or properly sanitize the data. + metadata: + cwe: + - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP + Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.7 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - LDAP Injection + source: https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection + shortlink: https://sg.run/nd2O + semgrep.dev: + rule: + rule_id: 5rUObQ + version_id: 1QTjPl + url: https://semgrep.dev/playground/r/1QTjPl/java.lang.security.audit.ldap-injection.ldap-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + $X $METHOD(...) { + ... + InitialDirContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + DirContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + InitialLdapContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + LdapContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + LdapCtx $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + EventDirContext $CTX = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $CTX.search($Y,$INPUT,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $CTX.search($Y,"...",...); + ... + } +- id: java.lang.security.audit.object-deserialization.object-deserialization + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION + references: + - https://www.owasp.org/index.php/Deserialization_of_untrusted_data + - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8 + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization + shortlink: https://sg.run/Ek0A + semgrep.dev: + rule: + rule_id: GdU7py + version_id: yeTXN6 + url: https://semgrep.dev/playground/r/yeTXN6/java.lang.security.audit.object-deserialization.object-deserialization + origin: community + message: Found object deserialization using ObjectInputStream. Deserializing entire + Java objects is dangerous because malicious actors can create Java object streams + with unintended consequences. Ensure that the objects being deserialized are not + user-controlled. If this must be done, consider using HMACs to sign the data stream + to make sure it is not tampered with, or consider only transmitting object fields + and populating a new object. + severity: WARNING + languages: + - java + pattern: new ObjectInputStream(...); +- id: java.lang.security.audit.ognl-injection.ognl-injection + message: A expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION + category: security + technology: + - ognl + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection + shortlink: https://sg.run/7o7R + semgrep.dev: + rule: + rule_id: ReUgjJ + version_id: rxTxDx + url: https://semgrep.dev/playground/r/rxTxDx/java.lang.security.audit.ognl-injection.ognl-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.getGetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.getSetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.getField($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlReflectionProvider $P,...) { + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.getGetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.getSetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.getField($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ReflectionProvider $P,...) { + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,TextParseUtil $P,...) { + ... + $P.translateVariables($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,TextParseUtil $P,...) { + ... + $P.translateVariablesCollection($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,TextParseUtil $P,...) { + ... + $P.shallBeIncluded($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,TextParseUtil $P,...) { + ... + $P.commaDelimitedStringToSet($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,TextParser $P,...) { + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlTextParser $P,...) { + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.callMethod($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlUtil $P,...) { + ... + $P.compile($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,VelocityStrutsUtil $P,...) { + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.isTrue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.findString($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.getText($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.translateVariables($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,StrutsUtil $P,...) { + ... + $P.makeSelectList($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,OgnlTool $P,...) { + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ValueStack $P,...) { + ... + $P.findString($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ValueStack $P,...) { + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ValueStack $P,...) { + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ValueStack $P,...) { + ... + $P.setParameter($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.getGetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.getSetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.getField($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlReflectionProvider $P = ...; + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.getGetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.getSetMethod($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.getField($T, $INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ReflectionProvider $P = ...; + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + TextParseUtil $P = ...; + ... + $P.translateVariables($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + TextParseUtil $P = ...; + ... + $P.translateVariablesCollection($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + TextParseUtil $P = ...; + ... + $P.shallBeIncluded($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + TextParseUtil $P = ...; + ... + $P.commaDelimitedStringToSet($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + TextParser $P = ...; + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlTextParser $P = ...; + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.setProperties($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.setProperty($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.getValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.callMethod($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlUtil $P = ...; + ... + $P.compile($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + VelocityStrutsUtil $P = ...; + ... + $P.evaluate($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.isTrue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.findString($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.getText($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.translateVariables($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + StrutsUtil $P = ...; + ... + $P.makeSelectList($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + OgnlTool $P = ...; + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ValueStack $P = ...; + ... + $P.findString($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ValueStack $P = ...; + ... + $P.findValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ValueStack $P = ...; + ... + $P.setValue($INPUT,...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + ValueStack $P = ...; + ... + $P.setParameter($INPUT,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.getGetMethod($T,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.getSetMethod($T,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.getField($T,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.setProperties("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.setProperty("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.getValue("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.setValue("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.translateVariables("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.translateVariablesCollection("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.shallBeIncluded("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.commaDelimitedStringToSet("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.evaluate("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.callMethod("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.compile("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.isTrue("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.findString("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.findValue("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.getText("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.makeSelectList("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $P.setParameter("...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.getGetMethod($T,$S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.getSetMethod($T,$S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.getField($T,$S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.setProperties($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.setProperty($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.getValue($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.setValue($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.translateVariables($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.translateVariablesCollection($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.shallBeIncluded($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.commaDelimitedStringToSet($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.evaluate($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.callMethod($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.compile($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.isTrue($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.findString($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.findValue($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.getText($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.makeSelectList($S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $P.setParameter($S,...); + ... + } +- id: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + message: Detected file permissions that are overly permissive (read, write, and + execute). It is generally a bad practices to set overly permissive file permission + such as read+write+exec for all users. If the file affected is a configuration, + a binary, a script or sensitive data, it can lead to privilege escalation or information + leakage. Instead, follow the principle of least privilege and give users only + the permissions they need. + severity: WARNING + languages: + - java + metadata: + cwe: + - 'CWE-276: Incorrect Default Permissions' + owasp: + - A01:2021 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + shortlink: https://sg.run/LwzJ + semgrep.dev: + rule: + rule_id: AbUzwB + version_id: bZTGBk + url: https://semgrep.dev/playground/r/bZTGBk/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + origin: community + pattern-either: + - pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/")); + - pattern: | + $TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: | + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: | + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: |- + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); +- id: java.lang.security.audit.permissive-cors.permissive-cors + message: https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS + policy will allow a malicious application to communicate with the victim application + in an inappropriate way, leading to spoofing, data theft, relay and other attacks. + metadata: + cwe: + - 'CWE-183: Permissive List of Allowed Inputs' + asvs: + section: 'V14: Configuration Verification Requirements' + control_id: 14.4.8 Permissive CORS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements + version: '4' + category: security + technology: + - java + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors + shortlink: https://sg.run/8y77 + semgrep.dev: + rule: + rule_id: BYUN66 + version_id: NdT1Bn + url: https://semgrep.dev/playground/r/NdT1Bn/java.lang.security.audit.permissive-cors.permissive-cors + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + HttpServletResponse $RES = ...; + ... + $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + HttpServletResponse $RES = ...; + ... + $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + ServerHttpResponse $RES = ...; + ... + $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + HttpHeaders $HEADERS = ...; + ... + $HEADERS.set("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + ServerWebExchange $SWE = ...; + ... + $SWE.getResponse().getHeaders().add("Access-Control-Allow-Origin", "*"); + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,ServerHttpResponse $RES,...) { + ... + $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,ServerWebExchange $SWE,...) { + ... + $SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: ResponseEntity.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") + - pattern: ServerResponse.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") +- id: java.lang.security.audit.script-engine-injection.script-engine-injection + message: Detected potential code injection using ScriptEngine. Ensure user-controlled + data cannot enter '.eval()', otherwise, this is a code injection vulnerability. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection + shortlink: https://sg.run/gLqn + semgrep.dev: + rule: + rule_id: DbUpAr + version_id: kbT7OK + url: https://semgrep.dev/playground/r/kbT7OK/java.lang.security.audit.script-engine-injection.script-engine-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS { + ... + ScriptEngine $SE; + ... + } + - pattern-inside: | + class $CLASS { + ... + ScriptEngine $SE = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ScriptEngine $SE = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $SE.eval(...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $SE.eval("..."); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $SE.eval($S); + ... + } +- id: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + shortlink: https://sg.run/J96Q + semgrep.dev: + rule: + rule_id: lBU9Gj + version_id: A8TRNx + url: https://semgrep.dev/playground/r/A8TRNx/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + origin: community + message: It looks like you're using an implementation of XSSRequestWrapper from + dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) + The XSS filtering in this code is not secure and can be bypassed by malicious + actors. It is recommended to use a stack that automatically escapes in your view + or templates instead of filtering yourself. + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + class XSSRequestWrapper extends HttpServletRequestWrapper { + ... + } + - pattern: |- + $P = $X.compile("", $X.CASE_INSENSITIVE); + $V = $P.matcher(...).replaceAll(""); +- id: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + message: DES is considered deprecated. AES is the recommended cipher. Upgrade to + use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + for more information. + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DES_USAGE + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + shortlink: https://sg.run/5Q73 + semgrep.dev: + rule: + rule_id: PeUZNg + version_id: GxT2Dr + url: https://semgrep.dev/playground/r/GxT2Dr/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: $CIPHER.getInstance("=~/DES/.*/") + - pattern-inside: $CIPHER.getInstance("DES") + - pattern-either: + - pattern: | + "=~/DES/.*/" + - pattern: | + "DES" + fix: | + "AES/GCM/NoPadding" + languages: + - java + - kt +- id: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + message: Triple DES (3DES or DESede) is considered deprecated. AES is the recommended + cipher. Upgrade to use AES. + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE + references: + - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + shortlink: https://sg.run/Geqn + semgrep.dev: + rule: + rule_id: JDUy8J + version_id: RGTbKq + url: https://semgrep.dev/playground/r/RGTbKq/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $CIPHER.getInstance("=~/DESede.*/") + - pattern: | + $CRYPTO.KeyGenerator.getInstance("DES") + languages: + - java + - kt +- id: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher + shortlink: https://sg.run/Ro9K + semgrep.dev: + rule: + rule_id: 5rUOb6 + version_id: A8TR33 + url: https://semgrep.dev/playground/r/A8TR33/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher + origin: community + message: Cipher in ECB mode is detected. ECB mode produces the same output for the + same input each time which allows an attacker to intercept and replay the data. + Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. + severity: WARNING + languages: + - java + patterns: + - pattern: | + Cipher $VAR = $CIPHER.getInstance($MODE); + - metavariable-regex: + metavariable: $MODE + regex: .*ECB.* +- id: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + patterns: + - pattern-either: + - pattern: new NullCipher(...); + - pattern: new javax.crypto.NullCipher(...); + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + shortlink: https://sg.run/AvA4 + semgrep.dev: + rule: + rule_id: GdU7pw + version_id: WrTbdQ + url: https://semgrep.dev/playground/r/WrTbdQ/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + origin: community + message: 'NullCipher was detected. This will not encrypt anything; the cipher text + will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). + See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for + more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + message: Initialization Vectors (IVs) for block ciphers should be randomly generated + each time they are used. Using a static IV means the same plaintext encrypts to + the same ciphertext every time, weakening the strength of the encryption. + metadata: + cwe: + - 'CWE-329: Generation of Predictable IV with CBC Mode' + owasp: + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#STATIC_IV + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://cwe.mitre.org/data/definitions/329.html + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + shortlink: https://sg.run/BkB5 + semgrep.dev: + rule: + rule_id: ReUgj1 + version_id: 0bTvwe + url: https://semgrep.dev/playground/r/0bTvwe/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + byte[] $IV = { + ... + }; + ... + new IvParameterSpec($IV, ...); + - pattern: | + class $CLASS { + byte[] $IV = { + ... + }; + ... + $METHOD(...) { + ... + new IvParameterSpec($IV, ...); + ... + } + } +- id: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING + references: + - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + - kotlin + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + shortlink: https://sg.run/DoOj + semgrep.dev: + rule: + rule_id: AbUzoj + version_id: K3TlrK + url: https://semgrep.dev/playground/r/K3TlrK/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + origin: community + message: Using RSA without OAEP mode weakens the encryption. + severity: WARNING + languages: + - java + - kt + pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/") +- id: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + shortlink: https://sg.run/W8zA + semgrep.dev: + rule: + rule_id: BYUN3X + version_id: 5PT6y3 + url: https://semgrep.dev/playground/r/5PT6y3/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + origin: community + message: Detected use of a Java socket that is not encrypted. As a result, the traffic + could be read by an attacker intercepting the network traffic. Use an SSLSocket + created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. + severity: WARNING + languages: + - java + pattern-either: + - pattern: new ServerSocket(...) + - pattern: new Socket(...) +- id: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key + message: RSA keys should be at least 2048 bits based on NIST recommendation. + languages: + - java + severity: WARNING + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key + shortlink: https://sg.run/4x6x + semgrep.dev: + rule: + rule_id: 0oU5P5 + version_id: l4T5yb + url: https://semgrep.dev/playground/r/l4T5yb/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key + origin: community + patterns: + - pattern: | + KeyPairGenerator $KEY = $G.getInstance("RSA"); + ... + $KEY.initialize($BITS); + - metavariable-comparison: + metavariable: $BITS + comparison: $BITS < 2048 +- id: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.2 Insecure Custom Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests + shortlink: https://sg.run/PJ0p + semgrep.dev: + rule: + rule_id: KxUbW4 + version_id: qkTNQO + url: https://semgrep.dev/playground/r/qkTNQO/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests + origin: community + message: 'Cryptographic algorithms are notoriously difficult to get right. By implementing + a custom message digest, you risk introducing security issues into your program. + Use one of the many sound message digests already available to you: MessageDigest + sha256Digest = MessageDigest.getInstance("SHA256");' + severity: WARNING + languages: + - java + pattern: |- + class $CLASS extends MessageDigest { + ... + } +- id: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.3 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + shortlink: https://sg.run/J9Gj + semgrep.dev: + rule: + rule_id: qNUj8b + version_id: l4T5yp + url: https://semgrep.dev/playground/r/l4T5yp/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + origin: community + message: DefaultHttpClient is deprecated. Further, it does not support connections + using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder + instead. + severity: WARNING + languages: + - java + pattern: new DefaultHttpClient(...); + fix-regex: + regex: DefaultHttpClient + replacement: HttpClientBuilder +- id: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + message: Insecure HostnameVerifier implementation detected. This will accept any + SSL certificate with any hostname, which creates the possibility for man-in-the-middle + attacks. + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER + asvs: + section: V9 Communications Verification Requirements + control_id: 9.2.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + shortlink: https://sg.run/5QoD + semgrep.dev: + rule: + rule_id: lBU9n8 + version_id: YDTolk + url: https://semgrep.dev/playground/r/YDTolk/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + class $CLASS implements HostnameVerifier { + ... + public boolean verify(...) { return true; } + } + - pattern: |- + new HostnameVerifier(...){ + public boolean verify(...) { + return true; + } + } + - pattern: import org.apache.http.conn.ssl.NoopHostnameVerifier; +- id: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER + asvs: + section: V9 Communications Verification Requirements + control_id: 9.2.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + references: + - https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + shortlink: https://sg.run/GePy + semgrep.dev: + rule: + rule_id: YGUR9A + version_id: JdTqlK + url: https://semgrep.dev/playground/r/JdTqlK/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + origin: community + message: Detected empty trust manager implementations. This is dangerous because + it accepts any certificate, enabling man-in-the-middle attacks. Consider using + a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https + for more information. + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS implements X509TrustManager { + ... + } + - pattern-inside: | + new X509TrustManager() { + ... + } + - pattern-inside: | + class $CLASS implements X509ExtendedTrustManager { + ... + } + - pattern-inside: | + new X509ExtendedTrustManager() { + ... + } + - pattern-not: public void checkClientTrusted(...) { $SOMETHING; } + - pattern-not: public void checkServerTrusted(...) { $SOMETHING; } + - pattern-either: + - pattern: public void checkClientTrusted(...) {} + - pattern: public void checkServerTrusted(...) {} + - pattern: public X509Certificate[] getAcceptedIssuers(...) { return null; } +- id: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli + pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $VAL $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($SQL,...) + - pattern: org.hibernate.criterion.Restrictions.sqlRestriction(String.format(...),...) + - patterns: + - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($X + $Y,...) + - pattern-not: org.hibernate.criterion.Restrictions.sqlRestriction("..." + "...",...) + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $TYPE $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $SESSION.$METHOD($SQL,...) + - pattern: | + $SESSION.$METHOD(String.format(...),...); + - pattern: | + $SESSION.$METHOD($X + $Y,...); + - pattern-either: + - pattern-inside: | + org.hibernate.Session $SESSION = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,org.hibernate.Session $SESSION,...) { + ... + } + - pattern-not: | + $SESSION.$METHOD("..." + "...",...); + - metavariable-regex: + metavariable: $METHOD + regex: ^(createQuery|createSQLQuery)$ + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE + asvs: + section: V5 Stored Cryptography Verification Requirements + control_id: 5.3.5 Insecure Custom Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - hibernate + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli + shortlink: https://sg.run/Roqg + semgrep.dev: + rule: + rule_id: 6JUjPD + version_id: w8T3k9 + url: https://semgrep.dev/playground/r/w8T3k9/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli + origin: community + languages: + - java + severity: WARNING +- id: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $VAL $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $S.$METHOD($SQL,...) + - pattern: | + $S.$METHOD(String.format(...),...); + - pattern: | + $S.$METHOD($X + $Y,...); + - pattern-either: + - pattern-inside: | + java.sql.Statement $S = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,java.sql.Statement $S,...) { + ... + } + - pattern-not: | + $S.$METHOD("..." + "...",...); + - metavariable-regex: + metavariable: $METHOD + regex: ^(executeQuery|execute|executeUpdate|executeLargeUpdate|addBatch|nativeSQL)$ + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - jdbc + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli + shortlink: https://sg.run/AvkL + semgrep.dev: + rule: + rule_id: oqUe8K + version_id: xyT4dv + url: https://semgrep.dev/playground/r/xyT4dv/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli + origin: community +- id: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli + pattern-either: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $TYPE $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $Q.$METHOD($SQL,...) + - pattern: | + $Q.$METHOD(String.format(...),...); + - pattern: | + $Q.$METHOD($X + $Y,...); + - pattern-either: + - pattern-inside: | + javax.jdo.Query $Q = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,javax.jdo.Query $Q,...) { + ... + } + - pattern-not: | + $Q.$METHOD("..." + "...",...); + - metavariable-regex: + metavariable: $METHOD + regex: ^(setFilter|setGrouping)$ + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $VAL $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $PM.newQuery(...,$SQL,...) + - pattern: | + $PM.newQuery(...,String.format(...),...); + - pattern: | + $PM.newQuery(...,$X + $Y,...); + - pattern-either: + - pattern-inside: | + javax.jdo.PersistenceManager $PM = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,javax.jdo.PersistenceManager $PM,...) { + ... + } + - pattern-not: | + $PM.newQuery(...,"..." + "...",...); + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - java + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli + shortlink: https://sg.run/Bkwx + semgrep.dev: + rule: + rule_id: zdUk7l + version_id: O9Tyvn + url: https://semgrep.dev/playground/r/O9Tyvn/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli + origin: community +- id: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $TYPE $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $EM.$METHOD($SQL,...) + - pattern: | + $EM.$METHOD(String.format(...),...); + - pattern: | + $EM.$METHOD($X + $Y,...); + - pattern-either: + - pattern-inside: | + EntityManager $EM = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,EntityManager $EM,...) { + ... + } + - pattern-not: | + $EM.$METHOD("..." + "...",...); + - metavariable-regex: + metavariable: $METHOD + regex: ^(createQuery|createNativeQuery)$ + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - jpa + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli + shortlink: https://sg.run/DoOd + semgrep.dev: + rule: + rule_id: pKUO7y + version_id: e1TxZ8 + url: https://semgrep.dev/playground/r/e1TxZ8/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli + origin: community +- id: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli + pattern-either: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $VAL $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $PEER.executeQuery($SQL,...) + - pattern: | + $PEER.executeQuery(String.format(...),...) + - pattern: | + $PEER.executeQuery($X + $Y,...) + - pattern-not: | + $PEER.executeQuery("..." + "...",...) + - metavariable-regex: + metavariable: $PEER + regex: (BasePeer|GroupPeer) + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $VAL $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $P.executeQuery($SQL,...) + - pattern: | + $P.executeQuery(String.format(...),...) + - pattern: | + $P.executeQuery($X + $Y,...) + - pattern-either: + - pattern-inside: | + BasePeer $P = ...; + ... + - pattern-inside: | + GroupPeer $P = ...; + ... + - pattern-inside: | + $VAL $FUNC(...,GroupPeer $P,...) { + ... + } + - pattern-inside: | + $VAL $FUNC(...,BasePeer $P,...) { + ... + } + - pattern-not: | + $P.executeQuery("..." + "...",...) + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - turbine + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli + shortlink: https://sg.run/W8zL + semgrep.dev: + rule: + rule_id: 2ZUbJ3 + version_id: d6TD6l + url: https://semgrep.dev/playground/r/d6TD6l/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli + origin: community +- id: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + String $SQL = $X + $Y; + ... + - pattern-inside: | + String $SQL = String.format(...); + ... + - pattern-inside: | + $TYPE $FUNC(...,String $SQL,...) { + ... + } + - pattern-not-inside: | + String $SQL = "..." + "..."; + ... + - pattern: $SC.$METHOD($SQL,...) + - pattern: | + $SC.$METHOD(String.format(...),...); + - pattern: | + $SC.$METHOD($X + $Y,...); + - pattern-either: + - pattern-inside: | + SqlClient $SC = ...; + ... + - pattern-inside: | + SqlConnection $SC = ...; + ... + - pattern-inside: | + $TYPE $FUNC(...,SqlClient $SC,...) { + ... + } + - pattern-inside: | + $TYPE $FUNC(...,SqlConnection $SC,...) { + ... + } + - pattern-not: | + $SC.$METHOD("..." + "...",...); + - metavariable-regex: + metavariable: $METHOD + regex: ^(query|preparedQuery|prepare)$ + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - vertx + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli + shortlink: https://sg.run/0QKB + semgrep.dev: + rule: + rule_id: X5U86z + version_id: ZRTweO + url: https://semgrep.dev/playground/r/ZRTweO/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli + origin: community +- id: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer + message: Detected a request with potential user-input going into a OutputStream + or Writer object. This bypasses any view or template environments, including HTML + escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. + Consider using a view technology such as JavaServer Faces (JSFs) which automatically + escapes HTML views. + severity: WARNING + metadata: + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html + subcategory: + - vuln + technology: + - java + - servlets + interfile: true + license: "proprietary license - copyright \xA9 Semgrep, Inc." + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer + shortlink: https://sg.run/KlRL + semgrep.dev: + rule: + rule_id: j2Uv7B + version_id: RGTb2B + url: https://semgrep.dev/playground/r/RGTb2B/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer + origin: community + languages: + - java + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ).$REQFUNC(...) + - pattern: "(ServletRequest $REQ).$REQFUNC(...) \n" + - metavariable-regex: + metavariable: $REQFUNC + regex: (getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (HttpServletResponse $RESPONSE).getWriter(...).$WRITE(...) + - pattern: | + (HttpServletResponse $RESPONSE).getOutputStream(...).$WRITE(...) + - pattern: | + (java.io.PrintWriter $WRITER).$WRITE(...) + - pattern: | + (PrintWriter $WRITER).$WRITE(...) + - pattern: | + (javax.servlet.ServletOutputStream $WRITER).$WRITE(...) + - pattern: | + (ServletOutputStream $WRITER).$WRITE(...) + - pattern: | + (java.io.OutputStream $WRITER).$WRITE(...) + - pattern: | + (OutputStream $WRITER).$WRITE(...) + pattern-sanitizers: + - pattern-either: + - pattern: Encode.forHtml(...) + - pattern: (PolicyFactory $POLICY).sanitize(...) + - pattern: (AntiSamy $AS).scan(...) + - pattern: JSoup.clean(...) +- id: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled + message: Detected an element with disabled HTML escaping. If external data can reach + this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data + can reach here, or remove 'escape=false' from this element. + metadata: + owasp: A07:2017 - Cross-Site Scripting (XSS) + cwe: + - 'CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences' + references: + - https://stackoverflow.com/a/7442668 + category: security + technology: + - jsf + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled + shortlink: https://sg.run/qxne + semgrep.dev: + rule: + rule_id: 10UKqE + version_id: PkTYj2 + url: https://semgrep.dev/playground/r/PkTYj2/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled + origin: community + pattern-regex: .*escape.*?=.*?false.* + paths: + include: + - '*.html' + - '*.xhtml' + languages: + - regex + severity: WARNING +- id: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization + severity: WARNING + languages: + - java + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ + category: security + technology: + - rmi + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization + shortlink: https://sg.run/oxg6 + semgrep.dev: + rule: + rule_id: bwUwj4 + version_id: 9lTzAg + url: https://semgrep.dev/playground/r/9lTzAg/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization + origin: community + message: Using a non-primitive class with Java RMI may be an insecure deserialization + vulnerability. Depending on the underlying implementation. This object could be + manipulated by a malicious actor allowing them to execute code on your system. + Instead, use an integer ID to look up your object, or consider alternative serialization + schemes such as JSON. + patterns: + - pattern: | + interface $INTERFACE extends Remote { + $RETURNTYPE $METHOD($CLASS $PARAM) throws RemoteException; + } + - metavariable-regex: + metavariable: $CLASS + regex: (?!int|boolean|short|long|byte|char|float|double) +- id: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + severity: ERROR + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ + - https://frohoff.github.io/appseccali-marshalling-pickles/ + category: security + technology: + - rmi + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + shortlink: https://sg.run/zvnl + semgrep.dev: + rule: + rule_id: NbUkw5 + version_id: yeTXD6 + url: https://semgrep.dev/playground/r/yeTXD6/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + origin: community + message: Using an arbitrary object ('Object $PARAM') with Java RMI is an insecure + deserialization vulnerability. This object can be manipulated by a malicious actor + allowing them to execute code on your system. Instead, use an integer ID to look + up your object, or consider alternative serialization schemes such as JSON. + languages: + - java + pattern: | + interface $INTERFACE extends Remote { + $RETURNTYPE $METHOD(Object $PARAM) throws RemoteException; + } +- id: java.servlets.security.cookie-issecure-false.cookie-issecure-false + patterns: + - pattern: | + $COOKIE = new Cookie(...); + - pattern-not-inside: | + $COOKIE = new Cookie(...); + ... + $COOKIE.setSecure(true); + message: 'Default session middleware settings: `setSecure` not set to true. This + ensures that the cookie is sent only over HTTPS to prevent cross-site scripting + attacks.' + fix-regex: + regex: setSecure\(false\) + replacement: setSecure(true) + metadata: + vulnerability: Insecure Transport + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://tomcat.apache.org/tomcat-5.5-doc/servletapi/ + category: security + technology: + - servlet + - tomcat + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false + shortlink: https://sg.run/pxn0 + semgrep.dev: + rule: + rule_id: kxUkn9 + version_id: rxTxjx + url: https://semgrep.dev/playground/r/rxTxjx/java.servlets.security.cookie-issecure-false.cookie-issecure-false + origin: community + languages: + - java + severity: WARNING +- id: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + patterns: + - pattern-inside: | + @RequestMapping(...) + $RETURNTYPE $METHOD(...) { ... } + - pattern-not-inside: | + @RequestMapping(..., method = $X, ...) + $RETURNTYPE $METHOD(...) { ... } + - pattern: | + RequestMapping + message: Detected a method annotated with 'RequestMapping' that does not specify + the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, + and by default all HTTP methods are allowed when the HTTP method is not explicitly + specified. This means that a method that performs state changes could be vulnerable + to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method + (such as 'RequestMethod.POST'). + severity: WARNING + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING + references: + - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING + category: security + technology: + - spring + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + shortlink: https://sg.run/2xlq + semgrep.dev: + rule: + rule_id: wdUJ7q + version_id: gETqeO + url: https://semgrep.dev/playground/r/gETqeO/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + origin: community + languages: + - java +- id: java.spring.security.audit.spel-injection.spel-injection + message: A Spring expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection + shortlink: https://sg.run/XBp4 + semgrep.dev: + rule: + rule_id: x8Un7b + version_id: bZTGLk + url: https://semgrep.dev/playground/r/bZTGLk/java.spring.security.audit.spel-injection.spel-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS { + ... + ExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + ExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + class $CLASS { + ... + SpelExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + SpelExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + SpelExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + class $CLASS { + ... + TemplateAwareExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + TemplateAwareExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + TemplateAwareExpressionParser $PARSER = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $PARSER.parseExpression(...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $PARSER.parseExpression("..."); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $PARSER.parseExpression($S); + ... + } +- id: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + message: CSRF protection is disabled for this configuration. This is a security + risk. + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED + asvs: + section: V4 Access Control + control_id: 4.2.2 CSRF + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control + version: '4' + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + shortlink: https://sg.run/jRnl + semgrep.dev: + rule: + rule_id: OrU3gK + version_id: O9TyXn + url: https://semgrep.dev/playground/r/O9TyXn/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + origin: community + severity: WARNING + languages: + - java + pattern: $OBJ.csrf(...).disable(...) +- id: java.spring.security.audit.spring-sqli.spring-sqli + mode: taint + pattern-sources: + - patterns: + - pattern: $ARG + - pattern-inside: | + public $T $M (..., String $ARG,...){...} + pattern-sanitizers: + - not_conflicting: true + pattern-either: + - patterns: + - focus-metavariable: $A + - pattern-inside: | + new $TYPE(...,$A,...); + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - focus-metavariable: $A + - pattern: | + new PreparedStatementCreatorFactory($A,...); + - patterns: + - focus-metavariable: $A + - pattern: | + (JdbcTemplate $T).$M($A,...) + - patterns: + - pattern: (String $A) + - pattern-inside: | + (JdbcTemplate $T).batchUpdate(...) + - patterns: + - focus-metavariable: $A + - pattern: | + NamedParameterBatchUpdateUtils.$M($A,...) + - patterns: + - focus-metavariable: $A + - pattern: | + BatchUpdateUtils.$M($A,...) + message: Detected a string argument from a public method contract in a raw SQL statement. + This could lead to SQL injection if variables in the SQL statement are not properly + sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You + can obtain a PreparedStatement using 'connection.prepareStatement'. + languages: + - java + severity: WARNING + options: + taint_assume_safe_numbers: true + taint_assume_safe_booleans: true + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - spring + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli + shortlink: https://sg.run/1Z3x + semgrep.dev: + rule: + rule_id: eqU8N2 + version_id: 0bTOzP + url: https://semgrep.dev/playground/r/0bTOzP/java.spring.security.audit.spring-sqli.spring-sqli + origin: community +- id: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + message: Application redirects a user to a destination URL specified by a user supplied + parameter that is not validated. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + shortlink: https://sg.run/9oXz + semgrep.dev: + rule: + rule_id: v8Un7w + version_id: d6TDPl + url: https://semgrep.dev/playground/r/d6TDPl/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $X $METHOD(...,String $URL,...) { + return "redirect:" + $URL; + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + String $REDIR = "redirect:" + $URL; + ... + return $REDIR; + ... + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + new ModelAndView("redirect:" + $URL); + ... + } + - pattern: |- + $X $METHOD(...,String $URL,...) { + ... + String $REDIR = "redirect:" + $URL; + ... + new ModelAndView($REDIR); + ... + } +- id: javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods + message: Use of angular.element can lead to XSS if user-input is treated as part + of the HTML element within `$SINK`. It is recommended to contextually output encode + user-input, before inserting into `$SINK`. If the HTML needs to be preserved it + is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize. + metadata: + confidence: LOW + references: + - https://docs.angularjs.org/api/ng/function/angular.element + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + technology: + - angularjs + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods + shortlink: https://sg.run/ydnO + semgrep.dev: + rule: + rule_id: d8Ujdo + version_id: 3ZTdOR + url: https://semgrep.dev/playground/r/3ZTdOR/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods + origin: community + languages: + - javascript + - typescript + severity: INFO + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + function(..., $SCOPE, ...) { ... } + - focus-metavariable: $SCOPE + - metavariable-regex: + metavariable: $SCOPE + regex: ^\$scope$ + - pattern: $rootScope + - pattern: $injector.get('$rootScope') + - pattern: $injector.get('$scope') + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + angular.element(...). ... .$SINK($QUERY) + - pattern-inside: | + $ANGULAR = angular.element(...) + ... + $ANGULAR. ... .$SINK($QUERY) + - metavariable-regex: + metavariable: $SINK + regex: ^(after|append|html|prepend|replaceWith|wrap)$ + - focus-metavariable: $QUERY + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern: $sce.getTrustedHtml(...) + - pattern: $sanitize(...) + - pattern: DOMPurify.sanitize(...) +- id: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect + message: Use of $window.location.href can lead to open-redirect if user input is + used for redirection. + metadata: + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.1 Insecue Redirect + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation + version: '4' + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + technology: + - angular + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect + shortlink: https://sg.run/rdn1 + semgrep.dev: + rule: + rule_id: ZqU5Yn + version_id: PkTYQ2 + url: https://semgrep.dev/playground/r/PkTYQ2/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern: | + $window.location.href = ... + - pattern-not: | + $window.location.href = "..." +- id: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading + message: $sceDelegateProvider allowlisting can introduce security issues if wildcards + are used. + metadata: + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + technology: + - angular + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading + shortlink: https://sg.run/b7kd + semgrep.dev: + rule: + rule_id: nJUzgX + version_id: JdTqDK + url: https://semgrep.dev/playground/r/JdTqDK/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern-either: + - pattern: | + $sceDelegateProvider.resourceUrlWhitelist([...,'**',...]); + - patterns: + - pattern: | + $sceDelegateProvider.resourceUrlWhitelist([...,$DOM,...]); + - metavariable-regex: + metavariable: $DOM + regex: ^'.*\*\*.+'$ +- id: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled + message: $sceProvider is set to false. Disabling Strict Contextual escaping (SCE) + in an AngularJS application could provide additional attack surface for XSS vulnerabilities. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://docs.angularjs.org/api/ng/service/$sce + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled + shortlink: https://sg.run/N4DG + semgrep.dev: + rule: + rule_id: EwU20Z + version_id: 5PT693 + url: https://semgrep.dev/playground/r/5PT693/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled + origin: community + languages: + - javascript + - typescript + severity: ERROR + pattern: | + $sceProvider.enabled(false); +- id: javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method + message: The use of $sce.trustAsCss can be dangerous if unsanitized user input flows + through this API. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsCss + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method + shortlink: https://sg.run/kXgo + semgrep.dev: + rule: + rule_id: 7KUQ4k + version_id: GxT2PW + url: https://semgrep.dev/playground/r/GxT2PW/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SOURCE = $scope.$INPUT; + $sce.trustAsCss($SOURCE); + - pattern: | + $sce.trustAsCss($scope.$INPUT); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method + message: The use of $sce.trustAsHtml can be dangerous if unsanitized user input + flows through this API. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method + shortlink: https://sg.run/wenn + semgrep.dev: + rule: + rule_id: L1Uy88 + version_id: RGTbAB + url: https://semgrep.dev/playground/r/RGTbAB/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SOURCE = $scope.$INPUT; + $sce.trustAsHtml($SOURCE); + - pattern: | + $sce.trustAsHtml($scope.$INPUT); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method + message: The use of $sce.trustAsJs can be dangerous if unsanitized user input flows + through this API. + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + category: security + technology: + - angular + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method + shortlink: https://sg.run/x1nA + semgrep.dev: + rule: + rule_id: 8GUj8k + version_id: A8TRJx + url: https://semgrep.dev/playground/r/A8TRJx/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SOURCE = $scope.$INPUT; + $sce.trustAsJs($SOURCE); + - pattern: | + $sce.trustAsJs($scope.$INPUT); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method + message: The use of $sce.trustAs can be dangerous if unsanitized user input flows + through this API. + metadata: + references: + - https://docs.angularjs.org/api/ng/service/$sce + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + technology: + - angular + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method + shortlink: https://sg.run/OPW2 + semgrep.dev: + rule: + rule_id: gxU1QX + version_id: BjTE14 + url: https://semgrep.dev/playground/r/BjTE14/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + app.controller(..., function($scope,$sce) { + ... + }); + - pattern: $scope.$X + pattern-sinks: + - pattern: $sce.trustAs(...) + - pattern: $sce.trustAsHtml(...) +- id: javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method + message: The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user + input flows through this API. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method + shortlink: https://sg.run/eLOd + semgrep.dev: + rule: + rule_id: QrUzeq + version_id: DkTQNo + url: https://semgrep.dev/playground/r/DkTQNo/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SOURCE = $scope.$INPUT; + $sce.trustAsResourceUrl($SOURCE); + - pattern: | + $sce.trustAsResourceUrl($scope.$INPUT); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method + message: The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows + through this API. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method + shortlink: https://sg.run/vznl + semgrep.dev: + rule: + rule_id: 3qUP01 + version_id: WrTbE2 + url: https://semgrep.dev/playground/r/WrTbE2/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SOURCE = $scope.$INPUT; + $sce.trustAsUrl($SOURCE); + - pattern: | + $sce.trustAsUrl($scope.$INPUT); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method + message: The use of $translateProvider.translations method can be dangerous if user + input is provided to this API. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angular + - typescript + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method + shortlink: https://sg.run/ZvXp + semgrep.dev: + rule: + rule_id: PeUZPg + version_id: 0bTv1Y + url: https://semgrep.dev/playground/r/0bTv1Y/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method + origin: community + languages: + - javascript + severity: WARNING + patterns: + - pattern: | + $translateProvider.translations(...,$SOURCE); + - pattern-inside: | + app.controller(..., function($scope,$sce){ + ... + }); +- id: javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution + message: Potential arbitrary code execution, whatever is provided to `toFastProperties` + is sent straight to eval() + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - bluebird + references: + - http://bluebirdjs.com/docs/getting-started.html + cwe2022-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution + shortlink: https://sg.run/ndnZ + semgrep.dev: + rule: + rule_id: JDUy9J + version_id: qkTN4N + url: https://semgrep.dev/playground/r/qkTN4N/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: function ... (..., $ARG,...) {...} + - focus-metavariable: $ARG + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $UTIL.toFastProperties($SINK,...) + - pattern: toFastProperties($SINK,...) + - pattern-either: + - pattern-inside: | + $BB = require('bluebird'); + ... + - pattern-inside: | + import 'bluebird'; + ... + - focus-metavariable: $SINK +- id: javascript.browser.security.dom-based-xss.dom-based-xss + message: 'Detected possible DOM-based XSS. This occurs because a portion of the + URL is being used to construct an element added directly to the page. For example, + a malicious actor could send someone a link like this: http://www.some.site/page.html?default= + which would add the script to the page. Consider allowlisting appropriate values + or using an approach which does not involve the URL.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/DOM_Based_XSS + category: security + technology: + - browser + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss + shortlink: https://sg.run/EkeL + semgrep.dev: + rule: + rule_id: 5rUOg6 + version_id: l4T5xP + url: https://semgrep.dev/playground/r/l4T5xP/javascript.browser.security.dom-based-xss.dom-based-xss + origin: community + languages: + - javascript + - typescript + severity: ERROR + pattern-either: + - pattern: document.write(<... document.location.$W ...>) + - pattern: document.write(<... location.$W ...>) +- id: javascript.browser.security.eval-detected.eval-detected + message: Detected the use of eval(). eval() can be dangerous if used to evaluate + dynamic content. If this content can be input from outside the program, this may + be a code injection vulnerability. Ensure evaluated content is not definable by + external sources. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.2.4 Dynamic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing + version: '4' + category: security + technology: + - browser + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected + shortlink: https://sg.run/7ope + semgrep.dev: + rule: + rule_id: GdU7dw + version_id: YDTovX + url: https://semgrep.dev/playground/r/YDTovX/javascript.browser.security.eval-detected.eval-detected + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-not: eval("...") + - pattern: eval(...) +- id: javascript.browser.security.insecure-document-method.insecure-document-method + message: User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` + is an anti-pattern that can lead to XSS vulnerabilities + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - browser + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method + shortlink: https://sg.run/LwA9 + semgrep.dev: + rule: + rule_id: ReUg41 + version_id: 6xTeJb + url: https://semgrep.dev/playground/r/6xTeJb/javascript.browser.security.insecure-document-method.insecure-document-method + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern-either: + - pattern: | + $EL.innerHTML = $HTML; + - pattern: | + $EL.outerHTML = $HTML; + - pattern: document.write(...) + - pattern-not: | + $EL.innerHTML = "..."; + - pattern-not: | + $EL.outerHTML = "..."; + - pattern-not: document.write("...") +- id: javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation + message: No validation of origin is done by the addEventListener API. It may be + possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site + Scripting(XSS). + metadata: + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-345: Insufficient Verification of Data Authenticity' + category: security + technology: + - browser + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation + shortlink: https://sg.run/gL9x + semgrep.dev: + rule: + rule_id: BYUN0X + version_id: zyT58j + url: https://semgrep.dev/playground/r/zyT58j/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern-either: + - patterns: + - pattern: | + window.addEventListener('message', $FUNC, ...) + - metavariable-pattern: + patterns: + - pattern: | + function($OBJ) { ... } + - pattern-not: | + function($OBJ) { ... if (<... $OBJ.origin ...>) { ... } ... } + metavariable: $FUNC + - patterns: + - pattern-either: + - pattern-inside: | + function $FNAME($OBJ) { $CONTEXT } + ... + - pattern-inside: | + $FNAME = (...) => { $CONTEXT } + ... + - pattern: | + window.addEventListener('message', $FNAME,...) + - metavariable-pattern: + patterns: + - pattern-not: | + ... if (<... $OBJ.origin ...>) { ... } ... + metavariable: $CONTEXT +- id: javascript.browser.security.new-function-detected.new-function-detected + message: this rule has been deprecated. + metadata: + deprecated: true + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - browser + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.browser.security.new-function-detected.new-function-detected + shortlink: https://sg.run/Q5Pk + semgrep.dev: + rule: + rule_id: DbUp0q + version_id: pZTry6 + url: https://semgrep.dev/playground/r/pZTry6/javascript.browser.security.new-function-detected.new-function-detected + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: javascript.browser.security.open-redirect.js-open-redirect + message: The application accepts potentially user-controlled input `$PROP` which + can control the location of the current window context. This can lead two types + of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript + URIs. It is recommended to validate user-controllable input before allowing it + to control the redirection. + metadata: + interfile: true + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.1 Insecue Redirect + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation + version: '4' + category: security + confidence: HIGH + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + technology: + - browser + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect + shortlink: https://sg.run/3xRe + semgrep.dev: + rule: + rule_id: WAUopl + version_id: X0TPxZ + url: https://semgrep.dev/playground/r/X0TPxZ/javascript.browser.security.open-redirect.js-open-redirect + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $PROP = new URLSearchParams($WINDOW. ... .location.search).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams(location.search).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams(location.hash.substring(1)).get('...') + ... + - pattern: $PROP + - patterns: + - pattern-either: + - pattern-inside: | + $PROPS = new URLSearchParams($WINDOW. ... .location.search) + ... + - pattern-inside: | + $PROPS = new URLSearchParams(location.search) + ... + - pattern-inside: | + $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1)) + ... + - pattern-inside: | + $PROPS = new URLSearchParams(location.hash.substring(1)) + ... + - pattern: $PROPS.get('...') + - patterns: + - pattern-either: + - pattern-inside: | + $PROPS = new URL($WINDOW. ... .location.href) + ... + - pattern-inside: | + $PROPS = new URL(location.href) + ... + - pattern: $PROPS.searchParams.get('...') + - patterns: + - pattern-either: + - pattern-inside: | + $PROPS = new URL($WINDOW. ... .location.href).searchParams.get('...') + ... + - pattern-inside: | + $PROPS = new URL(location.href).searchParams.get('...') + ... + - pattern: $PROPS + pattern-sinks: + - patterns: + - pattern-either: + - pattern: location.href = $SINK + - pattern: $THIS. ... .location.href = $SINK + - pattern: location.replace($SINK) + - pattern: $THIS. ... .location.replace($SINK) + - pattern: location = $SINK + - pattern: $WINDOW. ... .location = $SINK + - focus-metavariable: $SINK + - metavariable-pattern: + patterns: + - pattern-not: | + "..." + $VALUE + - pattern-not: | + `...${$VALUE}` + metavariable: $SINK +- id: javascript.browser.security.raw-html-concat.raw-html-concat + message: User controlled data in a HTML string may result in XSS + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/xss/ + category: security + technology: + - browser + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat + shortlink: https://sg.run/4xAx + semgrep.dev: + rule: + rule_id: 0oU5b5 + version_id: jQTKYR + url: https://semgrep.dev/playground/r/jQTKYR/javascript.browser.security.raw-html-concat.raw-html-concat + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: location.href + - pattern: location.hash + - pattern: location.search + - pattern: $WINDOW. ... .location.href + - pattern: $WINDOW. ... .location.hash + - pattern: $WINDOW. ... .location.search + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: $STRING + $EXPR + - pattern-not: $STRING + "..." + - metavariable-pattern: + patterns: + - pattern: <$TAG ... + - pattern-not: <$TAG ...>...... + metavariable: $STRING + language: generic + - patterns: + - pattern: $EXPR + $STRING + - pattern-not: '"..." + $STRING' + - metavariable-pattern: + patterns: + - pattern: '... + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('phantom'); + ... + - pattern-inside: | + import 'phantom'; + ... + - pattern-either: + - pattern: $PAGE.open($SINK,...) + - pattern: $PAGE.setContent($SINK,...) + - pattern: $PAGE.openUrl($SINK,...) + - pattern: $PAGE.evaluateJavaScript($SINK,...) + - pattern: $PAGE.property("content",$SINK,...) + - focus-metavariable: $SINK +- id: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection + message: If unverified user data can reach the `puppeteer` methods it can result + in Server-Side Request Forgery vulnerabilities + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - express + references: + - https://pptr.dev/api/puppeteer.page + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection + shortlink: https://sg.run/0QJB + semgrep.dev: + rule: + rule_id: X5U8Nz + version_id: kbT7LL + url: https://semgrep.dev/playground/r/kbT7LL/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('puppeteer'); + ... + - pattern-inside: | + import 'puppeteer'; + ... + - pattern-either: + - pattern: $PAGE.goto($SINK,...) + - pattern: $PAGE.setContent($SINK,...) + - pattern: $PAGE.evaluate($SINK,...) + - pattern: $PAGE.evaluate($CODE,$SINK,...) + - pattern: $PAGE.evaluateHandle($SINK,...) + - pattern: $PAGE.evaluateHandle($CODE,$SINK,...) + - pattern: $PAGE.evaluateOnNewDocument($SINK,...) + - pattern: $PAGE.evaluateOnNewDocument($CODE,$SINK,...) + - focus-metavariable: $SINK +- id: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection + message: Make sure that unverified user data can not reach `sandbox`. + metadata: + owasp: + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - express + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection + shortlink: https://sg.run/KlwL + semgrep.dev: + rule: + rule_id: j2UvXB + version_id: w8T3DR + url: https://semgrep.dev/playground/r/w8T3DR/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: | + $SANDBOX = require('sandbox'); + ... + - pattern-either: + - patterns: + - pattern-inside: | + $S = new $SANDBOX(...); + ... + - pattern: | + $S.run(...) + - pattern: | + new $SANDBOX($OPTS).run(...) + - pattern: new $SANDBOX().run(...) +- id: javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection + message: If unverified user data can reach the `phantom` methods it can result in + Server-Side Request Forgery vulnerabilities + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - express + references: + - https://www.npmjs.com/package/wkhtmltopdf + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection + shortlink: https://sg.run/pxe0 + semgrep.dev: + rule: + rule_id: kxUkl9 + version_id: e1Tx3b + url: https://semgrep.dev/playground/r/e1Tx3b/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection + origin: community + severity: ERROR + languages: + - javascript + - typescript + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern: $WK.generate($SINK,...) + - focus-metavariable: $SINK +- id: javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection + message: If unverified user data can reach the `wkhtmltopdf` methods it can result + in Server-Side Request Forgery vulnerabilities + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - express + references: + - https://www.npmjs.com/package/wkhtmltopdf + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection + shortlink: https://sg.run/2xGq + semgrep.dev: + rule: + rule_id: wdUJxq + version_id: vdT28d + url: https://semgrep.dev/playground/r/vdT28d/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: | + $WK = require('wkhtmltopdf'); + ... + - pattern: $WK($SINK,...) + - focus-metavariable: $SINK +- id: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe + message: Make sure that unverified user data can not reach the XML Parser, as it + can result in XML External or Internal Entity (XXE) Processing vulnerabilities + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + category: security + technology: + - express + references: + - https://www.npmjs.com/package/xml2json + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe + shortlink: https://sg.run/XBD4 + semgrep.dev: + rule: + rule_id: x8Uneb + version_id: d6TDvp + url: https://semgrep.dev/playground/r/d6TDvp/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - pattern: $REQ.files.$ANYTHING.data.toString('utf8') + - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - pattern: files.$ANYTHING.data.toString('utf8') + - pattern: files.$ANYTHING['data'].toString('utf8') + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('xml2json'); + ... + - pattern-inside: | + import 'xml2json'; + ... + - pattern: $EXPAT.toJson($SINK,...) + - focus-metavariable: $SINK +- id: javascript.express.security.require-request.require-request + message: If an attacker controls the x in require(x) then they can cause code to + load that was not intended to run on the server. + metadata: + interfile: true + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' + source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html + category: security + technology: + - express + references: + - https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/javascript.express.security.require-request.require-request + shortlink: https://sg.run/jRbl + semgrep.dev: + rule: + rule_id: OrU3WK + version_id: ExTnAb + url: https://semgrep.dev/playground/r/ExTnAb/javascript.express.security.require-request.require-request + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern: require($SINK) + - focus-metavariable: $SINK +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name + message: "Don\u2019t use the default session cookie name Using the default session + cookie name can open your app to attacks. The security issue posed is similar + to X-Powered-By: a potential attacker can use it to fingerprint the server and + target attacks accordingly." + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name + shortlink: https://sg.run/1Z5x + semgrep.dev: + rule: + rule_id: eqU8k2 + version_id: vdT2Nd + url: https://semgrep.dev/playground/r/vdT2Nd/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {name:...} ...>,...) + - pattern-not-inside: | + $OPTS = <... {name:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.name = ...; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure + message: 'Default session middleware settings: `secure` not set. It ensures the + browser only sends the cookie over HTTPS.' + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure + shortlink: https://sg.run/9oKz + semgrep.dev: + rule: + rule_id: v8Unzw + version_id: d6TDAp + url: https://semgrep.dev/playground/r/d6TDAp/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {cookie:{secure:true}} ...>,...) + - pattern-not-inside: | + $OPTS = <... {cookie:{secure:true}} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE = <... {secure:true} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie = <... {secure:true} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE.secure = true; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie.secure = true; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly + message: 'Default session middleware settings: `httpOnly` not set. It ensures the + cookie is sent only over HTTP(S), not client JavaScript, helping to protect against + cross-site scripting attacks.' + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly + shortlink: https://sg.run/ydBO + semgrep.dev: + rule: + rule_id: d8UjGo + version_id: ZRTwNy + url: https://semgrep.dev/playground/r/ZRTwNy/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {cookie:{httpOnly:true}} ...>,...) + - pattern-not-inside: | + $OPTS = <... {cookie:{httpOnly:true}} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE = <... {httpOnly:true} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie = <... {httpOnly:true} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE.httpOnly = true; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie.httpOnly = true; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain + message: 'Default session middleware settings: `domain` not set. It indicates the + domain of the cookie; use it to compare against the domain of the server in which + the URL is being requested. If they match, then check the path attribute next.' + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain + shortlink: https://sg.run/rd41 + semgrep.dev: + rule: + rule_id: ZqU5Pn + version_id: nWT7Pd + url: https://semgrep.dev/playground/r/nWT7Pd/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...) + - pattern-not-inside: | + $OPTS = <... {cookie:{domain:...}} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE = <... {domain:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie = <... {domain:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE.domain = ...; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie.domain = ...; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path + message: 'Default session middleware settings: `path` not set. It indicates the + path of the cookie; use it to compare against the request path. If this and domain + match, then send the cookie in the request.' + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path + shortlink: https://sg.run/b7pd + semgrep.dev: + rule: + rule_id: nJUz4X + version_id: ExTnNb + url: https://semgrep.dev/playground/r/ExTnNb/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...) + - pattern-not-inside: | + $OPTS = <... {cookie:{path:...}} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE = <... {path:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie = <... {path:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE.path = ...; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie.path = ...; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires + message: 'Default session middleware settings: `expires` not set. Use it to set + expiration date for persistent cookies.' + severity: WARNING + languages: + - javascript + - typescript + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires + shortlink: https://sg.run/N4eG + semgrep.dev: + rule: + rule_id: EwU2DZ + version_id: 7ZTOoJ + url: https://semgrep.dev/playground/r/7ZTOoJ/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires + origin: community + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('cookie-session'); + ... + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern: $SESSION(...) + - pattern-not-inside: $SESSION(<... {cookie:{expires:...}} ...>,...) + - pattern-not-inside: | + $OPTS = <... {cookie:{expires:...}} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE = <... {expires:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $OPTS.cookie = <... {expires:...} ...>; + ... + $SESSION($OPTS,...); + - pattern-not-inside: | + $OPTS = ...; + ... + $COOKIE.expires = ...; + ... + $SESSION($OPTS,...); + - pattern-not-inside: |- + $OPTS = ...; + ... + $OPTS.cookie.expires = ...; + ... + $SESSION($OPTS,...); +- id: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked + message: No token revoking configured for `express-jwt`. A leaked token could still + be used and unable to be revoked. Consider using function as the `isRevoked` option. + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.3 Insecue Stateless Session Tokens + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - express + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked + shortlink: https://sg.run/kXNo + semgrep.dev: + rule: + rule_id: 7KUQ9k + version_id: 8KTb9O + url: https://semgrep.dev/playground/r/8KTb9O/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-inside: | + $JWT = require('express-jwt'); + ... + - pattern: $JWT(...) + - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...) + - pattern-not-inside: |- + $OPTS = <... {isRevoked:...} ...>; + ... + $JWT($OPTS,...); +- id: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal + message: Possible writing outside of the destination, make sure that the target + path is nested in the intended destination + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + category: security + references: + - https://owasp.org/www-community/attacks/Path_Traversal + technology: + - express + - node.js + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal + shortlink: https://sg.run/weRn + semgrep.dev: + rule: + rule_id: L1Uyb8 + version_id: 44Tolp + url: https://semgrep.dev/playground/r/44Tolp/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - focus-metavariable: $SINK + - pattern-either: + - pattern-inside: | + $PATH = require('path'); + ... + - pattern-inside: | + import $PATH from 'path'; + ... + - pattern-either: + - pattern: $PATH.join(...,$SINK,...) + - pattern: $PATH.resolve(...,$SINK,...) + - patterns: + - focus-metavariable: $SINK + - pattern-inside: | + import 'path'; + ... + - pattern-either: + - pattern: path.join(...,$SINK,...) + - pattern: path.resolve(...,$SINK,...) + pattern-sanitizers: + - pattern: $Y.replace(...) + - pattern: $Y.indexOf(...) + - pattern: | + function ... (...) { + ... + <... $Y.indexOf(...) ...> + ... + } + - patterns: + - pattern: $FUNC(...) + - metavariable-regex: + metavariable: $FUNC + regex: sanitize +- id: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event + message: Xml Parser is used inside Request Event. Make sure that unverified user + data can not reach the XML Parser, as it can result in XML External or Internal + Entity (XXE) Processing vulnerabilities + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + category: security + technology: + - express + references: + - https://www.npmjs.com/package/xml2json + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event + shortlink: https://sg.run/x1AA + semgrep.dev: + rule: + rule_id: 8GUjkk + version_id: RGTbkG + url: https://semgrep.dev/playground/r/RGTbkG/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('xml2json'); + ... + - pattern-inside: | + import 'xml2json'; + ... + - pattern: $REQ.on('...', function(...) { ... $EXPAT.toJson($INPUT,...); ... }) +- id: javascript.express.security.audit.res-render-injection.res-render-injection + message: User controllable data `$REQ` enters `$RES.render(...)` this can lead to + the loading of other HTML/templating pages that they may not be authorized to + render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` + to access other HTML pages on the file system. Where possible, do not allow users + to define what should be loaded in $RES.render or use an allow list for the existing + application. + metadata: + interfile: true + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' + category: security + technology: + - express + references: + - http://expressjs.com/en/4x/api.html#res.render + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection + shortlink: https://sg.run/eLjd + semgrep.dev: + rule: + rule_id: QrUzrq + version_id: DkTQnj + url: https://semgrep.dev/playground/r/DkTQnj/javascript.express.security.audit.res-render-injection.res-render-injection + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $RES.render($SINK, ...) + - focus-metavariable: $SINK +- id: javascript.express.security.audit.xss.direct-response-write.direct-response-write + message: Detected directly writing to a Response object from user-defined input. + This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting + (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. + metadata: + interfile: true + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write + shortlink: https://sg.run/vzGl + semgrep.dev: + rule: + rule_id: 3qUPA1 + version_id: WrTbQ1 + url: https://semgrep.dev/playground/r/WrTbQ1/javascript.express.security.audit.xss.direct-response-write.direct-response-write + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options) + - pattern-not-inside: | + function ... ($REQ, $RES) { + ... + $RES.$SET('Content-Type', '$TYPE') + } + - pattern-not-inside: | + $APP.$METHOD(..., function $FUNC($REQ, $RES) { + ... + $RES.$SET('Content-Type', '$TYPE') + }) + - pattern-not-inside: | + function ... ($REQ, $RES, $NEXT) { + ... + $RES.$SET('Content-Type', '$TYPE') + } + - pattern-not-inside: | + function ... ($REQ, $RES) { + ... + $RES.set('$TYPE') + } + - pattern-not-inside: | + $APP.$METHOD(..., function $FUNC($REQ, $RES) { + ... + $RES.set('$TYPE') + }) + - pattern-not-inside: | + function ... ($REQ, $RES, $NEXT) { + ... + $RES.set('$TYPE') + } + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - pattern-not-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + { + ... + $RES.$SET('Content-Type', '$TYPE') + } + - pattern-not-inside: | + ({ $REQ }: Request,$RES: Response) => { + ... + $RES.$SET('Content-Type', '$TYPE') + } + - pattern-not-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + { + ... + $RES.set('$TYPE') + } + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: function ... (..., $RES,...) {...} + - pattern-either: + - pattern: $RES.write($ARG) + - pattern: $RES.send($ARG) + - pattern-not: $RES. ... .set('...'). ... .send($ARG) + - pattern-not: $RES. ... .type('...'). ... .send($ARG) + - focus-metavariable: $ARG + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + import * as $S from "underscore.string" + ... + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + $S = require("underscore.string") + ... + - pattern-either: + - pattern: $S.escapeHTML(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "dompurify" + ... + - pattern-inside: | + import { ..., $S,... } from "dompurify" + ... + - pattern-inside: | + import * as $S from "dompurify" + ... + - pattern-inside: | + $S = require("dompurify") + ... + - pattern-inside: | + import $S from "isomorphic-dompurify" + ... + - pattern-inside: | + import * as $S from "isomorphic-dompurify" + ... + - pattern-inside: | + $S = require("isomorphic-dompurify") + ... + - pattern-either: + - patterns: + - pattern-inside: | + $VALUE = $S(...) + ... + - pattern: $VALUE.sanitize(...) + - patterns: + - pattern-inside: | + $VALUE = $S.sanitize + ... + - pattern: $S(...) + - pattern: $S.sanitize(...) + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'xss'; + ... + - pattern-inside: | + import * as $S from 'xss'; + ... + - pattern-inside: | + $S = require("xss") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'sanitize-html'; + ... + - pattern-inside: | + import * as $S from "sanitize-html"; + ... + - pattern-inside: | + $S = require("sanitize-html") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + $S = new Remarkable() + ... + - pattern: $S.render(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'express-xss-sanitizer'; + ... + - pattern-inside: | + import * as $S from "express-xss-sanitizer"; + ... + - pattern-inside: | + const { ..., $S, ... } = require('express-xss-sanitizer'); + ... + - pattern-inside: | + var { ..., $S, ... } = require('express-xss-sanitizer'); + ... + - pattern-inside: | + let { ...,$S,... } = require('express-xss-sanitizer'); + ... + - pattern-inside: | + $S = require("express-xss-sanitizer") + ... + - pattern: $S(...) + - patterns: + - pattern: $RES. ... .type('$F'). ... .send(...) + - metavariable-regex: + metavariable: $F + regex: (?!.*text/html) + - patterns: + - pattern-inside: | + $X = [...]; + ... + - pattern: | + if(<... !$X.includes($SOURCE)...>) { + ... + return ... + } + ... + - pattern: $SOURCE +- id: javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape + message: Detected an explicit unescape in an EJS template, using '<%- ... %>' If + external data can reach these locations, your application is exposed to a cross-site + scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need + escaping, ensure no external data can reach this location. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/ + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape + shortlink: https://sg.run/dKXQ + semgrep.dev: + rule: + rule_id: 4bUkPO + version_id: 0bTvlA + url: https://semgrep.dev/playground/r/0bTvlA/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape + origin: community + languages: + - regex + severity: WARNING + paths: + include: + - '*.ejs' + - '*.html' + pattern-regex: <%-((?!include).)*?%> + fix-regex: + regex: <%-(.*?)%> + replacement: <%=\1%> +- id: javascript.express.security.audit.xss.ejs.var-in-href.var-in-href + message: 'Detected a template variable used in an anchor tag with the ''href'' attribute. + This allows a malicious actor to input the ''javascript:'' URI and is subject + to cross- site scripting (XSS) attacks. If using a relative URL, start with a + literal forward slash and concatenate the URL, like this: href=''/<%= link %>''. + You may also consider setting the Content Security Policy (CSP) header.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI + - https://github.com/pugjs/pug/issues/2952 + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href + shortlink: https://sg.run/Zv0p + semgrep.dev: + rule: + rule_id: PeUZrg + version_id: K3Tljp + url: https://semgrep.dev/playground/r/K3Tljp/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href + origin: community + languages: + - regex + severity: WARNING + paths: + include: + - '*.ejs' + - '*.html' + pattern-regex: ]*?[^\/&=]<%.*?%>.*?> +- id: javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src + message: Detected a template variable used as the 'src' in a script tag. Although + template variables are HTML escaped, HTML escaping does not always prevent malicious + URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. + Prefer not to dynamically generate the 'src' attribute and use static URLs instead. + If you must do this, carefully check URLs against an allowlist and be sure to + URL-encode the result. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough + - https://github.com/ESAPI/owasp-esapi-js + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src + shortlink: https://sg.run/ndxZ + semgrep.dev: + rule: + rule_id: JDUyrJ + version_id: qkTNxN + url: https://semgrep.dev/playground/r/qkTNxN/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src + origin: community + languages: + - generic + severity: WARNING + patterns: + - pattern-inside: + - pattern-not-inside: + - pattern: '{{ ... }}' + - pattern-not-inside: nonce = '...' + - pattern-not-inside: nonce = "..." + paths: + include: + - '*.html' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A + - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough + - https://github.com/ESAPI/owasp-esapi-js + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag + shortlink: https://sg.run/Ge7q + semgrep.dev: + rule: + rule_id: qNUjk3 + version_id: ExTnXv + url: https://semgrep.dev/playground/r/ExTnXv/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag + origin: community +- id: python.django.security.injection.mass-assignment.mass-assignment + languages: + - python + severity: WARNING + message: Mass assignment detected. This can result in assignment to model fields + that are unintended and can be exploited by an attacker. Instead of using '**request.$W', + assign each field you want to edit individually to prevent mass assignment. You + can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html. + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + owasp: + - A08:2021 - Software and Data Integrity Failures + owaspapi: 'API6: Mass Assignment' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + category: security + technology: + - django + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment + shortlink: https://sg.run/Ro0q + semgrep.dev: + rule: + rule_id: lBU97n + version_id: RGTbr7 + url: https://semgrep.dev/playground/r/RGTbr7/python.django.security.injection.mass-assignment.mass-assignment + origin: community + pattern-either: + - pattern: $MODEL.objects.create(**request.$W) + - pattern: | + $OBJ.update(**request.$W) + ... + $OBJ.save() +- id: python.django.security.injection.open-redirect.open-redirect + message: Data from request ($DATA) is passed to redirect(). This is an open redirect + and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). + See https://cwe.mitre.org/data/definitions/601.html for more information. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + references: + - https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/ + - https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231 + category: security + technology: + - django + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect + shortlink: https://sg.run/Ave2 + semgrep.dev: + rule: + rule_id: PeUZgr + version_id: A8TRLD + url: https://semgrep.dev/playground/r/A8TRLD/python.django.security.injection.open-redirect.open-redirect + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-not-inside: | + def $FUNC(...): + ... + django.utils.http.is_safe_url(...) + ... + - pattern-not-inside: | + def $FUNC(...): + ... + if <... django.utils.http.is_safe_url(...) ...>: + ... + - pattern-not-inside: | + def $FUNC(...): + ... + django.utils.http.url_has_allowed_host_and_scheme(...) + ... + - pattern-not-inside: | + def $FUNC(...): + ... + if <... django.utils.http.url_has_allowed_host_and_scheme(...) ...>: + ... + - pattern-either: + - pattern: django.shortcuts.redirect(..., request.$W.get(...), ...) + - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: django.shortcuts.redirect(..., $S % request.$W.get(...), ...) + - pattern: django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.shortcuts.redirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.shortcuts.redirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.shortcuts.redirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.shortcuts.redirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: $A = django.shortcuts.redirect(..., request.$W.get(...), ...) + - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: $A = django.shortcuts.redirect(..., $S % request.$W.get(...), ...) + - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", + ...) + - pattern: return django.shortcuts.redirect(..., request.$W.get(...), ...) + - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: return django.shortcuts.redirect(..., $S % request.$W.get(...), ...) + - pattern: return django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", + ...) + - pattern: django.shortcuts.redirect(..., request.$W(...), ...) + - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), + ...) + - pattern: django.shortcuts.redirect(..., $S % request.$W(...), ...) + - pattern: django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + django.shortcuts.redirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.shortcuts.redirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.shortcuts.redirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.shortcuts.redirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: $A = django.shortcuts.redirect(..., request.$W(...), ...) + - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: $A = django.shortcuts.redirect(..., $S % request.$W(...), ...) + - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) + - pattern: return django.shortcuts.redirect(..., request.$W(...), ...) + - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: return django.shortcuts.redirect(..., $S % request.$W(...), ...) + - pattern: return django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) + - pattern: django.shortcuts.redirect(..., request.$W[...], ...) + - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), + ...) + - pattern: django.shortcuts.redirect(..., $S % request.$W[...], ...) + - pattern: django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + django.shortcuts.redirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.shortcuts.redirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.shortcuts.redirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.shortcuts.redirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: $A = django.shortcuts.redirect(..., request.$W[...], ...) + - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: $A = django.shortcuts.redirect(..., $S % request.$W[...], ...) + - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) + - pattern: return django.shortcuts.redirect(..., request.$W[...], ...) + - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: return django.shortcuts.redirect(..., $S % request.$W[...], ...) + - pattern: return django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) + - pattern: django.shortcuts.redirect(..., request.$W, ...) + - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...) + - pattern: django.shortcuts.redirect(..., $S % request.$W, ...) + - pattern: django.shortcuts.redirect(..., f"...{request.$W}...", ...) + - pattern: | + $DATA = request.$W + ... + django.shortcuts.redirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.shortcuts.redirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.shortcuts.redirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.shortcuts.redirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.shortcuts.redirect(..., $INTERM, ...) + - pattern: $A = django.shortcuts.redirect(..., request.$W, ...) + - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W, ...), + ...) + - pattern: $A = django.shortcuts.redirect(..., $S % request.$W, ...) + - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W}...", ...) + - pattern: return django.shortcuts.redirect(..., request.$W, ...) + - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W, ...), + ...) + - pattern: return django.shortcuts.redirect(..., $S % request.$W, ...) + - pattern: return django.shortcuts.redirect(..., f"...{request.$W}...", ...) + - pattern: django.http.HttpResponseRedirect(..., request.$W.get(...), ...) + - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...) + - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", + ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseRedirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseRedirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseRedirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., request.$W.get(...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W.get(...), + ...) + - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", + ...) + - pattern: return django.http.HttpResponseRedirect(..., request.$W.get(...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W.get(...), + ...) + - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", + ...) + - pattern: django.http.HttpResponseRedirect(..., request.$W(...), ...) + - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: django.http.HttpResponseRedirect(..., $S % request.$W(...), ...) + - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseRedirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseRedirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseRedirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., request.$W(...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W(...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", + ...) + - pattern: return django.http.HttpResponseRedirect(..., request.$W(...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W(...), + ...) + - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", + ...) + - pattern: django.http.HttpResponseRedirect(..., request.$W[...], ...) + - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: django.http.HttpResponseRedirect(..., $S % request.$W[...], ...) + - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseRedirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseRedirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseRedirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., request.$W[...], ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W[...], ...) + - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", + ...) + - pattern: return django.http.HttpResponseRedirect(..., request.$W[...], ...) + - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W[...], + ...) + - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", + ...) + - pattern: django.http.HttpResponseRedirect(..., request.$W, ...) + - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), + ...) + - pattern: django.http.HttpResponseRedirect(..., $S % request.$W, ...) + - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseRedirect(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseRedirect(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseRedirect(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseRedirect(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., request.$W, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W, + ...), ...) + - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W, ...) + - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...) + - pattern: return django.http.HttpResponseRedirect(..., request.$W, ...) + - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W, + ...), ...) + - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W, ...) + - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W}...", + ...) + - metavariable-regex: + metavariable: $W + regex: (?!get_full_path) +- id: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse + message: Found user-controlled request data passed into HttpResponse. This could + be vulnerable to XSS, leading to attackers gaining access to user cookies and + protected information. Ensure that the request data is properly escaped or sanitzed. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse + shortlink: https://sg.run/BkvA + semgrep.dev: + rule: + rule_id: JDUydR + version_id: K3TlQL + url: https://semgrep.dev/playground/r/K3TlQL/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: django.http.HttpResponse(..., $S.format(..., request.$W.get(...), ...), + ...) + - pattern: django.http.HttpResponse(..., $S % request.$W.get(...), ...) + - pattern: django.http.HttpResponse(..., f"...{request.$W.get(...)}...", ...) + - pattern: django.http.HttpResponse(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponse(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponse(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponse(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponse(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponse(..., request.$W.get(...), ...) + - pattern: return django.http.HttpResponse(..., request.$W.get(...), ...) + - pattern: django.http.HttpResponse(..., $S.format(..., request.$W(...), ...), + ...) + - pattern: django.http.HttpResponse(..., $S % request.$W(...), ...) + - pattern: django.http.HttpResponse(..., f"...{request.$W(...)}...", ...) + - pattern: django.http.HttpResponse(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponse(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponse(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponse(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponse(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponse(..., request.$W(...), ...) + - pattern: return django.http.HttpResponse(..., request.$W(...), ...) + - pattern: django.http.HttpResponse(..., $S.format(..., request.$W[...], ...), + ...) + - pattern: django.http.HttpResponse(..., $S % request.$W[...], ...) + - pattern: django.http.HttpResponse(..., f"...{request.$W[...]}...", ...) + - pattern: django.http.HttpResponse(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponse(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponse(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponse(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponse(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponse(..., request.$W[...], ...) + - pattern: return django.http.HttpResponse(..., request.$W[...], ...) + - pattern: django.http.HttpResponse(..., $S.format(..., request.$W, ...), ...) + - pattern: django.http.HttpResponse(..., $S % request.$W, ...) + - pattern: django.http.HttpResponse(..., f"...{request.$W}...", ...) + - pattern: django.http.HttpResponse(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponse(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponse(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponse(..., f"...{$DATA}...", ...) + - pattern: $A = django.http.HttpResponse(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + $A = django.http.HttpResponse(..., $INTERM, ...) + - pattern: return django.http.HttpResponse(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponse(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponse(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponse(..., $INTERM, ...) +- id: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest + message: Found user-controlled request data passed into a HttpResponseBadRequest. + This could be vulnerable to XSS, leading to attackers gaining access to user cookies + and protected information. Ensure that the request data is properly escaped or + sanitzed. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest + shortlink: https://sg.run/DoZP + semgrep.dev: + rule: + rule_id: 5rUOX1 + version_id: qkTNe7 + url: https://semgrep.dev/playground/r/qkTNe7/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...) + - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W.get(...)}...", + ...) + - pattern: django.http.HttpResponseBadRequest(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseBadRequest(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...) + - pattern: return django.http.HttpResponseBadRequest(..., request.$W.get(...), + ...) + - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...) + - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W(...)}...", + ...) + - pattern: django.http.HttpResponseBadRequest(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseBadRequest(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W(...), ...) + - pattern: return django.http.HttpResponseBadRequest(..., request.$W(...), ...) + - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...) + - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W[...]}...", + ...) + - pattern: django.http.HttpResponseBadRequest(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseBadRequest(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W[...], ...) + - pattern: return django.http.HttpResponseBadRequest(..., request.$W[...], ...) + - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W, + ...), ...) + - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W, ...) + - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W}...", ...) + - pattern: django.http.HttpResponseBadRequest(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseBadRequest(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.http.HttpResponseBadRequest(..., $INTERM, ...) + - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W, ...) + - pattern: return django.http.HttpResponseBadRequest(..., request.$W, ...) +- id: python.django.security.injection.request-data-fileresponse.request-data-fileresponse + message: Found user-controlled request data being passed into a file open, which + is them passed as an argument into the FileResponse. This is dangerous because + an attacker could specify an arbitrary file to read, which could result in leaking + important data. Be sure to validate or sanitize the user-inputted filename in + the request data before using it in FileResponse. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse + shortlink: https://sg.run/W862 + semgrep.dev: + rule: + rule_id: GdU7QR + version_id: l4T520 + url: https://semgrep.dev/playground/r/l4T520/python.django.security.injection.request-data-fileresponse.request-data-fileresponse + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: django.http.FileResponse(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.http.FileResponse(..., open($DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = open($DATA, ...) + ... + django.http.FileResponse(..., $INTERM, ...) + - pattern: $A = django.http.FileResponse(..., request.$W.get(...), ...) + - pattern: return django.http.FileResponse(..., request.$W.get(...), ...) + - pattern: django.http.FileResponse(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.http.FileResponse(..., open($DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = open($DATA, ...) + ... + django.http.FileResponse(..., $INTERM, ...) + - pattern: $A = django.http.FileResponse(..., request.$W(...), ...) + - pattern: return django.http.FileResponse(..., request.$W(...), ...) + - pattern: django.http.FileResponse(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.http.FileResponse(..., open($DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = open($DATA, ...) + ... + django.http.FileResponse(..., $INTERM, ...) + - pattern: $A = django.http.FileResponse(..., request.$W[...], ...) + - pattern: return django.http.FileResponse(..., request.$W[...], ...) + - pattern: django.http.FileResponse(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.http.FileResponse(..., open($DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = open($DATA, ...) + ... + django.http.FileResponse(..., $INTERM, ...) + - pattern: $A = django.http.FileResponse(..., request.$W, ...) + - pattern: return django.http.FileResponse(..., request.$W, ...) +- id: python.django.security.injection.request-data-write.request-data-write + message: Found user-controlled request data passed into '.write(...)'. This could + be dangerous if a malicious actor is able to control data into sensitive files. + For example, a malicious actor could force rolling of critical log files, or cause + a denial-of-service by using up available disk space. Instead, ensure that request + data is properly escaped or sanitized. + metadata: + cwe: + - 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - django + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write + shortlink: https://sg.run/0Q6j + semgrep.dev: + rule: + rule_id: ReUg5z + version_id: YDToOy + url: https://semgrep.dev/playground/r/YDToOy/python.django.security.injection.request-data-write.request-data-write + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: $F.write(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $F.write(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $F.write(..., $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $F.write(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $F.write(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + $F.write(..., $INTERM, ...) + - pattern: $A = $F.write(..., request.$W.get(...), ...) + - pattern: return $F.write(..., request.$W.get(...), ...) + - pattern: $F.write(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $F.write(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $F.write(..., $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $F.write(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $F.write(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + $F.write(..., $INTERM, ...) + - pattern: $A = $F.write(..., request.$W(...), ...) + - pattern: return $F.write(..., request.$W(...), ...) + - pattern: $F.write(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $F.write(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $F.write(..., $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $F.write(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $F.write(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + $F.write(..., $INTERM, ...) + - pattern: $A = $F.write(..., request.$W[...], ...) + - pattern: return $F.write(..., request.$W[...], ...) + - pattern: $F.write(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + $F.write(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $F.write(..., $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $F.write(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + $F.write(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $F.write(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + $F.write(..., $INTERM, ...) + - pattern: $A = $F.write(..., request.$W, ...) + - pattern: return $F.write(..., request.$W, ...) +- id: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution + message: Found request data as an index to 'globals()'. This is extremely dangerous + because it allows an attacker to execute arbitrary code on the system. Refactor + your code not to use 'globals()'. + metadata: + cwe: + - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static + Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186 + category: security + technology: + - django + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution + shortlink: https://sg.run/Kl55 + semgrep.dev: + rule: + rule_id: AbUzAA + version_id: LjT0ll + url: https://semgrep.dev/playground/r/LjT0ll/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals().get($DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals().get("..." % $DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals().get(f"...{$DATA}...", ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals().get("...".format(..., $DATA, ...), ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals()[$DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals()["..." % $DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals()[f"...{$DATA}..."] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = globals()["...".format(..., $DATA, ...)] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals().get($DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals().get("..." % $DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals().get(f"...{$DATA}...", ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals().get("...".format(..., $DATA, ...), ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals()[$DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals()["..." % $DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals()[f"...{$DATA}..."] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = globals()["...".format(..., $DATA, ...)] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals().get($DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals().get("..." % $DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals().get(f"...{$DATA}...", ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals().get("...".format(..., $DATA, ...), ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals()[$DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals()["..." % $DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals()[f"...{$DATA}..."] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = globals()["...".format(..., $DATA, ...)] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals().get($DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals().get("..." % $DATA, ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals().get(f"...{$DATA}...", ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals().get("...".format(..., $DATA, ...), ...) + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals()[$DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals()["..." % $DATA] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals()[f"...{$DATA}..."] + ... + $INTERM(...) + - pattern: | + $DATA = request.$W + ... + $INTERM = globals()["...".format(..., $DATA, ...)] + ... + $INTERM(...) +- id: python.django.security.injection.code.user-eval-format-string.user-eval-format-string + message: Found user data in a call to 'eval'. This is extremely dangerous because + it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection + for more information. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html + category: security + technology: + - django + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string + shortlink: https://sg.run/4x2z + semgrep.dev: + rule: + rule_id: BYUNw9 + version_id: 8KTbBL + url: https://semgrep.dev/playground/r/8KTbBL/python.django.security.injection.code.user-eval-format-string.user-eval-format-string + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-either: + - pattern: eval(..., $STR % request.$W.get(...), ...) + - pattern: | + $V = request.$W.get(...) + ... + eval(..., $STR % $V, ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = $STR % $V + ... + eval(..., $S, ...) + - pattern: eval(..., "..." % request.$W(...), ...) + - pattern: | + $V = request.$W(...) + ... + eval(..., $STR % $V, ...) + - pattern: | + $V = request.$W(...) + ... + $S = $STR % $V + ... + eval(..., $S, ...) + - pattern: eval(..., $STR % request.$W[...], ...) + - pattern: | + $V = request.$W[...] + ... + eval(..., $STR % $V, ...) + - pattern: | + $V = request.$W[...] + ... + $S = $STR % $V + ... + eval(..., $S, ...) + - pattern: eval(..., $STR.format(..., request.$W.get(...), ...), ...) + - pattern: | + $V = request.$W.get(...) + ... + eval(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = $STR.format(..., $V, ...) + ... + eval(..., $S, ...) + - pattern: eval(..., $STR.format(..., request.$W(...), ...), ...) + - pattern: | + $V = request.$W(...) + ... + eval(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W(...) + ... + $S = $STR.format(..., $V, ...) + ... + eval(..., $S, ...) + - pattern: eval(..., $STR.format(..., request.$W[...], ...), ...) + - pattern: | + $V = request.$W[...] + ... + eval(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W[...] + ... + $S = $STR.format(..., $V, ...) + ... + eval(..., $S, ...) + - pattern: | + $V = request.$W.get(...) + ... + eval(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = f"...{$V}..." + ... + eval(..., $S, ...) + - pattern: | + $V = request.$W(...) + ... + eval(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W(...) + ... + $S = f"...{$V}..." + ... + eval(..., $S, ...) + - pattern: | + $V = request.$W[...] + ... + eval(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W[...] + ... + $S = f"...{$V}..." + ... + eval(..., $S, ...) + languages: + - python + severity: WARNING +- id: python.django.security.injection.code.user-eval.user-eval + message: Found user data in a call to 'eval'. This is extremely dangerous because + it can enable an attacker to execute arbitrary remote code on the system. Instead, + refactor your code to not use 'eval' and instead use a safe library for the specific + functionality you need. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html + - https://owasp.org/www-community/attacks/Code_Injection + category: security + technology: + - django + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval + shortlink: https://sg.run/PJDW + semgrep.dev: + rule: + rule_id: DbUpDQ + version_id: gETqnL + url: https://semgrep.dev/playground/r/gETqnL/python.django.security.injection.code.user-eval.user-eval + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-either: + - pattern: eval(..., request.$W.get(...), ...) + - pattern: | + $V = request.$W.get(...) + ... + eval(..., $V, ...) + - pattern: eval(..., request.$W(...), ...) + - pattern: | + $V = request.$W(...) + ... + eval(..., $V, ...) + - pattern: eval(..., request.$W[...], ...) + - pattern: | + $V = request.$W[...] + ... + eval(..., $V, ...) + languages: + - python + severity: WARNING +- id: python.django.security.injection.code.user-exec-format-string.user-exec-format-string + message: Found user data in a call to 'exec'. This is extremely dangerous because + it can enable an attacker to execute arbitrary remote code on the system. Instead, + refactor your code to not use 'eval' and instead use a safe library for the specific + functionality you need. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - django + references: + - https://owasp.org/www-community/attacks/Code_Injection + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string + shortlink: https://sg.run/J9JW + semgrep.dev: + rule: + rule_id: WAUovx + version_id: QkTJgL + url: https://semgrep.dev/playground/r/QkTJgL/python.django.security.injection.code.user-exec-format-string.user-exec-format-string + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-either: + - pattern: exec(..., $STR % request.$W.get(...), ...) + - pattern: | + $V = request.$W.get(...) + ... + exec(..., $STR % $V, ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = $STR % $V + ... + exec(..., $S, ...) + - pattern: exec(..., "..." % request.$W(...), ...) + - pattern: | + $V = request.$W(...) + ... + exec(..., $STR % $V, ...) + - pattern: | + $V = request.$W(...) + ... + $S = $STR % $V + ... + exec(..., $S, ...) + - pattern: exec(..., $STR % request.$W[...], ...) + - pattern: | + $V = request.$W[...] + ... + exec(..., $STR % $V, ...) + - pattern: | + $V = request.$W[...] + ... + $S = $STR % $V + ... + exec(..., $S, ...) + - pattern: exec(..., $STR.format(..., request.$W.get(...), ...), ...) + - pattern: | + $V = request.$W.get(...) + ... + exec(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = $STR.format(..., $V, ...) + ... + exec(..., $S, ...) + - pattern: exec(..., $STR.format(..., request.$W(...), ...), ...) + - pattern: | + $V = request.$W(...) + ... + exec(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W(...) + ... + $S = $STR.format(..., $V, ...) + ... + exec(..., $S, ...) + - pattern: exec(..., $STR.format(..., request.$W[...], ...), ...) + - pattern: | + $V = request.$W[...] + ... + exec(..., $STR.format(..., $V, ...), ...) + - pattern: | + $V = request.$W[...] + ... + $S = $STR.format(..., $V, ...) + ... + exec(..., $S, ...) + - pattern: | + $V = request.$W.get(...) + ... + exec(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W.get(...) + ... + $S = f"...{$V}..." + ... + exec(..., $S, ...) + - pattern: | + $V = request.$W(...) + ... + exec(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W(...) + ... + $S = f"...{$V}..." + ... + exec(..., $S, ...) + - pattern: | + $V = request.$W[...] + ... + exec(..., f"...{$V}...", ...) + - pattern: | + $V = request.$W[...] + ... + $S = f"...{$V}..." + ... + exec(..., $S, ...) + - pattern: exec(..., base64.decodestring($S.format(..., request.$W.get(...), ...), + ...), ...) + - pattern: exec(..., base64.decodestring($S % request.$W.get(...), ...), ...) + - pattern: exec(..., base64.decodestring(f"...{request.$W.get(...)}...", ...), + ...) + - pattern: exec(..., base64.decodestring(request.$W.get(...), ...), ...) + - pattern: exec(..., base64.decodestring(bytes($S.format(..., request.$W.get(...), + ...), ...), ...), ...) + - pattern: exec(..., base64.decodestring(bytes($S % request.$W.get(...), ...), + ...), ...) + - pattern: exec(..., base64.decodestring(bytes(f"...{request.$W.get(...)}...", + ...), ...), ...) + - pattern: exec(..., base64.decodestring(bytes(request.$W.get(...), ...), ...), + ...) + - pattern: | + $DATA = request.$W.get(...) + ... + exec(..., base64.decodestring($DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = base64.decodestring($DATA, ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = base64.decodestring(bytes($DATA, ...), ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + exec(..., base64.decodestring($DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = base64.decodestring($DATA, ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = base64.decodestring(bytes($DATA, ...), ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + exec(..., base64.decodestring($DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = base64.decodestring($DATA, ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = base64.decodestring(bytes($DATA, ...), ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + exec(..., base64.decodestring($DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = base64.decodestring($DATA, ...) + ... + exec(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = base64.decodestring(bytes($DATA, ...), ...) + ... + exec(..., $INTERM, ...) + languages: + - python + severity: WARNING +- id: python.django.security.injection.code.user-exec.user-exec + message: Found user data in a call to 'exec'. This is extremely dangerous because + it can enable an attacker to execute arbitrary remote code on the system. Instead, + refactor your code to not use 'eval' and instead use a safe library for the specific + functionality you need. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - django + references: + - https://owasp.org/www-community/attacks/Code_Injection + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec + shortlink: https://sg.run/5Q3X + semgrep.dev: + rule: + rule_id: 0oU5AW + version_id: 3ZTde5 + url: https://semgrep.dev/playground/r/3ZTde5/python.django.security.injection.code.user-exec.user-exec + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-either: + - pattern: exec(..., request.$W.get(...), ...) + - pattern: | + $V = request.$W.get(...) + ... + exec(..., $V, ...) + - pattern: exec(..., request.$W(...), ...) + - pattern: | + $V = request.$W(...) + ... + exec(..., $V, ...) + - pattern: exec(..., request.$W[...], ...) + - pattern: | + $V = request.$W[...] + ... + exec(..., $V, ...) + - pattern: | + loop = asyncio.get_running_loop() + ... + await loop.run_in_executor(None, exec, request.$W[...]) + - pattern: | + $V = request.$W[...] + ... + loop = asyncio.get_running_loop() + ... + await loop.run_in_executor(None, exec, $V) + - pattern: | + loop = asyncio.get_running_loop() + ... + await loop.run_in_executor(None, exec, request.$W.get(...)) + - pattern: | + $V = request.$W.get(...) + ... + loop = asyncio.get_running_loop() + ... + await loop.run_in_executor(None, exec, $V) + languages: + - python + severity: WARNING +- id: python.django.security.injection.command.command-injection-os-system.command-injection-os-system + message: Request data detected in os.system. This could be vulnerable to a command + injection and should be avoided. If this must be done, use the 'subprocess' module + instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection + for more information. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/Command_Injection + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system + shortlink: https://sg.run/Gen2 + semgrep.dev: + rule: + rule_id: KxUbp2 + version_id: 44ToGN + url: https://semgrep.dev/playground/r/44ToGN/python.django.security.injection.command.command-injection-os-system.command-injection-os-system + origin: community + languages: + - python + severity: ERROR + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: os.system(..., request.$W.get(...), ...) + - pattern: os.system(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: os.system(..., $S % request.$W.get(...), ...) + - pattern: os.system(..., f"...{request.$W.get(...)}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + os.system(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + os.system(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + os.system(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + os.system(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + os.system(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + os.system(..., $INTERM, ...) + - pattern: $A = os.system(..., request.$W.get(...), ...) + - pattern: $A = os.system(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: $A = os.system(..., $S % request.$W.get(...), ...) + - pattern: $A = os.system(..., f"...{request.$W.get(...)}...", ...) + - pattern: return os.system(..., request.$W.get(...), ...) + - pattern: return os.system(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: return os.system(..., $S % request.$W.get(...), ...) + - pattern: return os.system(..., f"...{request.$W.get(...)}...", ...) + - pattern: os.system(..., request.$W(...), ...) + - pattern: os.system(..., $S.format(..., request.$W(...), ...), ...) + - pattern: os.system(..., $S % request.$W(...), ...) + - pattern: os.system(..., f"...{request.$W(...)}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + os.system(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + os.system(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + os.system(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + os.system(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + os.system(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + os.system(..., $INTERM, ...) + - pattern: $A = os.system(..., request.$W(...), ...) + - pattern: $A = os.system(..., $S.format(..., request.$W(...), ...), ...) + - pattern: $A = os.system(..., $S % request.$W(...), ...) + - pattern: $A = os.system(..., f"...{request.$W(...)}...", ...) + - pattern: return os.system(..., request.$W(...), ...) + - pattern: return os.system(..., $S.format(..., request.$W(...), ...), ...) + - pattern: return os.system(..., $S % request.$W(...), ...) + - pattern: return os.system(..., f"...{request.$W(...)}...", ...) + - pattern: os.system(..., request.$W[...], ...) + - pattern: os.system(..., $S.format(..., request.$W[...], ...), ...) + - pattern: os.system(..., $S % request.$W[...], ...) + - pattern: os.system(..., f"...{request.$W[...]}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + os.system(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + os.system(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + os.system(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + os.system(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + os.system(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + os.system(..., $INTERM, ...) + - pattern: $A = os.system(..., request.$W[...], ...) + - pattern: $A = os.system(..., $S.format(..., request.$W[...], ...), ...) + - pattern: $A = os.system(..., $S % request.$W[...], ...) + - pattern: $A = os.system(..., f"...{request.$W[...]}...", ...) + - pattern: return os.system(..., request.$W[...], ...) + - pattern: return os.system(..., $S.format(..., request.$W[...], ...), ...) + - pattern: return os.system(..., $S % request.$W[...], ...) + - pattern: return os.system(..., f"...{request.$W[...]}...", ...) + - pattern: os.system(..., request.$W, ...) + - pattern: os.system(..., $S.format(..., request.$W, ...), ...) + - pattern: os.system(..., $S % request.$W, ...) + - pattern: os.system(..., f"...{request.$W}...", ...) + - pattern: | + $DATA = request.$W + ... + os.system(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + os.system(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + os.system(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + os.system(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + os.system(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + os.system(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + os.system(..., $INTERM, ...) + - pattern: $A = os.system(..., request.$W, ...) + - pattern: $A = os.system(..., $S.format(..., request.$W, ...), ...) + - pattern: $A = os.system(..., $S % request.$W, ...) + - pattern: $A = os.system(..., f"...{request.$W}...", ...) + - pattern: return os.system(..., request.$W, ...) + - pattern: return os.system(..., $S.format(..., request.$W, ...), ...) + - pattern: return os.system(..., $S % request.$W, ...) + - pattern: return os.system(..., f"...{request.$W}...", ...) +- id: python.django.security.injection.email.xss-html-email-body.xss-html-email-body + message: Found request data in an EmailMessage that is set to use HTML. This is + dangerous because HTML emails are susceptible to XSS. An attacker could inject + data into this HTML email, causing XSS. + metadata: + cwe: + - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream + Component (''Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://www.damonkohler.com/2008/12/email-injection.html + category: security + technology: + - django + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body + shortlink: https://sg.run/RoBe + semgrep.dev: + rule: + rule_id: qNUj02 + version_id: 5PT63R + url: https://semgrep.dev/playground/r/5PT63R/python.django.security.injection.email.xss-html-email-body.xss-html-email-body + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + $EMAIL.content_subtype = "html" + ... + - pattern-either: + - pattern: django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.EmailMessage($SUBJ, $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) + - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) + - pattern: django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.EmailMessage($SUBJ, $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) + - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) + - pattern: django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.EmailMessage($SUBJ, $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) + - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) + - pattern: django.core.mail.EmailMessage($SUBJ, request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.EmailMessage($SUBJ, $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $B.$C(..., $DATA, ...) + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.EmailMessage($SUBJ, $INTERM, ...) + - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W, ...) + - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W, ...) +- id: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message + message: Found request data in 'send_mail(...)' that uses 'html_message'. This is + dangerous because HTML emails are susceptible to XSS. An attacker could inject + data into this HTML email, causing XSS. + metadata: + cwe: + - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream + Component (''Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://www.damonkohler.com/2008/12/email-injection.html + category: security + technology: + - django + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message + shortlink: https://sg.run/Avx8 + semgrep.dev: + rule: + rule_id: lBU9Ll + version_id: GxT2J3 + url: https://semgrep.dev/playground/r/GxT2J3/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: django.core.mail.send_mail(..., html_message=request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.send_mail(..., html_message=$DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W.get(...), + ...) + - pattern: return django.core.mail.send_mail(..., html_message=request.$W.get(...), + ...) + - pattern: django.core.mail.send_mail(..., html_message=request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.send_mail(..., html_message=$DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W(...), + ...) + - pattern: return django.core.mail.send_mail(..., html_message=request.$W(...), + ...) + - pattern: django.core.mail.send_mail(..., html_message=request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.send_mail(..., html_message=$DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W[...], + ...) + - pattern: return django.core.mail.send_mail(..., html_message=request.$W[...], + ...) + - pattern: django.core.mail.send_mail(..., html_message=request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.send_mail(..., html_message=$DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.core.mail.send_mail(..., html_message=$INTERM, ...) + - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W, ...) + - pattern: return django.core.mail.send_mail(..., html_message=request.$W, ...) +- id: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name + message: Data from request is passed to a file name `$FILE`. This is a path traversal + vulnerability, which can lead to sensitive data being leaked. To mitigate, consider + using os.path.abspath or os.path.realpath or the pathlib library. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name + shortlink: https://sg.run/BkO2 + semgrep.dev: + rule: + rule_id: YGUR36 + version_id: BjTE8R + url: https://semgrep.dev/playground/r/BjTE8R/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-not-inside: | + def $F(...): + ... + os.path.realpath(...) + ... + - pattern-not-inside: | + def $F(...): + ... + os.path.abspath(...) + ... + - pattern-either: + - pattern: | + $V = request.$W.get($X) + ... + $FILE % ($V) + - pattern: | + $V = request.$W[$X] + ... + $FILE % ($V) + - pattern: | + $V = request.$W($X) + ... + $FILE % ($V) + - pattern: | + $V = request.$W + ... + $FILE % ($V) + # match format use cases + - pattern: | + $V = request.$W.get($X) + ... + $FILE.format(..., $V, ...) + - pattern: | + $V = request.$W[$X] + ... + $FILE.format(..., $V, ...) + - pattern: | + $V = request.$W($X) + ... + $FILE.format(..., $V, ...) + - pattern: | + $V = request.$W + ... + $FILE.format(..., $V, ...) + - metavariable-regex: + metavariable: $FILE + regex: .*\.(log|zip|txt|csv|xml|html).* + languages: + - python + severity: WARNING +- id: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join + message: Data from request is passed to os.path.join() and to open(). This is a + path traversal vulnerability, which can lead to sensitive data being leaked. To + mitigate, consider using os.path.abspath or os.path.realpath or Path library. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join + shortlink: https://sg.run/Dovo + semgrep.dev: + rule: + rule_id: 6JUjLj + version_id: DkTQvA + url: https://semgrep.dev/playground/r/DkTQvA/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join + origin: community + patterns: + - pattern-inside: | + def $F(...): + ... + - pattern-not-inside: | + def $F(...): + ... + os.path.abspath(...) + ... + - pattern-not-inside: | + def $F(...): + ... + os.path.realpath(...) + ... + - pattern-either: + - pattern: open(os.path.join(..., request.$W.get(...), ...), ...) + - pattern: open(os.path.join(..., request.$W(...), ...), ...) + - pattern: open(os.path.join(..., request.$W, ...), ...) + - pattern: open(os.path.join(..., request.$W[...], ...), ...) + - pattern: | + $P = os.path.join(..., request.$W.get(...), ...) + ... + open($P, ...) + - pattern: | + $P = os.path.join(..., request.$W(...), ...) + ... + open($P, ...) + - pattern: | + $P = os.path.join(..., request.$W, ...) + ... + open($P, ...) + - pattern: | + $P = os.path.join(..., request.$W[...], ...) + ... + open($P, ...) + - pattern: | + $V = request.$W.get($X) + ... + $P = os.path.join(..., $V, ...) + ... + open($P, ...) + - pattern: | + $V = request.$W($X) + ... + $P = os.path.join(..., $V, ...) + ... + open($P, ...) + - pattern: | + $V = request.$W[$X] + ... + $P = os.path.join(..., $V, ...) + ... + open($P, ...) + - pattern: | + $V = request.$W + ... + $P = os.path.join(..., $V, ...) + ... + open($P, ...) + - pattern: | + $P = request.$W.get(...) + ... + open(os.path.join(..., $P, ...), ...) + - pattern: | + $P = request.$W(...) + ... + open(os.path.join(..., $P, ...), ...) + - pattern: | + $P = request.$W + ... + open(os.path.join(..., $P, ...), ...) + - pattern: | + $P = request.$W[...] + ... + open(os.path.join(..., $P, ...), ...) + languages: + - python + severity: WARNING +- id: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open + message: Found request data in a call to 'open'. Ensure the request data is validated + or sanitized, otherwise it could result in path traversal attacks and therefore + sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath + or the pathlib library. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open + shortlink: https://sg.run/W8qg + semgrep.dev: + rule: + rule_id: oqUe7z + version_id: WrTbj4 + url: https://semgrep.dev/playground/r/WrTbj4/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: open(..., request.$W.get(...), ...) + - pattern: open(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: open(..., $S % request.$W.get(...), ...) + - pattern: open(..., f"...{request.$W.get(...)}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + open(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W.get(...) + ... + open(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W.get(...) + ... + open(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W.get(...) + ... + open(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W.get(...) + ... + open(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: $A = open(..., request.$W.get(...), ...) + - pattern: $A = open(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: $A = open(..., $S % request.$W.get(...), ...) + - pattern: $A = open(..., f"...{request.$W.get(...)}...", ...) + - pattern: return open(..., request.$W.get(...), ...) + - pattern: return open(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: return open(..., $S % request.$W.get(...), ...) + - pattern: return open(..., f"...{request.$W.get(...)}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + with open(..., $DATA, ...) as $FD: + ... + - pattern: open(..., request.$W(...), ...) + - pattern: open(..., $S.format(..., request.$W(...), ...), ...) + - pattern: open(..., $S % request.$W(...), ...) + - pattern: open(..., f"...{request.$W(...)}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + open(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W(...) + ... + open(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W(...) + ... + open(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W(...) + ... + open(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W(...) + ... + open(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: $A = open(..., request.$W(...), ...) + - pattern: $A = open(..., $S.format(..., request.$W(...), ...), ...) + - pattern: $A = open(..., $S % request.$W(...), ...) + - pattern: $A = open(..., f"...{request.$W(...)}...", ...) + - pattern: return open(..., request.$W(...), ...) + - pattern: return open(..., $S.format(..., request.$W(...), ...), ...) + - pattern: return open(..., $S % request.$W(...), ...) + - pattern: return open(..., f"...{request.$W(...)}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + with open(..., $DATA, ...) as $FD: + ... + - pattern: open(..., request.$W[...], ...) + - pattern: open(..., $S.format(..., request.$W[...], ...), ...) + - pattern: open(..., $S % request.$W[...], ...) + - pattern: open(..., f"...{request.$W[...]}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + open(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W[...] + ... + open(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W[...] + ... + open(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W[...] + ... + open(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W[...] + ... + open(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: $A = open(..., request.$W[...], ...) + - pattern: $A = open(..., $S.format(..., request.$W[...], ...), ...) + - pattern: $A = open(..., $S % request.$W[...], ...) + - pattern: $A = open(..., f"...{request.$W[...]}...", ...) + - pattern: return open(..., request.$W[...], ...) + - pattern: return open(..., $S.format(..., request.$W[...], ...), ...) + - pattern: return open(..., $S % request.$W[...], ...) + - pattern: return open(..., f"...{request.$W[...]}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + with open(..., $DATA, ...) as $FD: + ... + - pattern: open(..., request.$W, ...) + - pattern: open(..., $S.format(..., request.$W, ...), ...) + - pattern: open(..., $S % request.$W, ...) + - pattern: open(..., f"...{request.$W}...", ...) + - pattern: | + $DATA = request.$W + ... + open(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W + ... + open(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W + ... + open(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W + ... + open(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: | + $DATA = request.$W + ... + open(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + open(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + with open(..., $INTERM, ...) as $FD: + ... + - pattern: $A = open(..., request.$W, ...) + - pattern: $A = open(..., $S.format(..., request.$W, ...), ...) + - pattern: $A = open(..., $S % request.$W, ...) + - pattern: $A = open(..., f"...{request.$W}...", ...) + - pattern: return open(..., request.$W, ...) + - pattern: return open(..., $S.format(..., request.$W, ...), ...) + - pattern: return open(..., $S % request.$W, ...) + - pattern: return open(..., f"...{request.$W}...", ...) + - pattern: | + $DATA = request.$W + ... + with open(..., $DATA, ...) as $FD: + ... +- id: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where + message: User-controlled data from a request is passed to 'extra()'. This could + lead to a SQL injection and therefore protected information could be leaked. Instead, + use parameterized queries or escape the user-controlled data by using `params` + and not using quote placeholders in the SQL string. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where + shortlink: https://sg.run/0Ql5 + semgrep.dev: + rule: + rule_id: zdUkx1 + version_id: 6xTezd + url: https://semgrep.dev/playground/r/6xTezd/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W.get(...), + ...), ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W.get(...), ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W.get(...)}...", + ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], + ...) + - pattern: return $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W(...), + ...), ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W(...), ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W(...)}...", ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...) + - pattern: return $MODEL.objects.extra(..., where=[..., request.$W(...), ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W[...], + ...), ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W[...], ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W[...]}...", ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...) + - pattern: return $MODEL.objects.extra(..., where=[..., request.$W[...], ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W, ...), + ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W, ...], ...) + - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W}...", ...], + ...) + - pattern: $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) + - pattern: return $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) +- id: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql + message: User-controlled data from request is passed to 'RawSQL()'. This could lead + to a SQL injection and therefore protected information could be leaked. Instead, + use parameterized queries or escape the user-controlled data by using `params` + and not using quote placeholders in the SQL string. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql + shortlink: https://sg.run/Kl4X + semgrep.dev: + rule: + rule_id: pKUOBp + version_id: o5TnR7 + url: https://semgrep.dev/playground/r/o5TnR7/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W.get(...), + ...), ...) + - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W.get(...), + ...) + - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W.get(...)}...", + ...) + - pattern: django.db.models.expressions.RawSQL(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W.get(...), + ...) + - pattern: return django.db.models.expressions.RawSQL(..., request.$W.get(...), + ...) + - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W(...), + ...), ...) + - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W(...), ...) + - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W(...)}...", + ...) + - pattern: django.db.models.expressions.RawSQL(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W(...), ...) + - pattern: return django.db.models.expressions.RawSQL(..., request.$W(...), ...) + - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W[...], + ...), ...) + - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W[...], ...) + - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W[...]}...", + ...) + - pattern: django.db.models.expressions.RawSQL(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W[...], ...) + - pattern: return django.db.models.expressions.RawSQL(..., request.$W[...], ...) + - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W, + ...), ...) + - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W, ...) + - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W}...", ...) + - pattern: django.db.models.expressions.RawSQL(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + django.db.models.expressions.RawSQL(..., $INTERM, ...) + - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W, ...) + - pattern: return django.db.models.expressions.RawSQL(..., request.$W, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + django.db.models.expressions.RawSQL($INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + django.db.models.expressions.RawSQL($INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % (..., $DATA, ...) + ... + django.db.models.expressions.RawSQL($INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % (..., $DATA, ...) + ... + django.db.models.expressions.RawSQL($INTERM, ...) +- id: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute + message: User-controlled data from a request is passed to 'execute()'. This could + lead to a SQL injection and therefore protected information could be leaked. Instead, + use django's QuerySets, which are built with query parameterization and therefore + not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute + shortlink: https://sg.run/qx7y + semgrep.dev: + rule: + rule_id: 2ZUbDL + version_id: zyT5Q5 + url: https://semgrep.dev/playground/r/zyT5Q5/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: $CURSOR.execute(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: $CURSOR.execute(..., $S % request.$W.get(...), ...) + - pattern: $CURSOR.execute(..., f"...{request.$W.get(...)}...", ...) + - pattern: $CURSOR.execute(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: $A = $CURSOR.execute(..., request.$W.get(...), ...) + - pattern: return $CURSOR.execute(..., request.$W.get(...), ...) + - pattern: $CURSOR.execute(..., $S.format(..., request.$W(...), ...), ...) + - pattern: $CURSOR.execute(..., $S % request.$W(...), ...) + - pattern: $CURSOR.execute(..., f"...{request.$W(...)}...", ...) + - pattern: $CURSOR.execute(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: $A = $CURSOR.execute(..., request.$W(...), ...) + - pattern: return $CURSOR.execute(..., request.$W(...), ...) + - pattern: $CURSOR.execute(..., $S.format(..., request.$W[...], ...), ...) + - pattern: $CURSOR.execute(..., $S % request.$W[...], ...) + - pattern: $CURSOR.execute(..., f"...{request.$W[...]}...", ...) + - pattern: $CURSOR.execute(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: $A = $CURSOR.execute(..., request.$W[...], ...) + - pattern: return $CURSOR.execute(..., request.$W[...], ...) + - pattern: $CURSOR.execute(..., $S.format(..., request.$W, ...), ...) + - pattern: $CURSOR.execute(..., $S % request.$W, ...) + - pattern: $CURSOR.execute(..., f"...{request.$W}...", ...) + - pattern: $CURSOR.execute(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + $CURSOR.execute(..., $INTERM, ...) + - pattern: $A = $CURSOR.execute(..., request.$W, ...) + - pattern: return $CURSOR.execute(..., request.$W, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $CURSOR.execute($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $CURSOR.execute($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $CURSOR.execute($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $CURSOR.execute($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $CURSOR.execute($INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $CURSOR.execute($INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $CURSOR.execute($INTERM, ...) + - pattern: |- + $DATA = request.$W + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $CURSOR.execute($INTERM, ...) +- id: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw + message: Data that is possible user-controlled from a python request is passed to + `raw()`. This could lead to SQL injection and attackers gaining access to protected + information. Instead, use django's QuerySets, which are built with query parameterization + and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw + shortlink: https://sg.run/l2v9 + semgrep.dev: + rule: + rule_id: X5U8v5 + version_id: pZTrxl + url: https://semgrep.dev/playground/r/pZTrxl/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: $MODEL.objects.raw(..., $S % request.$W.get(...), ...) + - pattern: $MODEL.objects.raw(..., f"...{request.$W.get(...)}...", ...) + - pattern: $MODEL.objects.raw(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: $A = $MODEL.objects.raw(..., request.$W.get(...), ...) + - pattern: return $MODEL.objects.raw(..., request.$W.get(...), ...) + - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W(...), ...), ...) + - pattern: $MODEL.objects.raw(..., $S % request.$W(...), ...) + - pattern: $MODEL.objects.raw(..., f"...{request.$W(...)}...", ...) + - pattern: $MODEL.objects.raw(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: $A = $MODEL.objects.raw(..., request.$W(...), ...) + - pattern: return $MODEL.objects.raw(..., request.$W(...), ...) + - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W[...], ...), ...) + - pattern: $MODEL.objects.raw(..., $S % request.$W[...], ...) + - pattern: $MODEL.objects.raw(..., f"...{request.$W[...]}...", ...) + - pattern: $MODEL.objects.raw(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: $A = $MODEL.objects.raw(..., request.$W[...], ...) + - pattern: return $MODEL.objects.raw(..., request.$W[...], ...) + - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W, ...), ...) + - pattern: $MODEL.objects.raw(..., $S % request.$W, ...) + - pattern: $MODEL.objects.raw(..., f"...{request.$W}...", ...) + - pattern: $MODEL.objects.raw(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + $MODEL.objects.raw(..., $INTERM, ...) + - pattern: $A = $MODEL.objects.raw(..., request.$W, ...) + - pattern: return $MODEL.objects.raw(..., request.$W, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $MODEL.objects.raw($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $MODEL.objects.raw($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $MODEL.objects.raw($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $MODEL.objects.raw($STR % (..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.raw($INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.raw($INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.raw($INTERM, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % (..., $DATA, ...) + ... + $MODEL.objects.raw($INTERM, ...) +- id: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests + message: Data from request object is passed to a new server-side request. This could + lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes + and hosts are validated against an allowlist, do not forward the response to the + user, and ensure proper authentication and transport-layer security in the proxied + request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + to learn more about SSRF vulnerabilities. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests + shortlink: https://sg.run/YvY4 + semgrep.dev: + rule: + rule_id: j2UvEw + version_id: 2KT1wW + url: https://semgrep.dev/playground/r/2KT1wW/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests + origin: community + languages: + - python + severity: ERROR + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: requests.$METHOD(..., $S.format(..., request.$W.get(...), ...), ...) + - pattern: requests.$METHOD(..., $S % request.$W.get(...), ...) + - pattern: requests.$METHOD(..., f"...{request.$W.get(...)}...", ...) + - pattern: requests.$METHOD(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + requests.$METHOD(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + requests.$METHOD(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + requests.$METHOD(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + requests.$METHOD(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: $A = requests.$METHOD(..., request.$W.get(...), ...) + - pattern: return requests.$METHOD(..., request.$W.get(...), ...) + - pattern: requests.$METHOD(..., $S.format(..., request.$W(...), ...), ...) + - pattern: requests.$METHOD(..., $S % request.$W(...), ...) + - pattern: requests.$METHOD(..., f"...{request.$W(...)}...", ...) + - pattern: requests.$METHOD(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + requests.$METHOD(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + requests.$METHOD(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + requests.$METHOD(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + requests.$METHOD(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: $A = requests.$METHOD(..., request.$W(...), ...) + - pattern: return requests.$METHOD(..., request.$W(...), ...) + - pattern: requests.$METHOD(..., $S.format(..., request.$W[...], ...), ...) + - pattern: requests.$METHOD(..., $S % request.$W[...], ...) + - pattern: requests.$METHOD(..., f"...{request.$W[...]}...", ...) + - pattern: requests.$METHOD(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + requests.$METHOD(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + requests.$METHOD(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + requests.$METHOD(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + requests.$METHOD(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: $A = requests.$METHOD(..., request.$W[...], ...) + - pattern: return requests.$METHOD(..., request.$W[...], ...) + - pattern: requests.$METHOD(..., $S.format(..., request.$W, ...), ...) + - pattern: requests.$METHOD(..., $S % request.$W, ...) + - pattern: requests.$METHOD(..., f"...{request.$W}...", ...) + - pattern: requests.$METHOD(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + requests.$METHOD(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + requests.$METHOD(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + requests.$METHOD(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + requests.$METHOD(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + requests.$METHOD(..., $INTERM, ...) + - pattern: $A = requests.$METHOD(..., request.$W, ...) + - pattern: return requests.$METHOD(..., request.$W, ...) +- id: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib + message: Data from request object is passed to a new server-side request. This could + lead to a server-side request forgery (SSRF), which could result in attackers + gaining access to private organization data. To mitigate, ensure that schemes + and hosts are validated against an allowlist, do not forward the response to the + user, and ensure proper authentication and transport-layer security in the proxied + request. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + category: security + technology: + - django + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib + shortlink: https://sg.run/6n2B + semgrep.dev: + rule: + rule_id: 10UKDo + version_id: X0TPJW + url: https://semgrep.dev/playground/r/X0TPJW/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib + origin: community + languages: + - python + severity: ERROR + patterns: + - pattern-inside: | + def $FUNC(...): + ... + - pattern-either: + - pattern: urllib.request.urlopen(..., $S.format(..., request.$W.get(...), ...), + ...) + - pattern: urllib.request.urlopen(..., $S % request.$W.get(...), ...) + - pattern: urllib.request.urlopen(..., f"...{request.$W.get(...)}...", ...) + - pattern: urllib.request.urlopen(..., request.$W.get(...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + urllib.request.urlopen(..., $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + urllib.request.urlopen(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR % $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + urllib.request.urlopen(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = f"...{$DATA}..." + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + urllib.request.urlopen(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W.get(...) + ... + $INTERM = $STR + $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: $A = urllib.request.urlopen(..., request.$W.get(...), ...) + - pattern: return urllib.request.urlopen(..., request.$W.get(...), ...) + - pattern: urllib.request.urlopen(..., $S.format(..., request.$W(...), ...), ...) + - pattern: urllib.request.urlopen(..., $S % request.$W(...), ...) + - pattern: urllib.request.urlopen(..., f"...{request.$W(...)}...", ...) + - pattern: urllib.request.urlopen(..., request.$W(...), ...) + - pattern: | + $DATA = request.$W(...) + ... + urllib.request.urlopen(..., $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + urllib.request.urlopen(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR % $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + urllib.request.urlopen(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = f"...{$DATA}..." + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W(...) + ... + urllib.request.urlopen(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W(...) + ... + $INTERM = $STR + $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: $A = urllib.request.urlopen(..., request.$W(...), ...) + - pattern: return urllib.request.urlopen(..., request.$W(...), ...) + - pattern: urllib.request.urlopen(..., $S.format(..., request.$W[...], ...), ...) + - pattern: urllib.request.urlopen(..., $S % request.$W[...], ...) + - pattern: urllib.request.urlopen(..., f"...{request.$W[...]}...", ...) + - pattern: urllib.request.urlopen(..., request.$W[...], ...) + - pattern: | + $DATA = request.$W[...] + ... + urllib.request.urlopen(..., $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + urllib.request.urlopen(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR % $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + urllib.request.urlopen(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = f"...{$DATA}..." + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W[...] + ... + urllib.request.urlopen(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W[...] + ... + $INTERM = $STR + $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: $A = urllib.request.urlopen(..., request.$W[...], ...) + - pattern: return urllib.request.urlopen(..., request.$W[...], ...) + - pattern: urllib.request.urlopen(..., $S.format(..., request.$W, ...), ...) + - pattern: urllib.request.urlopen(..., $S % request.$W, ...) + - pattern: urllib.request.urlopen(..., f"...{request.$W}...", ...) + - pattern: urllib.request.urlopen(..., request.$W, ...) + - pattern: | + $DATA = request.$W + ... + urllib.request.urlopen(..., $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR.format(..., $DATA, ...) + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + urllib.request.urlopen(..., $STR % $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR % $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + urllib.request.urlopen(..., f"...{$DATA}...", ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = f"...{$DATA}..." + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: | + $DATA = request.$W + ... + urllib.request.urlopen(..., $STR + $DATA, ...) + - pattern: | + $DATA = request.$W + ... + $INTERM = $STR + $DATA + ... + urllib.request.urlopen(..., $INTERM, ...) + - pattern: $A = urllib.request.urlopen(..., request.$W, ...) + - pattern: return urllib.request.urlopen(..., request.$W, ...) +- id: python.django.security.passwords.password-empty-string.password-empty-string + message: '''$VAR'' is the empty string and is being used to set the password on + ''$MODEL''. If you meant to set an unusable password, set the password to None + or call ''set_unusable_password()''.' + metadata: + cwe: + - 'CWE-521: Weak Password Requirements' + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password + category: security + technology: + - django + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string + shortlink: https://sg.run/oxnR + semgrep.dev: + rule: + rule_id: 9AU1jW + version_id: rxTx8k + url: https://semgrep.dev/playground/r/rxTx8k/python.django.security.passwords.password-empty-string.password-empty-string + origin: community + patterns: + - pattern-either: + - pattern: | + $MODEL.set_password($EMPTY) + ... + $MODEL.save() + - pattern: | + $VAR = $EMPTY + ... + $MODEL.set_password($VAR) + ... + $MODEL.save() + - metavariable-regex: + metavariable: $EMPTY + regex: (\'\'|\"\") + languages: + - python + severity: ERROR +- id: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default + message: '''$VAR'' is using the empty string as its default and is being used to + set the password on ''$MODEL''. If you meant to set an unusable password, set + the default value to ''None'' or call ''set_unusable_password()''.' + metadata: + cwe: + - 'CWE-521: Weak Password Requirements' + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password + category: security + technology: + - django + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default + shortlink: https://sg.run/zvBW + semgrep.dev: + rule: + rule_id: yyUn6Z + version_id: bZTG4N + url: https://semgrep.dev/playground/r/bZTG4N/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default + origin: community + languages: + - python + severity: ERROR + patterns: + - pattern-either: + - pattern: | + $VAR = request.$W.get($X, $EMPTY) + ... + $MODEL.set_password($VAR) + ... + $MODEL.save(...) + - pattern: | + def $F(..., $VAR=$EMPTY, ...): + ... + $MODEL.set_password($VAR) + - focus-metavariable: $EMPTY + fix: | + None +- id: python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run + patterns: + - pattern-either: + - pattern-inside: | + $CLIENT = docker.from_env() + ... + - pattern-inside: | + $CLIENT = docker.DockerClient(...) + ... + - pattern-either: + - pattern: | + $CLIENT.containers.run(...) + - pattern: | + $CLIENT.containers.create(...) + - pattern-not: | + $CLIENT.containers.run("...",...) + - pattern-not: | + $CLIENT.containers.create("...",...) + message: If unverified user data can reach the `run` or `create` method it can result + in running arbitrary container. + languages: + - python + severity: WARNING + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + category: security + technology: + - docker + references: + - https://cwe.mitre.org/data/definitions/250.html + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run + shortlink: https://sg.run/pxEL + semgrep.dev: + rule: + rule_id: r6Ur5A + version_id: NdT1QN + url: https://semgrep.dev/playground/r/NdT1QN/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run + origin: community +- id: python.flask.caching.query-string.flask-cache-query-string + patterns: + - pattern-either: + - pattern: | + @app.route("...") + @cache.cached(...) + def $HANDLER(...): + ... + request.args.get(...) + - pattern: | + @app.route("...", methods=[..., "POST", ...]) + @cache.cached(...) + def $HANDLER(...): + ... + - pattern: | + @app.route("...", methods=[..., "PUT", ...]) + @cache.cached(...) + def $HANDLER(...): + ... + - pattern: | + @app.route("...", methods=[..., "DELETE", ...]) + @cache.cached(...) + def $HANDLER(...): + ... + - pattern: | + @app.route("...", methods=[..., "PATCH", ...]) + @cache.cached(...) + def $HANDLER(...): + ... + - pattern-not: | + @app.route("...") + @cache.cached(..., query_string=True) + def $HANDLER(...): + ... + request.args.get(...) + message: Flask-caching doesn't cache query strings by default. You have to use `query_string=True`. + Also you shouldn't cache verbs that can mutate state. + severity: WARNING + languages: + - python + metadata: + category: caching + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string + shortlink: https://sg.run/jROJ + semgrep.dev: + rule: + rule_id: kxUko3 + version_id: 44TePj + url: https://semgrep.dev/playground/r/44TePj/python.flask.caching.query-string.flask-cache-query-string + origin: community +- id: python.flask.security.dangerous-template-string.dangerous-template-string + message: Found a template created with string formatting. This is susceptible to + server-side template injection and cross-site scripting attacks. + metadata: + cwe: + - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static + Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html + - https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti + category: security + technology: + - flask + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string + shortlink: https://sg.run/b79E + semgrep.dev: + rule: + rule_id: v8UnZJ + version_id: gETq5L + url: https://semgrep.dev/playground/r/gETq5L/python.flask.security.dangerous-template-string.dangerous-template-string + origin: community + languages: + - python + severity: ERROR + pattern-either: + - pattern: | + $V = "...".format(...) + ... + flask.render_template_string($V, ...) + - pattern: | + $V = "...".format(...) + ... + return flask.render_template_string($V, ...), $MORE + - pattern: | + $V = "..." % $S + ... + flask.render_template_string($V, ...) + - pattern: | + $V = "..." % $S + ... + return flask.render_template_string($V, ...), $MORE + - pattern: | + $V = "..." + ... + $V += $O + ... + flask.render_template_string($V, ...) + - pattern: | + $V = "..." + ... + $V += $O + ... + return flask.render_template_string($V, ...), $MORE + - pattern: | + $V = f"...{$X}..." + ... + flask.render_template_string($V, ...) + - pattern: | + $V = f"...{$X}..." + ... + return flask.render_template_string($V, ...), $CODE +- id: python.flask.security.insecure-deserialization.insecure-deserialization + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization + shortlink: https://sg.run/N45z + semgrep.dev: + rule: + rule_id: d8UjBO + version_id: 0bTv6b + url: https://semgrep.dev/playground/r/0bTv6b/python.flask.security.insecure-deserialization.insecure-deserialization + origin: community + message: Detected the use of an insecure deserialization library in a Flask route. + These libraries are prone to code execution vulnerabilities. Ensure user data + does not enter this function. To fix this, try to avoid serializing whole objects. + Consider instead using a serializer such as JSON. + languages: + - python + severity: ERROR + patterns: + - pattern-inside: | + @app.route(...) + def $X(...): + ... + - pattern-not: $MODULE.$FUNC("...") + - pattern-not: $MODULE.$FUNC(open("...", ...)) + - pattern-either: + - pattern: pickle.$FUNC(...) + - pattern: _pickle.$FUNC(...) + - pattern: cPickle.$FUNC(...) + - pattern: dill.$FUNC(...) + - pattern: shelve.$FUNC(...) + - pattern: yaml.load(...) +- id: python.flask.security.open-redirect.open-redirect + patterns: + - pattern-inside: | + @$APP.route(...) + def $X(...): + ... + - pattern-not-inside: | + @$APP.route(...) + def $X(...): + ... + if <... werkzeug.urls.url_parse($V) ...>: + ... + - pattern-either: + - pattern: flask.redirect(<... flask.request.$W.get(...) ...>, ...) + - pattern: flask.redirect(<... flask.request.$W[...] ...>, ...) + - pattern: flask.redirect(<... flask.request.$W(...) ...>, ...) + - pattern: flask.redirect(<... flask.request.$W ...>, ...) + - pattern: | + $V = flask.request.$W.get(...) + ... + flask.redirect(<... $V ...>, ...) + - pattern: | + $V = flask.request.$W[...] + ... + flask.redirect(<... $V ...>, ...) + - pattern: | + $V = flask.request.$W(...) + ... + flask.redirect(<... $V ...>, ...) + - pattern: | + $V = flask.request.$W + ... + flask.redirect(<... $V ...>, ...) + - pattern-not: flask.redirect(flask.request.path) + - pattern-not: flask.redirect(flask.request.path + ...) + - pattern-not: flask.redirect(f"{flask.request.path}...") + message: Data from request is passed to redirect(). This is an open redirect and + could be exploited. Consider using 'url_for()' to generate links to known locations. + If you must use a URL to unknown pages, consider using 'urlparse()' or similar + and checking if the 'netloc' property is the same as your site's host name. See + the references for more information. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + references: + - https://flask-login.readthedocs.io/en/latest/#login-example + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1 + - https://docs.python.org/3/library/urllib.parse.html#url-parsing + category: security + technology: + - flask + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect + shortlink: https://sg.run/kXe2 + semgrep.dev: + rule: + rule_id: ZqU5LR + version_id: K3TlOL + url: https://semgrep.dev/playground/r/K3TlOL/python.flask.security.open-redirect.open-redirect + origin: community + languages: + - python + severity: ERROR +- id: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization + patterns: + - pattern-inside: | + @app.route(...) + def $X(filename): + ... + - pattern: flask.send_file(filename, ...) + message: Detected a user-controlled `filename` that could flow to `flask.send_file()` + function. This could lead to an attacker reading arbitrary file from the system, + leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory` + metadata: + cwe: + - 'CWE-73: External Control of File Name or Path' + owasp: + - A04:2021 - Insecure Design + category: security + technology: + - flask + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization + shortlink: https://sg.run/weGP + semgrep.dev: + rule: + rule_id: nJUz6A + version_id: qkTNK7 + url: https://semgrep.dev/playground/r/qkTNK7/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization + origin: community + languages: + - python + severity: WARNING +- id: python.flask.security.unescaped-template-extension.unescaped-template-extension + message: Flask does not automatically escape Jinja templates unless they have .html, + .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, + .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup + for more information. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + source-rule-url: https://pypi.org/project/flake8-flask/ + references: + - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup + - https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/ + - https://bento.dev/checks/flask/unescaped-file-extension/ + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension + shortlink: https://sg.run/x1Rg + semgrep.dev: + rule: + rule_id: EwU293 + version_id: l4T5N0 + url: https://semgrep.dev/playground/r/l4T5N0/python.flask.security.unescaped-template-extension.unescaped-template-extension + origin: community + patterns: + - pattern-not: flask.render_template("=~/.+\.html$/", ...) + - pattern-not: flask.render_template("=~/.+\.xml$/", ...) + - pattern-not: flask.render_template("=~/.+\.htm$/", ...) + - pattern-not: flask.render_template("=~/.+\.xhtml$/", ...) + - pattern-not: flask.render_template($X + "=~/\.html$/", ...) + - pattern-not: flask.render_template($X + "=~/\.xml$/", ...) + - pattern-not: flask.render_template($X + "=~/\.htm$/", ...) + - pattern-not: flask.render_template($X + "=~/\.xhtml$/", ...) + - pattern-not: flask.render_template("=~/.+\.html$/" % $X, ...) + - pattern-not: flask.render_template("=~/.+\.xml$/" % $X, ...) + - pattern-not: flask.render_template("=~/.+\.htm$/" % $X, ...) + - pattern-not: flask.render_template("=~/.+\.xhtml$/" % $X, ...) + - pattern-not: flask.render_template("=~/.+\.html$/".format(...), ...) + - pattern-not: flask.render_template("=~/.+\.xml$/".format(...), ...) + - pattern-not: flask.render_template("=~/.+\.htm$/".format(...), ...) + - pattern-not: flask.render_template("=~/.+\.xhtml$/".format(...), ...) + - pattern-not: flask.render_template($TEMPLATE) + - pattern-either: + - pattern: flask.render_template("...", ...) + - pattern: flask.render_template($X + "...", ...) + - pattern: flask.render_template("..." % $Y, ...) + - pattern: flask.render_template("...".format(...), ...) + languages: + - python + severity: WARNING +- id: python.flask.security.unsanitized-input.response-contains-unsanitized-input + message: Flask response reflects unsanitized user input. This could lead to a cross-site + scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which + an attacker causes arbitrary code to be executed in the user's browser. To prevent, + please sanitize the user input, e.g. by rendering the response in a Jinja2 template + (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/). + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://flask.palletsprojects.com/en/1.0.x/security/ + - https://owasp.org/www-community/attacks/xss/ + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input + shortlink: https://sg.run/OPGn + semgrep.dev: + rule: + rule_id: 7KUQLl + version_id: YDTo8y + url: https://semgrep.dev/playground/r/YDTo8y/python.flask.security.unsanitized-input.response-contains-unsanitized-input + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: | + $X = flask.request.args.get(...) + ... + flask.make_response("...".format($X)) + - pattern: | + $X = flask.request.args.get(...) + ... + flask.make_response(f"...{$X}...") + - pattern: | + $X = flask.request.args.get(...) + ... + flask.make_response(f"...{$X}") + - pattern: | + $X = flask.request.args.get(...) + ... + flask.make_response(f"{$X}...") +- id: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host + message: Running flask app with host 0.0.0.0 could expose the server publicly. + metadata: + cwe: + - 'CWE-668: Exposure of Resource to Wrong Sphere' + owasp: + - A01:2021 - Broken Access Control + category: security + technology: + - flask + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host + shortlink: https://sg.run/eLby + semgrep.dev: + rule: + rule_id: L1Uy1n + version_id: kbT7Z6 + url: https://semgrep.dev/playground/r/kbT7Z6/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: app.run(..., host="0.0.0.0", ...) + - pattern: app.run(..., "0.0.0.0", ...) +- id: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly + patterns: + - pattern-not-inside: | + if __name__ == '__main__': + ... + - pattern-not-inside: | + def $X(...): + ... + - pattern: app.run(...) + message: top-level app.run(...) is ignored by flask. Consider putting app.run(...) + behind a guard, like inside a function + metadata: + cwe: + - 'CWE-668: Exposure of Resource to Wrong Sphere' + owasp: + - A01:2021 - Broken Access Control + category: security + technology: + - flask + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly + shortlink: https://sg.run/vz5b + semgrep.dev: + rule: + rule_id: 8GUjdX + version_id: w8T30A + url: https://semgrep.dev/playground/r/w8T30A/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly + origin: community + languages: + - python + severity: WARNING +- id: python.flask.security.audit.debug-enabled.debug-enabled + patterns: + - pattern-inside: | + import flask + ... + - pattern: $APP.run(..., debug=True, ...) + message: Detected Flask app with debug=True. Do not deploy to production with this + flag enabled as it will leak sensitive information. Instead, consider using Flask + configuration variables or setting 'debug' using system environment variables. + metadata: + cwe: + - 'CWE-489: Active Debug Code' + owasp: A06:2017 - Security Misconfiguration + references: + - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ + category: security + technology: + - flask + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled + shortlink: https://sg.run/dKrd + semgrep.dev: + rule: + rule_id: gxU1bd + version_id: xyT43d + url: https://semgrep.dev/playground/r/xyT43d/python.flask.security.audit.debug-enabled.debug-enabled + origin: community + severity: WARNING + languages: + - python +- id: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string + message: Detected Flask route directly returning a formatted string. This is subject + to cross-site scripting if user input can reach the string. Consider using the + template engine instead and rendering pages with 'render_template()'. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - flask + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string + shortlink: https://sg.run/Zv6o + semgrep.dev: + rule: + rule_id: QrUz49 + version_id: O9TyZX + url: https://semgrep.dev/playground/r/O9TyZX/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string + origin: community + languages: + - python + severity: WARNING + mode: taint + pattern-sources: + - pattern-either: + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $PARAM, ...): + ... + - pattern: $PARAM + - pattern: | + request.$FUNC.get(...) + - pattern: | + request.$FUNC(...) + - pattern: request.$FUNC[...] + pattern-sinks: + - patterns: + - pattern-not-inside: return "..." + - pattern-either: + - pattern: return "...".format(...) + - pattern: return "..." % ... + - pattern: return "..." + ... + - pattern: return ... + "..." + - pattern: return f"...{...}..." + - patterns: + - pattern: return $X + - pattern-either: + - pattern-inside: | + $X = "...".format(...) + ... + - pattern-inside: | + $X = "..." % ... + ... + - pattern-inside: | + $X = "..." + ... + ... + - pattern-inside: | + $X = ... + "..." + ... + - pattern-inside: | + $X = f"...{...}..." + ... + - pattern-not-inside: | + $X = "..." + ... +- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING + message: Hardcoded variable `TESTING` detected. Use environment variables or config + files instead + severity: WARNING + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-489: Active Debug Code' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://bento.dev/checks/flask/avoid-hardcoded-config/ + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features + subcategory: + - audit + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING + shortlink: https://sg.run/ndZ2 + semgrep.dev: + rule: + rule_id: 3qUPoy + version_id: e1TxA1 + url: https://semgrep.dev/playground/r/e1TxA1/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING + origin: community + languages: + - python + pattern-either: + - pattern: $M.config['TESTING'] = True + - pattern: $M.config['TESTING'] = False + - pattern: $M.update(TESTING=True, ...) + - pattern: $M.update(TESTING=False, ...) +- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY + message: Hardcoded variable `SECRET_KEY` detected. Use environment variables or + config files instead + severity: ERROR + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-489: Active Debug Code' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://bento.dev/checks/flask/avoid-hardcoded-config/ + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features + subcategory: + - audit + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY + shortlink: https://sg.run/Ekde + semgrep.dev: + rule: + rule_id: 4bUkX0 + version_id: vdT238 + url: https://semgrep.dev/playground/r/vdT238/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY + origin: community + languages: + - python + pattern-either: + - pattern: $M.update(SECRET_KEY="=~/.*/") + - pattern: $M.config['SECRET_KEY'] = "=~/.*/" +- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV + message: Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment + variable + severity: WARNING + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-489: Active Debug Code' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://bento.dev/checks/flask/avoid-hardcoded-config/ + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features + subcategory: + - audit + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV + shortlink: https://sg.run/7oXW + semgrep.dev: + rule: + rule_id: PeUZpr + version_id: d6TDby + url: https://semgrep.dev/playground/r/d6TDby/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV + origin: community + languages: + - python + pattern-either: + - pattern: $M.update(ENV="=~/^development|production$/") + - pattern: $M.config['ENV'] = "=~/^development|production$/" +- id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG + message: Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment + variable + severity: WARNING + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-489: Active Debug Code' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://bento.dev/checks/flask/avoid-hardcoded-config/ + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values + - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features + subcategory: + - audit + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG + shortlink: https://sg.run/LwPo + semgrep.dev: + rule: + rule_id: JDUyJR + version_id: ZRTwy2 + url: https://semgrep.dev/playground/r/ZRTwy2/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG + origin: community + languages: + - python + pattern-either: + - pattern: $M.update(DEBUG=True) + - pattern: $M.update(DEBUG=False) + - pattern: $M.config['DEBUG'] = True + - pattern: $M.config['DEBUG'] = False +- id: python.flask.security.audit.render-template-string.render-template-string + pattern: flask.render_template_string(...) + metadata: + cwe: + - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static + Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html + category: security + technology: + - flask + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string + shortlink: https://sg.run/8yjE + semgrep.dev: + rule: + rule_id: 5rUOv1 + version_id: ExTnYv + url: https://semgrep.dev/playground/r/ExTnYv/python.flask.security.audit.render-template-string.render-template-string + origin: community + message: Found a template created with string formatting. This is susceptible to + server-side template injection and cross-site scripting attacks. + languages: + - python + severity: WARNING +- id: python.flask.security.audit.secure-set-cookie.secure-set-cookie + patterns: + - pattern-either: + - pattern-inside: | + $RESP = flask.make_response(...) + ... + - pattern-inside: | + $RESP = flask.Response(...) + ... + - pattern-not: $RESPONSE.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...) + - pattern-not: $RESPONSE.set_cookie(..., **$A) + - pattern: $RESPONSE.set_cookie(...) + message: Found a Flask cookie without secure, httponly, or samesite correctly set. + Flask cookies should be handled securely by setting secure=True, httponly=True, + and samesite='Lax' in response.set_cookie(...). If these parameters are not properly + set, your cookies are not properly protected and are at risk of being stolen by + an attacker. Include the 'secure=True', 'httponly=True', samesite='Lax' arguments + or set these to be true in the Flask configuration. + metadata: + cwe: + - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/ + - https://bento.dev/checks/flask/secure-set-cookie/ + - https://flask.palletsprojects.com/en/1.1.x/security/#set-cookie-options + category: security + technology: + - flask + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie + shortlink: https://sg.run/gLkZ + semgrep.dev: + rule: + rule_id: GdU7GR + version_id: 7ZTOYP + url: https://semgrep.dev/playground/r/7ZTOYP/python.flask.security.audit.secure-set-cookie.secure-set-cookie + origin: community + languages: + - python + severity: WARNING +- id: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled + message: Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection. + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + references: + - https://flask-wtf.readthedocs.io/en/stable/csrf.html + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled + shortlink: https://sg.run/Q5AQ + semgrep.dev: + rule: + rule_id: ReUgXz + version_id: LjT0pl + url: https://semgrep.dev/playground/r/LjT0pl/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled + origin: community + severity: WARNING + languages: + - python + pattern: $APP.config['WTF_CSRF_ENABLED'] = False +- id: python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content + patterns: + - pattern: flask.make_response(...) + - pattern-not-inside: flask.make_response() + - pattern-not-inside: flask.make_response("...", ...) + - pattern-not-inside: 'flask.make_response({"...": "..."}, ...)' + - pattern-not-inside: flask.make_response(flask.redirect(...), ...) + - pattern-not-inside: flask.make_response(flask.render_template(...), ...) + - pattern-not-inside: flask.make_response(flask.jsonify(...), ...) + - pattern-not-inside: flask.make_response(json.dumps(...), ...) + - pattern-not-inside: | + $X = flask.render_template(...) + ... + flask.make_response($X, ...) + - pattern-not-inside: | + $X = flask.jsonify(...) + ... + flask.make_response($X, ...) + - pattern-not-inside: | + $X = json.dumps(...) + ... + flask.make_response($X, ...) + message: Be careful with `flask.make_response()`. If this response is rendered onto + a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` + will not autoescape HTML. If you are rendering HTML, write your HTML in a template + file and use `flask.render_template()` which will take care of escaping. If you + are returning data from an API, consider using `flask.jsonify()`. + severity: WARNING + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11 + - https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response + - https://flask.palletsprojects.com/en/1.1.x/api/#response-objects + category: security + technology: + - flask + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content + shortlink: https://sg.run/3x3p + semgrep.dev: + rule: + rule_id: AbUz6A + version_id: 8KTbLL + url: https://semgrep.dev/playground/r/8KTbLL/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content + origin: community + languages: + - python +- id: python.flask.security.injection.os-system-injection.os-system-injection + languages: + - python + severity: ERROR + message: User data detected in os.system. This could be vulnerable to a command + injection and should be avoided. If this must be done, use the 'subprocess' module + instead and pass the arguments as a list. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/Command_Injection + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection + shortlink: https://sg.run/4xzz + semgrep.dev: + rule: + rule_id: BYUN99 + version_id: PkTYnq + url: https://semgrep.dev/playground/r/PkTYnq/python.flask.security.injection.os-system-injection.os-system-injection + origin: community + pattern-either: + - patterns: + - pattern: os.system(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + os.system(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + os.system(..., <... $INTERM ...>, ...) + - pattern: os.system(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: os.system(..., <... flask.request.$W[...] ...>, ...) + - pattern: os.system(..., <... flask.request.$W(...) ...>, ...) + - pattern: os.system(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) +- id: python.flask.security.injection.path-traversal-open.path-traversal-open + languages: + - python + severity: ERROR + message: Found request data in a call to 'open'. Ensure the request data is validated + or sanitized, otherwise it could result in path traversal attacks. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open + shortlink: https://sg.run/PJRW + semgrep.dev: + rule: + rule_id: DbUpOQ + version_id: JdTqZY + url: https://semgrep.dev/playground/r/JdTqZY/python.flask.security.injection.path-traversal-open.path-traversal-open + origin: community + pattern-either: + - patterns: + - pattern: open(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + open(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + with open(..., <... $ROUTEVAR ...>, ...) as $FD: + ... + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + open(..., <... $INTERM ...>, ...) + - pattern: open(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: open(..., <... flask.request.$W[...] ...>, ...) + - pattern: open(..., <... flask.request.$W(...) ...>, ...) + - pattern: open(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) +- id: python.flask.security.injection.ssrf-requests.ssrf-requests + languages: + - python + severity: ERROR + message: Data from request object is passed to a new server-side request. This could + lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes + and hosts are validated against an allowlist, do not forward the response to the + user, and ensure proper authentication and transport-layer security in the proxied + request. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests + shortlink: https://sg.run/J9LW + semgrep.dev: + rule: + rule_id: WAUoRx + version_id: GxT2W3 + url: https://semgrep.dev/playground/r/GxT2W3/python.flask.security.injection.ssrf-requests.ssrf-requests + origin: community + pattern-either: + - patterns: + - pattern: requests.$FUNC(...) + - pattern-either: + - pattern-inside: | + @$APP.$ROUTE_METHOD($ROUTE, ...) + def $ROUTE_FUNC(..., $ROUTEVAR, ...): + ... + requests.$FUNC(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.$ROUTE_METHOD($ROUTE, ...) + def $ROUTE_FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + requests.$FUNC(..., <... $INTERM ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W[...] ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W(...) ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) +- id: python.flask.security.injection.user-eval.eval-injection + languages: + - python + severity: ERROR + message: Detected user data flowing into eval. This is code injection and should + be avoided. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html + category: security + technology: + - flask + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection + shortlink: https://sg.run/5QpX + semgrep.dev: + rule: + rule_id: 0oU54W + version_id: DkTQeA + url: https://semgrep.dev/playground/r/DkTQeA/python.flask.security.injection.user-eval.eval-injection + origin: community + pattern-either: + - patterns: + - pattern: eval(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + eval(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: eval(..., <... flask.request.$W[...] ...>, ...) + - pattern: eval(..., <... flask.request.$W(...) ...>, ...) + - pattern: eval(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) +- id: python.flask.security.injection.user-exec.exec-injection + languages: + - python + severity: ERROR + message: Detected user data flowing into exec. This is code injection and should + be avoided. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html + category: security + technology: + - flask + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection + shortlink: https://sg.run/Ge42 + semgrep.dev: + rule: + rule_id: KxUbl2 + version_id: WrTb64 + url: https://semgrep.dev/playground/r/WrTb64/python.flask.security.injection.user-exec.exec-injection + origin: community + pattern-either: + - patterns: + - pattern: exec(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + exec(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: exec(..., <... flask.request.$W[...] ...>, ...) + - pattern: exec(..., <... flask.request.$W(...) ...>, ...) + - pattern: exec(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) +- id: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 + message: Detected direct use of jinja2. If not done properly, this may bypass HTML + escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. + Prefer using the Flask method 'render_template()' and templates with a '.html' + extension in order to prevent XSS. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://jinja.palletsprojects.com/en/2.11.x/api/#basics + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 + shortlink: https://sg.run/RoKe + semgrep.dev: + rule: + rule_id: qNUjN2 + version_id: JdTqZd + url: https://semgrep.dev/playground/r/JdTqZd/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: jinja2.Environment(...) + - pattern: jinja2.Template.render(...) + - patterns: + - pattern-inside: | + $TEMPLATE = $ENV.get_template(...) + ... + - pattern: $TEMPLATE.render(...) + - patterns: + - pattern-inside: | + $TEMPLATE = jinja2.Template(...) + ... + - pattern: $TEMPLATE.render(...) +- id: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup + message: Detected explicitly unescaped content using 'Markup()'. This permits the + unescaped data to include unescaped HTML which could result in cross-site scripting. + Ensure this data is not externally controlled, or consider rewriting to not use + 'Markup()'. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://tedboy.github.io/flask/generated/generated/flask.Markup.html + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup + shortlink: https://sg.run/AvZ8 + semgrep.dev: + rule: + rule_id: lBU95l + version_id: 5PT6Yv + url: https://semgrep.dev/playground/r/5PT6Yv/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: flask.Markup(...) + - pattern: flask.Markup.unescape(...) + - pattern: markupsafe.Markup(...) + - pattern: $MARKUPOBJ.unescape() +- id: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off + message: Detected a segment of a Flask template where autoescaping is explicitly + disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this + segment. Ensure no user data is rendered here, otherwise this is a cross-site + scripting (XSS) vulnerability, or turn autoescape on. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping + - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off + shortlink: https://sg.run/Bkn2 + semgrep.dev: + rule: + rule_id: YGURo6 + version_id: GxT2W2 + url: https://semgrep.dev/playground/r/GxT2W2/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off + origin: community + languages: + - regex + paths: + include: + - '*.html' + severity: WARNING + pattern-regex: '{%\s*autoescape\s+false\s*%}' +- id: python.flask.security.xss.audit.template-href-var.template-href-var + message: Detected a template variable used in an anchor tag with the 'href' attribute. + This allows a malicious actor to input the 'javascript:' URI and is subject to + cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. + You may also consider setting the Content Security Policy (CSP) header. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss + - https://content-security-policy.com/ + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var + shortlink: https://sg.run/Do7o + semgrep.dev: + rule: + rule_id: 6JUjej + version_id: RGTbwv + url: https://semgrep.dev/playground/r/RGTbwv/python.flask.security.xss.audit.template-href-var.template-href-var + origin: community + languages: + - generic + paths: + include: + - '*.html' + severity: WARNING + patterns: + - pattern-inside: + - pattern-either: + - pattern: href = {{ ... }} + - pattern: href = "{{ ... }}" + - pattern: href = '{{ ... }}' + - pattern-not-inside: href = {{ url_for(...) ... }} + - pattern-not-inside: href = "{{ url_for(...) ... }}" + - pattern-not-inside: href = '{{ url_for(...) ... }}' +- id: python.jinja2.security.audit.autoescape-disabled.autoescape-disabled + patterns: + - pattern-not: jinja2.Environment(..., autoescape=True, ...) + - pattern-not: jinja2.Environment(..., autoescape=jinja2.select_autoescape(...), + ...) + - pattern: jinja2.Environment(...) + fix-regex: + regex: (.*)\) + replacement: \1, autoescape=True) + message: Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape + by default. This is dangerous if you are rendering to a browser because this allows + for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping + by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' + to only enable automatic escaping for certain file extensions. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html + cwe: 'CWE-116: Improper Encoding or Escaping of Output' + owasp: 'A6: Security Misconfiguration' + references: + - https://jinja.palletsprojects.com/en/2.11.x/api/#basics + category: security + technology: + - jinja2 + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled.autoescape-disabled + shortlink: https://sg.run/KlGX + semgrep.dev: + rule: + rule_id: pKUOrp + version_id: yeTDg8 + url: https://semgrep.dev/playground/r/yeTDg8/python.jinja2.security.audit.autoescape-disabled.autoescape-disabled + origin: community + languages: + - python + severity: WARNING +- id: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials + languages: + - python + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + references: + - https://cwe.mitre.org/data/definitions/522.html + category: security + technology: + - jwt + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials + shortlink: https://sg.run/qxPy + semgrep.dev: + rule: + rule_id: 2ZUb1L + version_id: K3TlPb + url: https://semgrep.dev/playground/r/K3TlPb/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials + origin: community + message: Password is exposed through JWT token payload. This is not encrypted and + the password could be compromised. Do not store passwords in JWT tokens. + pattern-either: + - pattern: | + jwt.encode({...,"password":$P,...},...) + - pattern: | + $PAYLOAD = {...,"password":$P,...} + ... + jwt.encode($PAYLOAD,...) + severity: ERROR +- id: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret + message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently + Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html + Consider using an appropriate security mechanism to protect the credentials (e.g. + keeping secrets in environment variables)' + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + references: + - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret + shortlink: https://sg.run/l2E9 + semgrep.dev: + rule: + rule_id: X5U8P5 + version_id: qkTN9o + url: https://semgrep.dev/playground/r/qkTN9o/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret + origin: community + patterns: + - pattern: | + jwt.encode($X, $SECRET, ...) + - focus-metavariable: $SECRET + - pattern: | + "..." + languages: + - python + severity: ERROR +- id: python.jwt.security.jwt-none-alg.jwt-python-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg + shortlink: https://sg.run/Yvp4 + semgrep.dev: + rule: + rule_id: j2UvKw + version_id: l4T5ez + url: https://semgrep.dev/playground/r/l4T5ez/python.jwt.security.jwt-none-alg.jwt-python-none-alg + origin: community + languages: + - python + severity: ERROR + pattern-either: + - pattern: | + jwt.encode(...,algorithm="none",...) + - pattern: jwt.decode(...,algorithms=[...,"none",...],...) +- id: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode + pattern: | + jwt.decode(..., verify=False, ...) + message: Detected JWT token decoded with 'verify=False'. This bypasses any integrity + checks for the token which means the token could be tampered with by malicious + actors. Ensure that the JWT token is verified. + metadata: + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-287: Improper Authentication' + references: + - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96 + category: security + technology: + - jwt + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode + shortlink: https://sg.run/6nyB + semgrep.dev: + rule: + rule_id: 10UKjo + version_id: YDTozD + url: https://semgrep.dev/playground/r/YDTozD/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode + origin: community + fix-regex: + regex: (verify\s*=\s*)False + replacement: \1True + severity: ERROR + languages: + - python +- id: python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data + message: The object is passed strictly to jwt.encode(...) Make sure that sensitive + information is not exposed through JWT token payload. + severity: WARNING + metadata: + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data + shortlink: https://sg.run/ox8R + semgrep.dev: + rule: + rule_id: 9AU1zW + version_id: 0bTvQ7 + url: https://semgrep.dev/playground/r/0bTvQ7/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data + origin: community + languages: + - python + patterns: + - pattern-inside: | + def $FUNC(...,$INPUT,...): + ... + - pattern: jwt.encode($INPUT,...) +- id: python.lang.compatibility.python36.python36-compatibility-ssl + pattern: ssl.get_ciphers() + message: this function is only available on Python 3.6+ + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl + shortlink: https://sg.run/kXn2 + semgrep.dev: + rule: + rule_id: ZqU5wR + version_id: 3ZTLXP + url: https://semgrep.dev/playground/r/3ZTLXP/python.lang.compatibility.python36.python36-compatibility-ssl + origin: community +- id: python.lang.compatibility.python36.python36-compatibility-Popen1 + pattern: subprocess.Popen(errors=$X, ...) + message: the `errors` argument to Popen is only available on Python 3.6+ + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1 + shortlink: https://sg.run/weBP + semgrep.dev: + rule: + rule_id: nJUz7A + version_id: 44Tejz + url: https://semgrep.dev/playground/r/44Tejz/python.lang.compatibility.python36.python36-compatibility-Popen1 + origin: community +- id: python.lang.compatibility.python36.python36-compatibility-Popen2 + pattern: subprocess.Popen(encoding=$X, ...) + message: the `encoding` argument to Popen is only available on Python 3.6+ + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2 + shortlink: https://sg.run/x1Dg + semgrep.dev: + rule: + rule_id: EwU2n3 + version_id: PkTj3B + url: https://semgrep.dev/playground/r/PkTj3B/python.lang.compatibility.python36.python36-compatibility-Popen2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-importlib + pattern: importlib.source_hash() + message: source_hash' is only available on Python 3.7+. This does not work in lower + versions, and therefore is not backwards compatible. Instead, use another hash + function. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib + shortlink: https://sg.run/OPDn + semgrep.dev: + rule: + rule_id: 7KUQOl + version_id: JdToxL + url: https://semgrep.dev/playground/r/JdToxL/python.lang.compatibility.python37.python37-compatibility-importlib + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-importlib2 + pattern: import importlib.resources + message: Found 'importlib.resources', which is a module only available on Python + 3.7+. This does not work in lower versions, and therefore is not backwards compatible. + Use importlib_resources instead for older Python versions. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2 + shortlink: https://sg.run/eL3y + semgrep.dev: + rule: + rule_id: L1Uy0n + version_id: 5PTN1p + url: https://semgrep.dev/playground/r/5PTN1p/python.lang.compatibility.python37.python37-compatibility-importlib2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-httpconn + pattern: http.client.HTTPConnection(blocksize=$X,...) + message: Found usage of the 'blocksize' argument in a HTTPConnection call. This + is only available on Python 3.7+ and is therefore not backwards compatible. Remove + this in order for this code to work in Python 3.6 and below. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn + shortlink: https://sg.run/vzAb + semgrep.dev: + rule: + rule_id: 8GUjbX + version_id: GxToeD + url: https://semgrep.dev/playground/r/GxToeD/python.lang.compatibility.python37.python37-compatibility-httpconn + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-httpsconn + pattern: http.client.HTTPSConnection(blocksize=$X,...) + message: Found usage of the 'blocksize' argument in a HTTPSConnection call. This + is only available on Python 3.7+ and is therefore not backwards compatible. Remove + this in order for this code to work in Python 3.6 and below. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn + shortlink: https://sg.run/dKwd + semgrep.dev: + rule: + rule_id: gxU1qd + version_id: RGT2L2 + url: https://semgrep.dev/playground/r/RGT2L2/python.lang.compatibility.python37.python37-compatibility-httpsconn + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-importlib3 + pattern: import importlib.abc.ResourceReader + message: Found usage of 'importlib.abc.ResourceReader'. This module is only available + on Python 3.7+ and is therefore not backwards compatible. Instead, use another + loader. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3 + shortlink: https://sg.run/Zv2o + semgrep.dev: + rule: + rule_id: QrUzJ9 + version_id: A8TNdJ + url: https://semgrep.dev/playground/r/A8TNdJ/python.lang.compatibility.python37.python37-compatibility-importlib3 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-textiowrapper + pattern: TextIOWrapper.reconfigure(...) + message: Found usage of 'importlib.abc.ResourceReader'. This module is only available + on Python 3.7+ and is therefore not backwards compatible. Instead, use another + loader. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper + shortlink: https://sg.run/ndL2 + semgrep.dev: + rule: + rule_id: 3qUPdy + version_id: BjTKZr + url: https://semgrep.dev/playground/r/BjTKZr/python.lang.compatibility.python37.python37-compatibility-textiowrapper + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-ipv6network1 + pattern: ipaddress.IPv6Network.subnet_of($X) + message: IPv6Network.subnet_of is only available on Python 3.7+ and is therefore + not backwards compatible. Instead, check if the subnet is in 'subnets'. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1 + shortlink: https://sg.run/EkLe + semgrep.dev: + rule: + rule_id: 4bUko0 + version_id: DkT2bY + url: https://semgrep.dev/playground/r/DkT2bY/python.lang.compatibility.python37.python37-compatibility-ipv6network1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-ipv6network2 + pattern: ipaddress.IPv6Network.supernet_of($X) + message: IPv6Network.supernet_of is only available on Python 3.7+ and is therefore + not backwards compatible. Instead, check if the supernet is in 'supernet'. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2 + shortlink: https://sg.run/7orW + semgrep.dev: + rule: + rule_id: PeUZYr + version_id: WrTYKq + url: https://semgrep.dev/playground/r/WrTYKq/python.lang.compatibility.python37.python37-compatibility-ipv6network2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-ipv4network1 + pattern: ipaddress.IPv4Network.subnet_of($X) + message: IPv4Network.subnet_of is only available on Python 3.7+ and is therefore + not backwards compatible. Instead, check if the subnet is in 'subnets'. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1 + shortlink: https://sg.run/LwRo + semgrep.dev: + rule: + rule_id: JDUyqR + version_id: 0bTpzo + url: https://semgrep.dev/playground/r/0bTpzo/python.lang.compatibility.python37.python37-compatibility-ipv4network1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-ipv4network2 + pattern: ipaddress.IPv4Network.supernet_of($X) + message: IPv4Network.supernet_of is only available on Python 3.7+ and is therefore + not backwards compatible. Instead, check if the supernet is in 'supernet'. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2 + shortlink: https://sg.run/8y3E + semgrep.dev: + rule: + rule_id: 5rUO61 + version_id: K3Twkg + url: https://semgrep.dev/playground/r/K3Twkg/python.lang.compatibility.python37.python37-compatibility-ipv4network2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-locale1 + pattern: locale.format_string(monetary=$X, ...) + message: Found usage of the 'monetary' argument in a function call of 'locale.format_string'. + This is only available on Python 3.7+ and is therefore not backwards compatible. + Instead, remove the 'monetary' argument. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1 + shortlink: https://sg.run/gLeZ + semgrep.dev: + rule: + rule_id: GdU72R + version_id: qkTp7L + url: https://semgrep.dev/playground/r/qkTp7L/python.lang.compatibility.python37.python37-compatibility-locale1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-math1 + pattern: math.remainder($X, $Y) + message: math.remainder is only available on Python 3.7+ and is therefore not backwards + compatible. Instead, use math.fmod() or calculate $X - n* $Y. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1 + shortlink: https://sg.run/Q50Q + semgrep.dev: + rule: + rule_id: ReUgbz + version_id: l4TXR1 + url: https://semgrep.dev/playground/r/l4TXR1/python.lang.compatibility.python37.python37-compatibility-math1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-multiprocess1 + pattern: multiprocessing.Process.close() + message: multiprocessing.Process.close() is only available on Python 3.7+ and is + therefore not backwards compatible. Instead, use join(). + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1 + shortlink: https://sg.run/3xjp + semgrep.dev: + rule: + rule_id: AbUzRA + version_id: YDTYeO + url: https://semgrep.dev/playground/r/YDTYeO/python.lang.compatibility.python37.python37-compatibility-multiprocess1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-multiprocess2 + pattern: multiprocessing.Process.kill() + message: multiprocessing.Process.kill() is only available on Python 3.7+ and is + therefore not backwards compatible. Instead, use terminate(). + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2 + shortlink: https://sg.run/4x1z + semgrep.dev: + rule: + rule_id: BYUNE9 + version_id: 6xTy90 + url: https://semgrep.dev/playground/r/6xTy90/python.lang.compatibility.python37.python37-compatibility-multiprocess2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-os1 + pattern: os.preadv(...) + message: os.preadv() is only available on Python 3.7+ and is therefore not backwards + compatible. Instead, use a combination of os.readv() and os.pread(). + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1 + shortlink: https://sg.run/PJWW + semgrep.dev: + rule: + rule_id: DbUpQQ + version_id: o5TKDW + url: https://semgrep.dev/playground/r/o5TKDW/python.lang.compatibility.python37.python37-compatibility-os1 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-os2-ok2 + patterns: + - pattern-not-inside: | + if hasattr(os, 'pwritev'): + ... + - pattern: os.pwritev(...) + message: os.pwritev() is only available on Python 3.3+ and is therefore not backwards + compatible. Instead, use a combination of pwrite() and writev(). + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2 + shortlink: https://sg.run/5Q9X + semgrep.dev: + rule: + rule_id: 0oU5vW + version_id: zyTG29 + url: https://semgrep.dev/playground/r/zyTG29/python.lang.compatibility.python37.python37-compatibility-os2-ok2 + origin: community +- id: python.lang.compatibility.python37.python37-compatibility-pdb + pattern: pdb.set_trace(header=$X, ...) + message: pdb.set_trace() with the header argument is only available on Python 3.7+ + and is therefore not backwards compatible. Instead, use set_trace() without the + header argument. + languages: + - python + severity: ERROR + metadata: + category: compatibility + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb + shortlink: https://sg.run/GeA2 + semgrep.dev: + rule: + rule_id: KxUby2 + version_id: pZTb3R + url: https://semgrep.dev/playground/r/pZTb3R/python.lang.compatibility.python37.python37-compatibility-pdb + origin: community +- id: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-md5 + pattern: hashlib.md5(...) + fix-regex: + regex: md5 + replacement: sha256 + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: 'A3: Sensitive Data Exposure' + bandit-code: B303 + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.2 Insecure Custom Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://tools.ietf.org/html/rfc6151 + - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-md5 + shortlink: https://sg.run/9odY + semgrep.dev: + rule: + rule_id: wdUJ2Y + version_id: nWTPy6 + url: https://semgrep.dev/playground/r/nWTPy6/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-md5 + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 + pattern: hashlib.sha1(...) + fix-regex: + regex: sha1 + replacement: sha256 + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Use SHA256 or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B303 + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.2 Insecure Custom Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - python + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 + shortlink: https://sg.run/ydYx + semgrep.dev: + rule: + rule_id: x8UnBk + version_id: l4T53z + url: https://semgrep.dev/playground/r/l4T53z/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.insecure-hash-function.insecure-hash-function + message: Detected use of an insecure MD4 or MD5 hash function. These functions have + known vulnerabilities and are considered deprecated. Consider using 'SHA256' or + a similar function instead. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/hashlib_new_insecure_functions.py + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.2 Insecure Custom Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://tools.ietf.org/html/rfc6151 + - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function + shortlink: https://sg.run/rdBn + semgrep.dev: + rule: + rule_id: OrU30g + version_id: YDTogD + url: https://semgrep.dev/playground/r/YDTogD/python.lang.security.insecure-hash-function.insecure-hash-function + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: hashlib.new("=~/[M|m][D|d][4|5]/", ...) + - pattern: hashlib.new(..., name="=~/[M|m][D|d][4|5]/", ...) +- id: python.lang.security.unquoted-csv-writer.unquoted-csv-writer + patterns: + - pattern: a() + - pattern: b() + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' + owasp: A01:2017 - Injection + references: + - https://github.com/returntocorp/semgrep-rules/issues/2351 + category: security + technology: + - python + deprecated: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.lang.security.unquoted-csv-writer.unquoted-csv-writer + shortlink: https://sg.run/b7vp + semgrep.dev: + rule: + rule_id: eqU8dk + version_id: JdTqO6 + url: https://semgrep.dev/playground/r/JdTqO6/python.lang.security.unquoted-csv-writer.unquoted-csv-writer + origin: community + fix-regex: + regex: (.*)\) + replacement: \1, quoting=csv.QUOTE_ALL) + languages: + - python + severity: ERROR +- id: python.lang.security.unverified-ssl-context.unverified-ssl-context + patterns: + - pattern-either: + - pattern: ssl._create_unverified_context(...) + - pattern: ssl._create_default_https_context = ssl._create_unverified_context + fix-regex: + regex: _create_unverified_context + replacement: create_default_context + message: Unverified SSL context detected. This will permit insecure connections + without verifying SSL certificates. Use 'ssl.create_default_context' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-295: Improper Certificate Validation' + references: + - https://docs.python.org/3/library/ssl.html#ssl-security + - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context + shortlink: https://sg.run/N4lp + semgrep.dev: + rule: + rule_id: v8UnkQ + version_id: 5PT6Ky + url: https://semgrep.dev/playground/r/5PT6Ky/python.lang.security.unverified-ssl-context.unverified-ssl-context + origin: community + severity: ERROR + languages: + - python +- id: python.lang.security.use-defused-xml.use-defused-xml + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + references: + - https://docs.python.org/3/library/xml.html + - https://github.com/tiran/defusedxml + - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml + shortlink: https://sg.run/kX47 + semgrep.dev: + rule: + rule_id: d8UjRx + version_id: GxT2bo + url: https://semgrep.dev/playground/r/GxT2bo/python.lang.security.use-defused-xml.use-defused-xml + origin: community + message: The Python documentation recommends using `defusedxml` instead of `xml` + because the native Python `xml` library is vulnerable to XML External Entity (XXE) + attacks. These attacks can leak confidential data and "XML bombs" can cause denial + of service. + languages: + - python + severity: ERROR + pattern: import xml +- id: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc + pattern-either: + - pattern: import xmlrpclib + - pattern: import SimpleXMLRPCServer + - pattern: import xmlrpc + message: Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. + Use defusedxml.xmlrpc instead. + metadata: + cwe: + - 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML + Entity Expansion'')' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160 + references: + - https://pypi.org/project/defusedxml/ + - https://docs.python.org/3/library/xml.html#xml-vulnerabilities + category: security + technology: + - python + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc + shortlink: https://sg.run/weqY + semgrep.dev: + rule: + rule_id: ZqU5EZ + version_id: RGTbNA + url: https://semgrep.dev/playground/r/RGTbNA/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc + origin: community + severity: ERROR + languages: + - python +- id: python.lang.security.audit.conn_recv.multiprocessing-recv + languages: + - python + message: 'The Connection.recv() method automatically unpickles the data it receives, + which can be a security risk unless you can trust the process which sent the message. + Therefore, unless the connection object was produced using Pipe() you should only + use the recv() and send() methods after performing some sort of authentication. + See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection' + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv + shortlink: https://sg.run/x1lz + semgrep.dev: + rule: + rule_id: nJUzeK + version_id: 6xTeAE + url: https://semgrep.dev/playground/r/6xTeAE/python.lang.security.audit.conn_recv.multiprocessing-recv + origin: community + pattern-either: + - pattern: multiprocessing.connection.Connection.recv(...) + - pattern: multiprocessing.connection.Client.recv(...) + - pattern: | + $C = multiprocessing.connection.Client(...) + ... + $C.recv(...) + severity: WARNING +- id: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected + patterns: + - pattern-not: urllib.$W("...") + - pattern-not: urllib.request.$W("...") + - pattern-not: $OPENER.$W("...") + - pattern-either: + - pattern: urllib.urlopen(...) + - pattern: urllib.request.urlopen(...) + - pattern: urllib.urlretrieve(...) + - pattern: urllib.request.urlretrieve(...) + - patterns: + - pattern-either: + - pattern-inside: | + $OPENER = urllib.URLopener(...) + ... + - pattern-inside: | + $OPENER = urllib.request.URLopener(...) + ... + - pattern-inside: | + $OPENER = urllib.FancyURLopener(...) + ... + - pattern-inside: | + $OPENER = urllib.request.FancyURLopener(...) + ... + - pattern-either: + - pattern: $OPENER.open(...) + - pattern: $OPENER.retrieve(...) + message: Detected a dynamic value being used with urllib. urllib supports 'file://' + schemes, so a dynamic value controlled by a malicious actor may allow them to + read arbitrary files. Audit uses of urllib calls to ensure user data cannot control + the URLs, or consider using the 'requests' library instead. + metadata: + cwe: + - 'CWE-939: Improper Authorization in Handler for Custom URL Scheme' + owasp: A01:2017 - Injection + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163 + bandit-code: B310 + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dynamic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + references: + - https://cwe.mitre.org/data/definitions/939.html + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected + shortlink: https://sg.run/dKZZ + semgrep.dev: + rule: + rule_id: 8GUj22 + version_id: 7ZTO58 + url: https://semgrep.dev/playground/r/7ZTO58/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.eval-detected.eval-detected + patterns: + - pattern-not: eval(f"") + - pattern-not: eval("...") + - pattern: eval(...) + message: Detected the use of eval(). eval() can be dangerous if used to evaluate + dynamic content. If this content can be input from outside the program, this may + be a code injection vulnerability. Ensure evaluated content is not definable by + external sources. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dyanmic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected + shortlink: https://sg.run/ZvrD + semgrep.dev: + rule: + rule_id: gxU149 + version_id: X0T3nj + url: https://semgrep.dev/playground/r/X0T3nj/python.lang.security.audit.eval-detected.eval-detected + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.exec-detected.exec-detected + patterns: + - pattern-not: exec("...") + - pattern: exec(...) + message: Detected the use of exec(). exec() can be dangerous if used to evaluate + dynamic content. If this content can be input from outside the program, this may + be a code injection vulnerability. Ensure evaluated content is not definable by + external sources. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b102_exec_used.html + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dyanmic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected + shortlink: https://sg.run/ndRX + semgrep.dev: + rule: + rule_id: QrUzKv + version_id: 8KTbW8 + url: https://semgrep.dev/playground/r/8KTbW8/python.lang.security.audit.exec-detected.exec-detected + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.formatted-sql-query.formatted-sql-query + message: Detected possible formatted SQL query. Use parameterized queries instead. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://stackoverflow.com/questions/775296/mysql-parameterized-queries + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query + shortlink: https://sg.run/EkWw + semgrep.dev: + rule: + rule_id: 3qUP9k + version_id: gETqL2 + url: https://semgrep.dev/playground/r/gETqL2/python.lang.security.audit.formatted-sql-query.formatted-sql-query + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: $DB.execute("..." % ...) + - pattern: $DB.execute("...".format(...)) + - pattern: $DB.execute(f"...") + - patterns: + - pattern-either: + - pattern-inside: | + $SQL = "..." % ... + ... + - pattern-inside: | + $SQL = "...".format(...) + ... + - pattern-inside: | + $SQL = f"...{$X}..." + ... + - pattern: $DB.execute($SQL) +- id: python.lang.security.audit.ftplib.ftplib + pattern: ftplib.$ANYTHING(...) + message: FTP does not encrypt communications by default. This can lead to sensitive + data being exposed. Ensure use of FTP here does not expose sensitive data. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L265 + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B321 + references: + - https://docs.python.org/3/library/telnetlib.html + category: security + technology: + - ftplib + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.ftplib.ftplib + shortlink: https://sg.run/7oyZ + semgrep.dev: + rule: + rule_id: 4bUkv7 + version_id: QkTJBN + url: https://semgrep.dev/playground/r/QkTJBN/python.lang.security.audit.ftplib.ftplib + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument + message: Hardcoded password is used as a default argument to '$FUNC'. This could + be dangerous if a real password is not supplied. + languages: + - python + severity: WARNING + patterns: + - pattern: | + def $FUNC(..., password="...", ...): + ... + - pattern-not: | + def $FUNC(..., password="", ...): + ... + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - python + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument + shortlink: https://sg.run/Lw9r + semgrep.dev: + rule: + rule_id: PeUZAW + version_id: 3ZTd7X + url: https://semgrep.dev/playground/r/3ZTd7X/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument + origin: community +- id: python.lang.security.audit.httpsconnection-detected.httpsconnection-detected + message: The HTTPSConnection API has changed frequently with minor releases of Python. + Ensure you are using the API for your version of Python securely. For example, + Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. + See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection + for more information. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-295: Improper Certificate Validation' + references: + - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected + shortlink: https://sg.run/8yby + semgrep.dev: + rule: + rule_id: JDUy7y + version_id: 44Toxd + url: https://semgrep.dev/playground/r/44Toxd/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: httplib.HTTPSConnection(...) + - pattern: http.client.HTTPSConnection(...) + - pattern: six.moves.http_client.HTTPSConnection(...) +- id: python.lang.security.audit.mako-templates-detected.mako-templates-detected + pattern: mako.template.Template(...) + message: Mako templates do not provide a global HTML escaping mechanism. This means + you must escape all sensitive data in your templates using '| u' for URL escaping + or '| h' for HTML escaping. If you are using Mako to serve web content, consider + using a system such as Jinja2 which enables global escaping. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py + references: + - https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping + - https://jinja.palletsprojects.com/en/2.11.x/intro/# + category: security + technology: + - mako + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected + shortlink: https://sg.run/Q5v4 + semgrep.dev: + rule: + rule_id: GdU79Z + version_id: jQTKpn + url: https://semgrep.dev/playground/r/jQTKpn/python.lang.security.audit.mako-templates-detected.mako-templates-detected + origin: community + languages: + - python + severity: INFO +- id: python.lang.security.audit.marshal.marshal-usage + languages: + - python + message: 'The marshal module is not intended to be secure against erroneous or maliciously + constructed data. Never unmarshal data received from an untrusted or unauthenticated + source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security' + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.python.org/3/library/marshal.html?highlight=security + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage + shortlink: https://sg.run/3xor + semgrep.dev: + rule: + rule_id: ReUg13 + version_id: 1QTjn2 + url: https://semgrep.dev/playground/r/1QTjn2/python.lang.security.audit.marshal.marshal-usage + origin: community + pattern-either: + - pattern: marshal.dump(...) + - pattern: marshal.dumps(...) + - pattern: marshal.load(...) + - pattern: marshal.loads(...) + severity: WARNING +- id: python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key + patterns: + - pattern-inside: | + $CLIENT = paramiko.client.SSHClient(...) + ... + $CLIENT.set_missing_host_key_policy(...) + - pattern-either: + - pattern: paramiko.client.AutoAddPolicy + - pattern: paramiko.client.WarningPolicy + message: Detected a paramiko host key policy that implicitly trusts a server's host + key. Host keys should be verified to ensure the connection is not to a malicious + server. Use RejectPolicy or a custom subclass instead. + metadata: + cwe: + - 'CWE-322: Key Exchange without Entity Authentication' + owasp: + - A02:2021 - Cryptographic Failures + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/ssh_no_host_key_verification.py + references: + - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy + category: security + technology: + - paramiko + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key + shortlink: https://sg.run/4xpl + semgrep.dev: + rule: + rule_id: AbUzbe + version_id: w8T3vv + url: https://semgrep.dev/playground/r/w8T3vv/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated + pattern: ssl.wrap_socket(...) + message: '''ssl.wrap_socket()'' is deprecated. This function creates an insecure + socket without server name indication or hostname matching. Instead, create an + SSL context using ''ssl.SSLContext()'' and use that to wrap a socket.' + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://docs.python.org/3/library/ssl.html#ssl.wrap_socket + - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket + category: security + technology: + - python + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated + shortlink: https://sg.run/PJOY + semgrep.dev: + rule: + rule_id: BYUN2e + version_id: nWT7lj + url: https://semgrep.dev/playground/r/nWT7lj/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true + patterns: + - pattern: subprocess.$FUNC(..., shell=True, ...) + - pattern-not: subprocess.$FUNC("...", shell=True, ...) + message: Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous + because this call will spawn the command using a shell process. Doing so propagates + current shell settings and variables, which makes it much easier for a malicious + actor to execute commands. Use 'shell=False' instead. + fix-regex: + regex: (shell\s*=\s*)True + replacement: \1False + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + references: + - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess + - https://docs.python.org/3/library/subprocess.html + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true + shortlink: https://sg.run/J92w + semgrep.dev: + rule: + rule_id: DbUpz2 + version_id: ExTnb7 + url: https://semgrep.dev/playground/r/ExTnb7/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected + patterns: + - pattern-either: + - pattern-inside: os.system("...") + - pattern-inside: os.popen("...") + - pattern-inside: os.popen2("...") + - pattern-inside: os.popen3("...") + - pattern-inside: os.popen4("...") + - pattern-inside: subprocess.$W(..., shell=True, ...) + - pattern-regex: (tar|chmod|chown|rsync)(.*?)\* + message: Detected use of the wildcard character in a system call that spawns a shell. + This subjects the wildcard to normal shell expansion, which can have unintended + consequences if there exist any non-standard file names. Consider a file named + '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt + for more information. + metadata: + cwe: + - 'CWE-155: Improper Neutralization of Wildcards or Matching Symbols' + owasp: A01:2017 - Injection + source-url-open: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py + references: + - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected + shortlink: https://sg.run/5QXA + semgrep.dev: + rule: + rule_id: WAUorE + version_id: 7ZTOw8 + url: https://semgrep.dev/playground/r/7ZTOw8/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.telnetlib.telnetlib + pattern: telnetlib.$ANYTHING(...) + message: Telnet does not encrypt communications. Use SSH instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L208 + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B312 + references: + - https://docs.python.org/3/library/telnetlib.html + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.telnetlib.telnetlib + shortlink: https://sg.run/Gelp + semgrep.dev: + rule: + rule_id: 0oU5Wl + version_id: LjT0Jv + url: https://semgrep.dev/playground/r/LjT0Jv/python.lang.security.audit.telnetlib.telnetlib + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.audit.weak-ssl-version.weak-ssl-version + message: An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL + versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' + or higher. + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/insecure_ssl_tls.py#L30 + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.3 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements + version: '4' + references: + - https://tools.ietf.org/html/rfc7568 + - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html + - https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1_2 + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.audit.weak-ssl-version.weak-ssl-version + shortlink: https://sg.run/RoZO + semgrep.dev: + rule: + rule_id: KxUbNG + version_id: 8KTb08 + url: https://semgrep.dev/playground/r/8KTb08/python.lang.security.audit.weak-ssl-version.weak-ssl-version + origin: community + languages: + - python + severity: WARNING + pattern-either: + - pattern: ssl.PROTOCOL_SSLv2 + - pattern: ssl.PROTOCOL_SSLv3 + - pattern: ssl.PROTOCOL_TLSv1 + - pattern: ssl.PROTOCOL_TLSv1_1 + - pattern: pyOpenSSL.SSL.SSLv2_METHOD + - pattern: pyOpenSSL.SSL.SSLv23_METHOD + - pattern: pyOpenSSL.SSL.SSLv3_METHOD + - pattern: pyOpenSSL.SSL.TLSv1_METHOD + - pattern: pyOpenSSL.SSL.TLSv1_1_METHOD +- id: python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls + pattern: ftplib.FTP(...) + fix-regex: + regex: FTP(.*)\) + replacement: FTP_TLS\1, context=ssl.create_default_context()) + message: The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' + class instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS + category: security + technology: + - ftplib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls + shortlink: https://sg.run/AvPp + semgrep.dev: + rule: + rule_id: qNUjlR + version_id: JdTq2d + url: https://semgrep.dev/playground/r/JdTq2d/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context + options: + symbolic_propagation: true + mode: taint + pattern-sources: + - patterns: + - pattern: | + "$URL" + - metavariable-pattern: + metavariable: $URL + language: regex + patterns: + - pattern-regex: http:// + - pattern-not-regex: .*://localhost + - pattern-not-regex: .*://127\.0\.0\.1 + pattern-sinks: + - patterns: + - pattern-inside: | + with requests.Session(...) as $SESSION: + ... + - pattern-either: + - pattern: $SESSION.$W($SINK, ...) + - pattern: $SESSION.request($METHOD, $SINK, ...) + - focus-metavariable: $SINK + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + message: Detected a request using 'http://'. This request will be unencrypted. Use + 'https://' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + asvs: + section: V9 Communications Verification Requirements + control_id: 9.2.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + category: security + technology: + - requests + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context + shortlink: https://sg.run/Bk5W + semgrep.dev: + rule: + rule_id: lBU9BZ + version_id: 5PT6Bv + url: https://semgrep.dev/playground/r/5PT6Bv/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context + origin: community + languages: + - python + severity: INFO +- id: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http + options: + symbolic_propagation: true + mode: taint + pattern-sources: + - patterns: + - pattern: | + "$URL" + - metavariable-pattern: + metavariable: $URL + language: regex + patterns: + - pattern-regex: http:// + - pattern-not-regex: .*://localhost + - pattern-not-regex: .*://127\.0\.0\.1 + pattern-sinks: + - patterns: + - pattern-either: + - pattern: requests.Session(...).$W($SINK, ...) + - pattern: requests.Session(...).request($METHOD, $SINK, ...) + - focus-metavariable: $SINK + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + message: Detected a request using 'http://'. This request will be unencrypted. Use + 'https://' instead. + languages: + - python + severity: INFO + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + category: security + technology: + - requests + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http + shortlink: https://sg.run/DoBY + semgrep.dev: + rule: + rule_id: YGURXw + version_id: GxT242 + url: https://semgrep.dev/playground/r/GxT242/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http + origin: community +- id: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + message: Detected a request using 'http://'. This request will be unencrypted, and + attackers could listen into traffic on the network and be able to obtain sensitive + information. Use 'https://' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + category: security + technology: + - requests + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http + shortlink: https://sg.run/W8J4 + semgrep.dev: + rule: + rule_id: 6JUjpG + version_id: RGTbBv + url: https://semgrep.dev/playground/r/RGTbBv/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http + origin: community + languages: + - python + severity: INFO + options: + symbolic_propagation: true + mode: taint + pattern-sources: + - patterns: + - pattern: | + "$URL" + - metavariable-pattern: + metavariable: $URL + language: regex + patterns: + - pattern-regex: http:// + - pattern-not-regex: .*://localhost + - pattern-not-regex: .*://127\.0\.0\.1 + pattern-sinks: + - patterns: + - pattern-either: + - pattern: requests.$W($SINK, ...) + - pattern: requests.request($METHOD, $SINK, ...) + - pattern: requests.Request($METHOD, $SINK, ...) + - focus-metavariable: $SINK +- id: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers + pattern: $CONTEXT.set_ciphers(...) + message: The 'ssl' module disables insecure cipher suites by default. Therefore, + use of 'set_ciphers()' should only be used when you have very specialized requirements. + Otherwise, you risk lowering the security of the SSL channel. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.3 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements + version: '4' + references: + - https://docs.python.org/3/library/ssl.html#cipher-selection + - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers + category: security + technology: + - ssl + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers + shortlink: https://sg.run/0Q0v + semgrep.dev: + rule: + rule_id: oqUeYJ + version_id: A8TRyb + url: https://semgrep.dev/playground/r/A8TRyb/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers + origin: community + languages: + - python + severity: WARNING +- id: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp + message: Detected an unsecured transmission channel. 'OpenerDirector.open(...)' + is being used with 'ftp://'. Information sent over this connection will be unencrypted. + Consider using SFTP instead. urllib does not support SFTP, so consider a library + which supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp + shortlink: https://sg.run/Klj7 + semgrep.dev: + rule: + rule_id: zdUkPQ + version_id: BjTEoW + url: https://semgrep.dev/playground/r/BjTEoW/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.OpenerDirector(...).open("=~/^[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: $OPENERDIRECTOR.open("=~/^[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: | + $URL = "=~/^[Ff][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.open($URL, ...) + - pattern: | + $URL = "=~/^[Ff][Tt][Pp]://.*/" + ... + urllib.request.OpenerDirector(...).open($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.OpenerDirector(...).open($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: $OPENERDIRECTOR.open($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open + message: Detected an unsecured transmission channel. 'OpenerDirector.open(...)' + is being used with 'http://'. Use 'https://' instead to secure the channel. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open + shortlink: https://sg.run/qxKz + semgrep.dev: + rule: + rule_id: pKUO9Q + version_id: DkTQL6 + url: https://semgrep.dev/playground/r/DkTQL6/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + pattern-either: + - pattern: urllib.request.OpenerDirector(...).open("=~/[Hh][Tt][Tt][Pp]://.*/", + ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: $OPENERDIRECTOR.open("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.open($URL, ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.OpenerDirector(...).open($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.OpenerDirector(...).open($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.OpenerDirector(...) + ... + - pattern: $OPENERDIRECTOR.open($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp + message: Detected a 'urllib.request.Request()' object using an insecure transport + protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP + instead. urllib does not support SFTP natively, so consider using a library which + supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp + shortlink: https://sg.run/l2Py + semgrep.dev: + rule: + rule_id: 2ZUbWA + version_id: WrTbgO + url: https://semgrep.dev/playground/r/WrTbgO/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.Request("=~/^[Ff][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/^[Ff][Tt][Pp]://.*/" + ... + urllib.request.Request($URL, ...) + - pattern: |- + def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...): + ... + urllib.request.Request($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object + message: Detected a 'urllib.request.Request()' object using an insecure transport + protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object + shortlink: https://sg.run/YvAe + semgrep.dev: + rule: + rule_id: X5U8Bp + version_id: 0bTvZ7 + url: https://semgrep.dev/playground/r/0bTvZ7/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + pattern-either: + - pattern: urllib.request.Request("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.Request($URL, ...) + - pattern: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + urllib.request.Request($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp + message: Detected 'urllib.urlopen()' using 'ftp://'. This request will not be encrypted. + Consider using SFTP instead. urllib does not support SFTP, so consider switching + to a library which supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp + shortlink: https://sg.run/6n1o + semgrep.dev: + rule: + rule_id: j2UvOG + version_id: K3TlRb + url: https://semgrep.dev/playground/r/K3TlRb/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.urlopen("=~/^[Ff][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/^[Ff][Tt][Pp]://.*/" + ... + urllib.request.urlopen($URL, ...) + - pattern: |- + def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...): + ... + urllib.request.urlopen($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen + message: Detected 'urllib.urlopen()' using 'http://'. This request will not be encrypted. + Use 'https://' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen + shortlink: https://sg.run/oxB9 + semgrep.dev: + rule: + rule_id: 10UKgW + version_id: qkTNro + url: https://semgrep.dev/playground/r/qkTNro/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + pattern-either: + - pattern: urllib.request.urlopen("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.urlopen($URL, ...) + - pattern: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + urllib.request.urlopen($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp + message: Detected an insecure transmission channel. 'URLopener.open(...)' is being + used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider + using a library which supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp + shortlink: https://sg.run/zvwG + semgrep.dev: + rule: + rule_id: 9AU1DY + version_id: l4T5Yz + url: https://semgrep.dev/playground/r/l4T5Yz/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.URLopener(...).open("=~/[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.open("=~/[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: | + $URL = "=~/[Ff][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.open($URL, ...) + - pattern: | + $URL = "=~/[Ff][Tt][Pp]://.*/" + ... + urllib.request.URLopener(...).open($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/[Ff][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.URLopener(...).open($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.open($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open + message: Detected an unsecured transmission channel. 'URLopener.open(...)' is being + used with 'http://'. Use 'https://' instead to secure the channel. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open + shortlink: https://sg.run/pxWg + semgrep.dev: + rule: + rule_id: yyUnwW + version_id: YDToxD + url: https://semgrep.dev/playground/r/YDToxD/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + pattern-either: + - pattern: urllib.request.URLopener(...).open("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.open("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.open($URL, ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.URLopener(...).open($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.URLopener(...).open($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.open($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp + message: Detected an insecure transmission channel. 'URLopener.retrieve(...)' is + being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider + using a library which supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp + shortlink: https://sg.run/2xY0 + semgrep.dev: + rule: + rule_id: r6UrPp + version_id: 6xTekE + url: https://semgrep.dev/playground/r/6xTekE/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.URLopener(...).retrieve("=~/[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.retrieve("=~/[Ff][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: | + $URL = "=~/[Ff][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.retrieve($URL, ...) + - pattern: | + $URL = "=~/[Ff][Tt][Pp]://.*/" + ... + urllib.request.URLopener(...).retrieve($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/[Ff][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.URLopener(...).retrieve($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.retrieve($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve + message: Detected an unsecured transmission channel. 'URLopener.retrieve(...)' is + being used with 'http://'. Use 'https://' instead to secure the channel. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve + shortlink: https://sg.run/XBGK + semgrep.dev: + rule: + rule_id: bwUw0n + version_id: o5TnPB + url: https://semgrep.dev/playground/r/o5TnPB/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + pattern-either: + - pattern: urllib.request.URLopener(...).retrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.retrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + $OPENERDIRECTOR.retrieve($URL, ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.URLopener(...).retrieve($URL, ...) + - patterns: + - pattern-inside: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + - pattern-either: + - pattern: urllib.request.URLopener(...).retrieve($URL, ...) + - patterns: + - pattern-inside: | + $OPENERDIRECTOR = urllib.request.URLopener(...) + ... + - pattern: $OPENERDIRECTOR.retrieve($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp + message: Detected 'urllib.urlretrieve()' using 'ftp://'. This request will not be + encrypted. Use SFTP instead. urllib does not support SFTP, so consider switching + to a library which supports SFTP. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp + shortlink: https://sg.run/jR8Y + semgrep.dev: + rule: + rule_id: NbUknL + version_id: zyT59G + url: https://semgrep.dev/playground/r/zyT59G/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: urllib.request.urlretrieve("=~/^[Ff][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/^[Ff][Tt][Pp]://.*/" + ... + urllib.request.urlretrieve($URL, ...) + - pattern: |- + def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...): + ... + urllib.request.urlretrieve($URL, ...) +- id: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve + message: Detected 'urllib.urlretrieve()' using 'http://'. This request will not + be encrypted. Use 'https://' instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve + category: security + technology: + - urllib + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve + shortlink: https://sg.run/1Zqw + semgrep.dev: + rule: + rule_id: kxUk4N + version_id: pZTrJN + url: https://semgrep.dev/playground/r/pZTrJN/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve + origin: community + severity: WARNING + languages: + - python + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + pattern-either: + - pattern: urllib.request.urlretrieve("=~/[Hh][Tt][Tt][Pp]://.*/", ...) + - pattern: | + $URL = "=~/[Hh][Tt][Tt][Pp]://.*/" + ... + urllib.request.urlretrieve($URL, ...) + - pattern: | + def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...): + ... + urllib.request.urlretrieve($URL, ...) +- id: python.lang.security.audit.logging.listeneval.listen-eval + languages: + - python + message: Because portions of the logging configuration are passed through eval(), + use of this function may open its users to a security risk. While the function + only binds to a socket on localhost, and so does not accept connections from remote + machines, there are scenarios where untrusted code could be run under the account + of the process which calls listen(). To avoid this happening, use the `verify()` + argument to `listen()` to prevent unrecognized configurations. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval + shortlink: https://sg.run/9okY + semgrep.dev: + rule: + rule_id: wdUJQY + version_id: 2KT1Xr + url: https://semgrep.dev/playground/r/2KT1Xr/python.lang.security.audit.logging.listeneval.listen-eval + origin: community + severity: WARNING + pattern: logging.config.listen(...) +- id: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure + patterns: + - pattern: | + $LOGGER_OBJ.$LOGGER_CALL($FORMAT_STRING,...) + - metavariable-regex: + metavariable: $LOGGER_OBJ + regex: (?i)(_logger|logger|self.logger|log) + - metavariable-regex: + metavariable: $LOGGER_CALL + regex: (debug|info|warn|warning|error|exception|critical) + - metavariable-regex: + metavariable: $FORMAT_STRING + regex: (?i).*(api.key|secret|credential|token|password).*\%s.* + message: Detected a python logger call with a potential hardcoded secret $FORMAT_STRING + being logged. This may lead to secret credentials being exposed. Make sure that + the logger is not logging sensitive information. + severity: WARNING + languages: + - python + metadata: + cwe: + - 'CWE-532: Insertion of Sensitive Information into Log File' + category: security + technology: + - python + owasp: + - A09:2021 - Security Logging and Monitoring Failures + references: + - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure + shortlink: https://sg.run/ydNx + semgrep.dev: + rule: + rule_id: x8UnJk + version_id: X0TPp2 + url: https://semgrep.dev/playground/r/X0TPp2/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure + origin: community +- id: python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces + message: Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly expose + the server publicly as it binds to all available interfaces. Consider instead + getting correct address from an environment variable or configuration file. + metadata: + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + owasp: + - A01:2021 - Broken Access Control + category: security + technology: + - python + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces + shortlink: https://sg.run/rdln + semgrep.dev: + rule: + rule_id: OrU3og + version_id: yeTXzG + url: https://semgrep.dev/playground/r/yeTXzG/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces + origin: community + languages: + - python + severity: INFO + pattern-either: + - pattern: | + $S = socket.socket(...) + ... + $S.bind(("0.0.0.0", ...)) + - pattern: | + $S = socket.socket(...) + ... + $S.bind(("::", ...)) + - pattern: | + $S = socket.socket(...) + ... + $S.bind(("", ...)) +- id: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation + patterns: + - pattern-either: + - pattern: urllib3.PoolManager(..., cert_reqs=$REQS, ...) + - pattern: urllib3.ProxyManager(..., cert_reqs=$REQS, ...) + - pattern: urllib3.HTTPSConnectionPool(..., cert_reqs=$REQS, ...) + - pattern: urllib3.connectionpool.HTTPSConnectionPool(..., cert_reqs=$REQS, ...) + - pattern: urllib3.connection_from_url(..., cert_reqs=$REQS, ...) + - pattern: urllib3.proxy_from_url(..., cert_reqs=$REQS, ...) + - pattern: $CONTEXT.wrap_socket(..., cert_reqs=$REQS, ...) + - pattern: ssl.wrap_socket(..., cert_reqs=$REQS, ...) + - metavariable-regex: + metavariable: $REQS + regex: (NONE|CERT_NONE|CERT_OPTIONAL|ssl\.CERT_NONE|ssl\.CERT_OPTIONAL|\'NONE\'|\"NONE\"|\'OPTIONAL\'|\"OPTIONAL\") + message: certificate verification explicitly disabled, insecure connections possible + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + category: security + technology: + - python + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation + shortlink: https://sg.run/b7yp + semgrep.dev: + rule: + rule_id: eqU87k + version_id: rxTxXN + url: https://semgrep.dev/playground/r/rxTxXN/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection + message: Detected HTTPConnectionPool. This will transmit data in cleartext. It is + recommended to use HTTPSConnectionPool instead for to encrypt communications. + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool + category: security + technology: + - python + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection + shortlink: https://sg.run/N4Np + semgrep.dev: + rule: + rule_id: v8UnWQ + version_id: bZTGJ6 + url: https://semgrep.dev/playground/r/bZTGJ6/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection + origin: community + languages: + - python + severity: ERROR + pattern-either: + - pattern: urllib3.HTTPConnectionPool(...) + - pattern: urllib3.connectionpool.HTTPConnectionPool(...) +- id: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command + patterns: + - pattern-inside: | + $CLIENT = paramiko.client.SSHClient(...) + ... + - pattern: $CLIENT.exec_command(...) + - pattern-not: $CLIENT.exec_command("...", ...) + message: Unverified SSL context detected. This will permit insecure connections + without verifying SSL certificates. Use 'ssl.create_default_context()' instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + references: + - http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command + - https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py + category: security + technology: + - paramiko + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command + shortlink: https://sg.run/kXQ7 + semgrep.dev: + rule: + rule_id: d8Uj9x + version_id: kbT79r + url: https://semgrep.dev/playground/r/kbT79r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command + origin: community + severity: ERROR + languages: + - python +- id: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation + - https://nvd.nist.gov/vuln/detail/CVE-2017-18342 + category: security + technology: + - pyyaml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load + shortlink: https://sg.run/we9Y + semgrep.dev: + rule: + rule_id: ZqU5jZ + version_id: A8TRxb + url: https://semgrep.dev/playground/r/A8TRxb/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load + origin: community + languages: + - python + message: Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, + `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe + methods of deserializing YAML. An attacker with control over the YAML input could + create special YAML input that allows the attacker to run arbitrary Python code. + This would allow the attacker to steal files, download and install malware, or + otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead. + fix-regex: + regex: unsafe_load + replacement: safe_load + count: 1 + severity: ERROR + patterns: + - pattern-inside: | + import yaml + ... + - pattern-not-inside: | + $YAML = ruamel.yaml.YAML(...) + ... + - pattern-either: + - pattern: yaml.unsafe_load(...) + - pattern: yaml.load(..., Loader=yaml.Loader, ...) + - pattern: yaml.load(..., Loader=yaml.UnsafeLoader, ...) + - pattern: yaml.load(..., Loader=yaml.CLoader, ...) + - pattern: yaml.load_all(..., Loader=yaml.Loader, ...) + - pattern: yaml.load_all(..., Loader=yaml.UnsafeLoader, ...) + - pattern: yaml.load_all(..., Loader=yaml.CLoader, ...) +- id: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ + category: security + technology: + - ruamel.yaml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel + shortlink: https://sg.run/x1rz + semgrep.dev: + rule: + rule_id: nJUzqK + version_id: BjTE4W + url: https://semgrep.dev/playground/r/BjTE4W/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel + origin: community + languages: + - python + message: Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create + arbitrary Python objects. A malicious actor could exploit this to run arbitrary + code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead. + severity: ERROR + pattern-either: + - pattern: ruamel.yaml.YAML(..., typ='unsafe', ...) + - pattern: ruamel.yaml.YAML(..., typ='base', ...) +- id: python.lang.security.deserialization.pickle.avoid-pickle + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle + shortlink: https://sg.run/OPwB + semgrep.dev: + rule: + rule_id: EwU2BJ + version_id: DkTQB6 + url: https://semgrep.dev/playground/r/DkTQB6/python.lang.security.deserialization.pickle.avoid-pickle + origin: community + languages: + - python + message: Avoid using `pickle`, which is known to lead to code execution vulnerabilities. + When unpickling, the serialized data could be manipulated to run arbitrary code. + Instead, consider serializing the relevant data as JSON or a similar text-based + serialization format. + severity: WARNING + patterns: + - pattern-either: + - pattern: pickle.$FUNC(...) + - pattern: _pickle.$FUNC(...) + - pattern-not: pickle.$FUNC("...") + - pattern-not: _pickle.$FUNC("...") +- id: python.lang.security.deserialization.pickle.avoid-cPickle + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle + shortlink: https://sg.run/eLxb + semgrep.dev: + rule: + rule_id: 7KUQNL + version_id: WrTbeO + url: https://semgrep.dev/playground/r/WrTbeO/python.lang.security.deserialization.pickle.avoid-cPickle + origin: community + languages: + - python + message: Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. + When unpickling, the serialized data could be manipulated to run arbitrary code. + Instead, consider serializing the relevant data as JSON or a similar text-based + serialization format. + severity: WARNING + patterns: + - pattern: cPickle.$FUNC(...) + - pattern-not: cPickle.$FUNC("...") +- id: python.lang.security.deserialization.pickle.avoid-dill + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill + shortlink: https://sg.run/vzjA + semgrep.dev: + rule: + rule_id: L1Uy60 + version_id: 0bTv07 + url: https://semgrep.dev/playground/r/0bTv07/python.lang.security.deserialization.pickle.avoid-dill + origin: community + languages: + - python + message: Avoid using `dill`, which uses `pickle`, which is known to lead to code + execution vulnerabilities. When unpickling, the serialized data could be manipulated + to run arbitrary code. Instead, consider serializing the relevant data as JSON + or a similar text-based serialization format. + severity: WARNING + patterns: + - pattern: dill.$FUNC(...) + - pattern-not: dill.$FUNC("...") +- id: python.lang.security.deserialization.pickle.avoid-shelve + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve + shortlink: https://sg.run/dKkZ + semgrep.dev: + rule: + rule_id: 8GUje2 + version_id: K3TlAb + url: https://semgrep.dev/playground/r/K3TlAb/python.lang.security.deserialization.pickle.avoid-shelve + origin: community + languages: + - python + message: Avoid using `shelve`, which uses `pickle`, which is known to lead to code + execution vulnerabilities. When unpickling, the serialized data could be manipulated + to run arbitrary code. Instead, consider serializing the relevant data as JSON + or a similar text-based serialization format. + severity: WARNING + pattern: shelve.$FUNC(...) +- id: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor + message: Detected XOR cipher algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor + shortlink: https://sg.run/L0yr + semgrep.dev: + rule: + rule_id: PeUk5W + version_id: K3TlA8 + url: https://semgrep.dev/playground/r/K3TlA8/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Cryptodome.Cipher.XOR.new(...) + - pattern: Crypto.Cipher.XOR.new(...) +- id: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1 + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Use SHA256 or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1 + shortlink: https://sg.run/3ALr + semgrep.dev: + rule: + rule_id: ReUPO3 + version_id: 6xTe4A + url: https://semgrep.dev/playground/r/6xTe4A/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Crypto.Hash.SHA.new(...) + - pattern: Cryptodome.Hash.SHA.new (...) +- id: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size + patterns: + - pattern-either: + - pattern: Crypto.PublicKey.DSA.generate(..., bits=$SIZE, ...) + - pattern: Crypto.PublicKey.DSA.generate($SIZE, ...) + - pattern: Cryptodome.PublicKey.DSA.generate(..., bits=$SIZE, ...) + - pattern: Cryptodome.PublicKey.DSA.generate($SIZE, ...) + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 2048 + message: Detected an insufficient key size for DSA. NIST recommends a key size of + 2048 or higher. + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size + shortlink: https://sg.run/4y8l + semgrep.dev: + rule: + rule_id: AbUWje + version_id: o5TnGP + url: https://semgrep.dev/playground/r/o5TnGP/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size + origin: community + languages: + - python + severity: WARNING +- id: python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size + patterns: + - pattern-either: + - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...) + - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...) + - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...) + - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...) + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 2048 + message: Detected an insufficient key size for RSA. NIST recommends a key size of + 2048 or higher. + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size + shortlink: https://sg.run/PprY + semgrep.dev: + rule: + rule_id: BYUBWe + version_id: zyT566 + url: https://semgrep.dev/playground/r/zyT566/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size + origin: community + languages: + - python + severity: WARNING +- id: python.requests.security.disabled-cert-validation.disabled-cert-validation + message: Certificate verification has been explicitly disabled. This permits insecure + connections to insecure servers. Re-enable certification validation. + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + references: + - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib + category: security + technology: + - requests + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation + shortlink: https://sg.run/AlYp + semgrep.dev: + rule: + rule_id: qNUoYR + version_id: ExTnyB + url: https://semgrep.dev/playground/r/ExTnyB/python.requests.security.disabled-cert-validation.disabled-cert-validation + origin: community + languages: + - python + severity: ERROR + pattern-either: + - pattern: requests.put(..., verify=False, ...) + - pattern: requests.patch(..., verify=False, ...) + - pattern: requests.delete(..., verify=False, ...) + - pattern: requests.head(..., verify=False, ...) + - pattern: requests.options(..., verify=False, ...) + - pattern: requests.request(..., verify=False, ...) + - pattern: requests.get(..., verify=False, ...) + - pattern: requests.post(..., verify=False, ...) + fix-regex: + regex: verify(\s)*=(\s)*False + replacement: verify=True +- id: python.requests.security.no-auth-over-http.no-auth-over-http + fix-regex: + regex: http:\/\/ + replacement: https:// + count: 1 + message: Authentication detected over HTTP. HTTP does not provide any encryption + or protection for these authentication credentials. This may expose these credentials + to unauthorized parties. Use 'https://' instead. + metadata: + cwe: + - 'CWE-523: Unprotected Transport of Credentials' + owasp: + - A02:2017 - Broken Authentication + - A02:2021 - Cryptographic Failures + source-rule-url: https://pypi.org/project/flake8-flask/ + references: + - https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/ + - https://bento.dev/checks/requests/no-auth-over-http/ + category: security + technology: + - requests + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http + shortlink: https://sg.run/B4NW + semgrep.dev: + rule: + rule_id: lBUdQZ + version_id: 7ZTO6z + url: https://semgrep.dev/playground/r/7ZTO6z/python.requests.security.no-auth-over-http.no-auth-over-http + origin: community + languages: + - python + severity: ERROR + pattern-either: + - pattern: requests.$W("=~/http:\/\/.*/", ..., auth=$X, ...) + - pattern: | + $URL = "=~/http:\/\/.../" + ... + requests.$W($URL, ..., auth=$X, ...) +- id: python.sh.security.string-concat.string-concat + languages: + - python + severity: ERROR + message: Detected string concatenation or formatting in a call to a command via + 'sh'. This could be a command injection vulnerability if the data is user-controlled. + Instead, use a list and append the argument. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + category: security + technology: + - sh + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.sh.security.string-concat.string-concat + shortlink: https://sg.run/Wg34 + semgrep.dev: + rule: + rule_id: JDUP1G + version_id: LjT0dq + url: https://semgrep.dev/playground/r/LjT0dq/python.sh.security.string-concat.string-concat + origin: community + pattern-either: + - pattern: sh.$BIN($X + $Y) + - pattern: sh.$BIN($X.format(...)) + - pattern: sh.$BIN(f"...{...}...") +- id: python.sqlalchemy.performance.performance-improvements.len-all-count + pattern: len($X.all()) + message: Using QUERY.count() instead of len(QUERY.all()) sends less data to the + client since the SQLAlchemy method is performed server-side. + languages: + - python + severity: WARNING + metadata: + category: performance + technology: + - sqlalchemy + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count + shortlink: https://sg.run/4y8g + semgrep.dev: + rule: + rule_id: ReUPOw + version_id: PkTjgO + url: https://semgrep.dev/playground/r/PkTjgO/python.sqlalchemy.performance.performance-improvements.len-all-count + origin: community +- id: python.sqlalchemy.performance.performance-improvements.batch-import + pattern: | + for $X in $Y: + db.session.add($Z) + message: Rather than adding one element at a time, consider batch loading to improve + performance. + languages: + - python + severity: WARNING + metadata: + category: performance + technology: + - sqlalchemy + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import + shortlink: https://sg.run/PprN + semgrep.dev: + rule: + rule_id: AbUWjy + version_id: JdTodZ + url: https://semgrep.dev/playground/r/JdTodZ/python.sqlalchemy.performance.performance-improvements.batch-import + origin: community +- id: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection + patterns: + - pattern-either: + - pattern: | + def $FUNC(...,$VAR,...): + ... + $SESSION.query(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...)) + - pattern: | + def $FUNC(...,$VAR,...): + ... + $SESSION.query.join(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...)) + - pattern: | + def $FUNC(...,$VAR,...): + ... + $SESSION.query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...)) + - pattern: | + def $FUNC(...,$VAR,...): + ... + query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...)) + - metavariable-regex: + metavariable: $SQLFUNC + regex: (group_by|order_by|distinct|having|filter) + - metavariable-regex: + metavariable: $FORMATFUNC + regex: (?!bindparams) + message: Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause + sql injections if the developer inputs raw SQL into the before-mentioned clauses. + This pattern captures relevant cases in which the developer inputs raw SQL into + the distinct, having, group_by, order_by or filter clauses and injects user-input + into the raw SQL with any function besides "bindparams". Use bindParams to securely + bind user-input to SQL statements. + fix-regex: + regex: format + replacement: bindparams + languages: + - python + severity: WARNING + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - sqlalchemy + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection + shortlink: https://sg.run/J3Xo + semgrep.dev: + rule: + rule_id: BYUBWo + version_id: QkTJ3z + url: https://semgrep.dev/playground/r/QkTJ3z/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection + origin: community +- id: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials + languages: + - ruby + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + references: + - https://cwe.mitre.org/data/definitions/522.html + category: security + technology: + - jwt + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials + shortlink: https://sg.run/58Y6 + semgrep.dev: + rule: + rule_id: DbUWdB + version_id: BjTEjp + url: https://semgrep.dev/playground/r/BjTEjp/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials + origin: community + message: Password is exposed through JWT token payload. This is not encrypted and + the password could be compromised. Do not store passwords in JWT tokens. + patterns: + - pattern-inside: | + require 'jwt' + ... + - pattern: | + $PAYLOAD = {...,password:...,...} + ... + JWT.encode($PAYLOAD,...) + severity: ERROR +- id: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret + message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently + Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html + Consider using an appropriate security mechanism to protect the credentials (e.g. + keeping secrets in environment variables)' + metadata: + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret + shortlink: https://sg.run/GW2B + semgrep.dev: + rule: + rule_id: WAUZz5 + version_id: DkTQoR + url: https://semgrep.dev/playground/r/DkTQoR/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret + origin: community + patterns: + - pattern-inside: | + require 'jwt' + ... + - pattern-either: + - pattern: | + JWT.encode($PAYLOAD,"...",...) + - pattern: | + JWT.decode($PAYLOAD,"...",...) + - pattern: | + JWT.encode($PAYLOAD,nil,...) + - pattern: | + JWT.decode($PAYLOAD,nil,...) + - pattern: | + $SECRET = "..." + ... + JWT.encode($PAYLOAD,$SECRET,...) + - pattern: | + $SECRET = "..." + ... + JWT.decode($PAYLOAD,$SECRET,...) + languages: + - ruby + severity: ERROR +- id: ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg + shortlink: https://sg.run/R8kE + semgrep.dev: + rule: + rule_id: 0oUExR + version_id: WrTb58 + url: https://semgrep.dev/playground/r/WrTb58/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg + origin: community + languages: + - ruby + severity: ERROR + patterns: + - pattern-inside: | + require 'jwt' + ... + - pattern: | + JWT.encode($PAYLOAD, $SECRET, 'none', ...) +- id: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify + message: Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. This + means a malicious actor could forge a JWT token with any claims. + metadata: + cwe: + - 'CWE-345: Insufficient Verification of Data Authenticity' + owasp: + - A08:2021 - Software and Data Integrity Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify + shortlink: https://sg.run/AlYg + semgrep.dev: + rule: + rule_id: KxU426 + version_id: RGTbWA + url: https://semgrep.dev/playground/r/RGTbWA/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify + origin: community + languages: + - ruby + severity: WARNING + patterns: + - pattern-inside: | + require 'jwt' + ... + - pattern: JWT.decode($PAYLOAD,$SECRET,false,...) +- id: ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data + message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that + sensitive information is not exposed through JWT token payload. + severity: WARNING + metadata: + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + category: security + technology: + - jwt + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data + shortlink: https://sg.run/B4Nb + semgrep.dev: + rule: + rule_id: qNUoYd + version_id: A8TRP5 + url: https://semgrep.dev/playground/r/A8TRP5/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data + origin: community + languages: + - ruby + patterns: + - pattern-inside: | + require 'jwt' + ... + - pattern-inside: | + def $FUNC(...,$INPUT,...) + ... + end + - pattern: | + JWT.encode($INPUT,...) +- id: ruby.lang.security.bad-deserialization.bad-deserialization + mode: taint + pattern-sources: + - pattern-either: + - pattern: params + - pattern: cookies + pattern-sinks: + - pattern-either: + - pattern: | + CSV.load(...) + - pattern: | + Marshal.load(...) + - pattern: | + Marshal.restore(...) + - pattern: | + Oj.object_load(...) + - pattern: | + Oj.load($X) + message: Checks for unsafe deserialization. Objects in Ruby can be serialized into + strings, then later loaded from strings. However, uses of load and object_load + can cause remote code execution. Loading user input with MARSHAL or CSV can potentially + be dangerous. Use JSON in a secure fashion instead. + metadata: + references: + - https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb + category: security + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + technology: + - ruby + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/ruby.lang.security.bad-deserialization.bad-deserialization + shortlink: https://sg.run/DJj2 + semgrep.dev: + rule: + rule_id: lBUdQg + version_id: qkTNgJ + url: https://semgrep.dev/playground/r/qkTNgJ/ruby.lang.security.bad-deserialization.bad-deserialization + origin: community + languages: + - ruby + severity: ERROR +- id: ruby.lang.security.cookie-serialization.cookie-serialization + message: Checks if code allows cookies to be deserialized using Marshal. If the + attacker can craft a valid cookie, this could lead to remote code execution. The + hybrid check is just to warn users to migrate to :json for best practice. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb + - https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ + category: security + technology: + - ruby + owasp: + - A03:2021 - Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization + shortlink: https://sg.run/Wg3y + semgrep.dev: + rule: + rule_id: YGUrq5 + version_id: l4T5q2 + url: https://semgrep.dev/playground/r/l4T5q2/ruby.lang.security.cookie-serialization.cookie-serialization + origin: community + languages: + - ruby + severity: ERROR + pattern-either: + - pattern: | + Rails.application.config.action_dispatch.cookies_serializer = :marshal + - pattern: | + Rails.application.config.action_dispatch.cookies_serializer = :hybrid +- id: ruby.lang.security.create-with.create-with + patterns: + - pattern-not: | + $FUNC.create_with($PARAMSB.permit(...)) + - pattern: | + $FUNC.create_with($PARAMSA) + message: Checks for strong parameter bypass through usage of create_with. Create_with + bypasses strong parameter protection, which could allow attackers to set arbitrary + attributes on models. To fix this vulnerability, either remove all create_with + calls or use the permit function to specify tags that are allowed to be set. + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb + - https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ + category: security + technology: + - ruby + owasp: + - A08:2021 - Software and Data Integrity Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.create-with.create-with + shortlink: https://sg.run/0nLk + semgrep.dev: + rule: + rule_id: 6JUqbn + version_id: YDToG8 + url: https://semgrep.dev/playground/r/YDToG8/ruby.lang.security.create-with.create-with + origin: community + languages: + - ruby + severity: ERROR +- id: ruby.lang.security.divide-by-zero.divide-by-zero + message: Detected a possible ZeroDivisionError. + metadata: + cwe: + - 'CWE-369: Divide By Zero' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb + category: security + technology: + - ruby + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero + shortlink: https://sg.run/KWpP + semgrep.dev: + rule: + rule_id: oqUzXA + version_id: X0TPe0 + url: https://semgrep.dev/playground/r/X0TPe0/ruby.lang.security.divide-by-zero.divide-by-zero + origin: community + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: $VAR + - metavariable-regex: + metavariable: $VAR + regex: ^\d*(?!\.)$ + pattern-sinks: + - patterns: + - pattern-inside: $NUMER / 0 + - pattern: $NUMER +- id: ruby.lang.security.file-disclosure.file-disclosure + message: Special requests can determine whether a file exists on a filesystem that's + outside the Rails app's root directory. To fix this, set config.serve_static_assets + = false. + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb + - https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ + category: security + technology: + - ruby + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure + shortlink: https://sg.run/qrR1 + semgrep.dev: + rule: + rule_id: zdUyqE + version_id: jQTKe4 + url: https://semgrep.dev/playground/r/jQTKe4/ruby.lang.security.file-disclosure.file-disclosure + origin: community + languages: + - ruby + severity: ERROR + pattern: config.serve_static_assets = true + fix-regex: + regex: =(\s)*true + replacement: = false +- id: ruby.lang.security.force-ssl-false.force-ssl-false + message: Checks for configuration setting of force_ssl to false. Force_ssl forces + usage of HTTPS, which could lead to network interception of unencrypted application + traffic. To fix, set config.force_ssl = true. + metadata: + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb + category: security + technology: + - ruby + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false + shortlink: https://sg.run/YgkW + semgrep.dev: + rule: + rule_id: 2ZU4lx + version_id: 9lTzN2 + url: https://semgrep.dev/playground/r/9lTzN2/ruby.lang.security.force-ssl-false.force-ssl-false + origin: community + languages: + - ruby + severity: WARNING + pattern: config.force_ssl = false + fix-regex: + regex: =\s*false + replacement: = true +- id: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + patterns: + - pattern-inside: | + class $CONTROLLER < ApplicationController + ... + http_basic_authenticate_with ..., :password => "$SECRET", ... + end + - focus-metavariable: $SECRET + message: Detected hardcoded password used in basic authentication in a controller + class. Including this password in version control could expose this credential. + Consider refactoring to use environment variables or configuration files. + severity: WARNING + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown + category: security + technology: + - ruby + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + shortlink: https://sg.run/6r0w + semgrep.dev: + rule: + rule_id: X5UZWK + version_id: yeTXbl + url: https://semgrep.dev/playground/r/yeTXbl/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + origin: community + languages: + - ruby +- id: ruby.lang.security.jruby-xml.jruby-xml + patterns: + - pattern: a() + - pattern: b() + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_jruby_xml.rb + category: security + technology: + - ruby + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/ruby.lang.security.jruby-xml.jruby-xml + shortlink: https://sg.run/ok07 + semgrep.dev: + rule: + rule_id: j2Uqk5 + version_id: NdT1Ww + url: https://semgrep.dev/playground/r/NdT1Ww/ruby.lang.security.jruby-xml.jruby-xml + origin: community + languages: + - ruby + severity: WARNING +- id: ruby.lang.security.json-encoding.json-encoding + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_encoding.rb + - https://groups.google.com/g/rubyonrails-security/c/7VlB_pck3hU/m/3QZrGIaQW6cJ + category: security + technology: + - ruby + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.lang.security.json-encoding.json-encoding + shortlink: https://sg.run/zkYz + semgrep.dev: + rule: + rule_id: 10UZ8v + version_id: kbT7vl + url: https://semgrep.dev/playground/r/kbT7vl/ruby.lang.security.json-encoding.json-encoding + origin: community + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.lang.security.json-entity-escape.json-entity-escape + pattern-either: + - pattern: | + ActiveSupport.escape_html_entities_in_json = false + - pattern: | + config.active_support.escape_html_entities_in_json = false + message: Checks if HTML escaping is globally disabled for JSON output. This could + lead to XSS. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_entity_escape.rb + category: security + technology: + - ruby + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.lang.security.json-entity-escape.json-entity-escape + shortlink: https://sg.run/plr3 + semgrep.dev: + rule: + rule_id: 9AUOQB + version_id: w8T3gb + url: https://semgrep.dev/playground/r/w8T3gb/ruby.lang.security.json-entity-escape.json-entity-escape + origin: community + languages: + - ruby + severity: WARNING +- id: ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled + pattern: $MODEL.new(params[...], ..., :without_protection => true, ...) + message: Mass assignment protection disabled for '$MODEL'. This could permit assignment + to sensitive model fields without intention. Instead, use 'attr_accessible' for + the model or disable mass assigment using 'config.active_record.whitelist_attributes + = true'. ':without_protection => true' must be removed for this to take effect. + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + owasp: + - A08:2021 - Software and Data Integrity Failures + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/mass_assignment/index.markdown + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled + shortlink: https://sg.run/2byz + semgrep.dev: + rule: + rule_id: yyUvkJ + version_id: xyT4bz + url: https://semgrep.dev/playground/r/xyT4bz/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled + origin: community + severity: WARNING + languages: + - ruby +- id: ruby.lang.security.missing-csrf-protection.missing-csrf-protection + patterns: + - pattern: | + class $CONTROLLER < ActionController::Base + ... + end + - pattern-not: | + class $CONTROLLER < ActionController::Base + ... + protect_from_forgery :with => :exception + end + - pattern-not: | + class $CONTROLLER < ActionController::Base + ... + protect_from_forgery prepend: true, with: :exception + end + message: Detected controller which does not enable cross-site request forgery protections + using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to + your controller class. + severity: ERROR + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection + shortlink: https://sg.run/XLel + semgrep.dev: + rule: + rule_id: r6UkO5 + version_id: e1TxPn + url: https://semgrep.dev/playground/r/e1TxPn/ruby.lang.security.missing-csrf-protection.missing-csrf-protection + origin: community + languages: + - ruby +- id: ruby.lang.security.model-attr-accessible.model-attr-accessible + message: 'Checks for dangerous permitted attributes that can lead to mass assignment + vulnerabilities. Query parameters allowed using permit and attr_accessible are + checked for allowance of dangerous attributes admin, banned, role, and account_id. + Also checks for usages of params.permit!, which allows everything. Fix: don''t + allow admin, banned, role, and account_id using permit or attr_accessible.' + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb + category: security + technology: + - ruby + owasp: + - A08:2021 - Software and Data Integrity Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible + shortlink: https://sg.run/jNrZ + semgrep.dev: + rule: + rule_id: bwUOAG + version_id: vdT2bq + url: https://semgrep.dev/playground/r/vdT2bq/ruby.lang.security.model-attr-accessible.model-attr-accessible + origin: community + languages: + - ruby + severity: ERROR + pattern-either: + - pattern: | + ....permit(..., :admin, ...) + - pattern: | + ....permit(..., :role, ...) + - pattern: | + ....permit(..., :banned, ...) + - pattern: | + ....permit(..., :account_id, ...) + - pattern: | + attr_accessible ..., :admin, ... + - pattern: | + attr_accessible ..., :role, ... + - pattern: | + attr_accessible ..., :banned, ... + - pattern: | + attr_accessible ..., :account_id, ... + - pattern: | + params.permit! +- id: ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible + patterns: + - pattern-not: | + class $CLASS < $TYPE + ... + attr_accessible :$XXX + ... + end + ... + $CLASS.$FUNC(...) + - pattern: | + class $CLASS < $TYPE + ... + end + ... + $CLASS.$FUNC(...) + - metavariable-pattern: + metavariable: $TYPE + patterns: + - pattern-not-regex: (?i)(Error|Exception) + - focus-metavariable: $CLASS + message: Checks for models that do not use attr_accessible. This means there is + no limiting of which variables can be manipulated through mass assignment. For + newer Rails applications, parameters should be allowlisted using strong parameters. + For older Rails versions, they should be allowlisted using strong_attributes. + metadata: + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb + category: security + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + technology: + - rails + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible + shortlink: https://sg.run/1nrb + semgrep.dev: + rule: + rule_id: NbUADO + version_id: d6TDNB + url: https://semgrep.dev/playground/r/d6TDNB/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible + origin: community + languages: + - ruby + severity: ERROR +- id: ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb + - https://groups.google.com/g/rubyonrails-security/c/AFBKNY7VSH8/discussion + category: security + technology: + - ruby + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected + shortlink: https://sg.run/9qZk + semgrep.dev: + rule: + rule_id: kxURK4 + version_id: ZRTwRw + url: https://semgrep.dev/playground/r/ZRTwRw/ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected + origin: community + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://groups.google.com/g/rubyonrails-security/c/cawsWcQ6c8g/m/tegZtYdbFQAJ + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes_bypass.rb + category: security + technology: + - ruby + owasp: + - A08:2021 - Software and Data Integrity Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass + shortlink: https://sg.run/yzy8 + semgrep.dev: + rule: + rule_id: wdU891 + version_id: nWT7De + url: https://semgrep.dev/playground/r/nWT7De/ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass + origin: community + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.lang.security.nested-attributes.nested-attributes + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-20: Improper Input Validation' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes.rb + - https://groups.google.com/g/rubyonrails-security/c/-fkT0yja_gw/discussion + category: security + technology: + - ruby + owasp: + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/ruby.lang.security.nested-attributes.nested-attributes + shortlink: https://sg.run/rA66 + semgrep.dev: + rule: + rule_id: x8UWKK + version_id: ExTn5B + url: https://semgrep.dev/playground/r/ExTn5B/ruby.lang.security.nested-attributes.nested-attributes + origin: community + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.lang.security.no-eval.ruby-eval + message: Use of eval with user-controllable input detected. This can lead to attackers + running arbitrary code. Ensure external data does not reach here, otherwise this + is a security vulnerability. Consider other ways to do this without eval. + severity: WARNING + metadata: + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + category: security + cwe2022-top25: true + cwe2021-top25: true + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_evaluation.rb + subcategory: + - vuln + technology: + - ruby + - rails + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval + shortlink: https://sg.run/bDwZ + semgrep.dev: + rule: + rule_id: OrUGNk + version_id: 7ZTOqz + url: https://semgrep.dev/playground/r/7ZTOqz/ruby.lang.security.no-eval.ruby-eval + origin: community + languages: + - ruby + mode: taint + pattern-sources: + - pattern-either: + - pattern: params + - pattern: cookies + - patterns: + - pattern: | + RubyVM::InstructionSequence.compile(...) + - pattern-not: | + RubyVM::InstructionSequence.compile("...") + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $X.eval + - pattern: $X.class_eval + - pattern: $X.instance_eval + - pattern: $X.module_eval + - pattern: $X.eval(...) + - pattern: $X.class_eval(...) + - pattern: $X.instance_eval(...) + - pattern: $X.module_eval(...) + - pattern: eval(...) + - pattern: class_eval(...) + - pattern: module_eval(...) + - pattern: instance_eval(...) + - pattern-not: $M("...",...) +- id: ruby.lang.security.no-send.bad-send + message: Checks for unsafe use of Object#send, try, __send__, and public_send. These + only account for unsafe use of a method, not target. This can lead to arbitrary + calling of exit, along with arbitrary code execution. Please be sure to sanitize + input in order to avoid this. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb + - https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html + category: security + technology: + - ruby + owasp: + - A03:2021 - Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.no-send.bad-send + shortlink: https://sg.run/Nrbx + semgrep.dev: + rule: + rule_id: eqUv0L + version_id: LjT0Dq + url: https://semgrep.dev/playground/r/LjT0Dq/ruby.lang.security.no-send.bad-send + origin: community + languages: + - ruby + severity: ERROR + pattern-either: + - pattern: | + $PARAM = params[...] + ... + $RES = $MOD.send($PARAM.$FUNC) + - pattern: | + $PARAM = params[...] + ... + $RES = $MOD.try($PARAM.$FUNC) + - pattern: | + $PARAM = params[...] + ... + $RES = $MOD.__send__($PARAM.$FUNC) + - pattern: |- + $PARAM = params[...] + ... + $RES = $MOD.public_send($PARAM.$FUNC) +- id: ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify + pattern: OpenSSL::SSL::VERIFY_NONE + message: Detected SSL that will accept an unverified connection. This makes the + connections susceptible to man-in-the-middle attacks. Use 'OpenSSL::SSL::VERIFY_PEER' + instead. + fix-regex: + regex: VERIFY_NONE + replacement: VERIFY_PEER + severity: WARNING + languages: + - ruby + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + category: security + technology: + - ruby + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify + shortlink: https://sg.run/kLxX + semgrep.dev: + rule: + rule_id: v8U5Yn + version_id: 8KTbO4 + url: https://semgrep.dev/playground/r/8KTbO4/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify + origin: community +- id: ruby.lang.security.timing-attack.timing-attack + message: This rule is deprecated. + metadata: + cwe: + - 'CWE-208: Observable Timing Discrepancy' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_basic_auth_timing_attack.rb + - https://groups.google.com/g/rubyonrails-security/c/ANv0HDHEC3k/m/mt7wNGxbFQAJ + category: security + technology: + - ruby + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.lang.security.timing-attack.timing-attack + shortlink: https://sg.run/wxdx + semgrep.dev: + rule: + rule_id: d8Uzrz + version_id: gETqGA + url: https://semgrep.dev/playground/r/gETqGA/ruby.lang.security.timing-attack.timing-attack + origin: community + languages: + - ruby + severity: ERROR + patterns: + - pattern: a() + - pattern: b() +- id: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln + patterns: + - pattern-either: + - pattern: | + $MOD.new(params[$CODE]) + - pattern: | + $MOD.new(..., params[$CODE], :without_protection => true, ...) + - pattern-not-inside: | + attr_accessible $VAR + ... + $MOD.new(params[$CODE]) + message: 'Checks for calls to without_protection during mass assignment (which allows + record creation from hash values). This can lead to users bypassing permissions + protections. For Rails 4 and higher, mass protection is on by default. Fix: Don''t + use :without_protection => true. Instead, configure attr_accessible to control + attribute access.' + metadata: + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb + - https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/ + category: security + technology: + - ruby + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln + shortlink: https://sg.run/xY8e + semgrep.dev: + rule: + rule_id: ZqUqQg + version_id: QkTJlz + url: https://semgrep.dev/playground/r/QkTJlz/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln + origin: community + languages: + - ruby + severity: WARNING +- id: ruby.lang.security.weak-hashes-md5.weak-hashes-md5 + message: Should not use md5 to generate hashes. md5 is proven to be vulnerable through + the use of brute-force attacks. Could also result in collisions, leading to potential + collision attacks. Use SHA256 or other hashing functions instead. + metadata: + cwe: + - 'CWE-328: Use of Weak Hash' + references: + - https://www.ibm.com/support/pages/security-bulletin-vulnerability-md5-signature-and-hash-algorithm-affects-sterling-integrator-and-sterling-file-gateway-cve-2015-7575 + category: security + technology: + - ruby + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/ruby.lang.security.weak-hashes-md5.weak-hashes-md5 + shortlink: https://sg.run/O1re + semgrep.dev: + rule: + rule_id: nJUYxZ + version_id: 3ZTdDB + url: https://semgrep.dev/playground/r/3ZTdDB/ruby.lang.security.weak-hashes-md5.weak-hashes-md5 + origin: community + languages: + - ruby + severity: WARNING + pattern-either: + - pattern: Digest::MD5.base64digest $X + - pattern: Digest::MD5.hexdigest $X + - pattern: Digest::MD5.digest $X + - pattern: Digest::MD5.new + - pattern: OpenSSL::Digest::MD5.base64digest $X + - pattern: OpenSSL::Digest::MD5.hexdigest $X + - pattern: OpenSSL::Digest::MD5.digest $X + - pattern: OpenSSL::Digest::MD5.new +- id: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1 + message: Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision + by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing + functions instead. + metadata: + cwe: + - 'CWE-328: Use of Weak Hash' + references: + - https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html + - https://shattered.io/ + category: security + technology: + - ruby + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1 + shortlink: https://sg.run/e4qX + semgrep.dev: + rule: + rule_id: EwU4jq + version_id: 44ToW2 + url: https://semgrep.dev/playground/r/44ToW2/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1 + origin: community + languages: + - ruby + severity: WARNING + pattern-either: + - pattern: Digest::SHA1.$FUNC + - pattern: OpenSSL::Digest::SHA1.$FUNC + - pattern: OpenSSL::HMAC.$FUNC("sha1",...) +- id: ruby.lang.security.yaml-parsing.yaml-parsing + message: This rule is deprecated. + severity: WARNING + languages: + - ruby + patterns: + - pattern: a() + - pattern: b() + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - ruby + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.yaml-parsing.yaml-parsing + shortlink: https://sg.run/v08X + semgrep.dev: + rule: + rule_id: 7KUegx + version_id: jQTZJ8 + url: https://semgrep.dev/playground/r/jQTZJ8/ruby.lang.security.yaml-parsing.yaml-parsing + origin: community +- id: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_content_tag.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown + - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag + shortlink: https://sg.run/dg8P + semgrep.dev: + rule: + rule_id: L1U4qz + version_id: 0bTvRB + url: https://semgrep.dev/playground/r/0bTvRB/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag + origin: community + message: '''content_tag()'' bypasses HTML escaping for some portion of the content. + If external data can reach here, this exposes your application to cross-site scripting + (XSS) attacks. Ensure no external data reaches here. If you must do this, create + your HTML manually and use ''html_safe''. Ensure no external data enters the HTML-safe + string!' + languages: + - ruby + severity: WARNING + pattern: content_tag(...) +- id: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown + - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe + shortlink: https://sg.run/Zeq7 + semgrep.dev: + rule: + rule_id: 8GUEQK + version_id: qkTNzD + url: https://semgrep.dev/playground/r/qkTNzD/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe + origin: community + message: '''html_safe()'' does not make the supplied string safe. ''html_safe()'' + bypasses HTML escaping. If external data can reach here, this exposes your application + to cross-site scripting (XSS) attacks. Ensure no external data reaches here.' + languages: + - ruby + severity: WARNING + pattern-either: + - pattern: $STR.html_safe + - pattern: $STR.html_safe.$MORE +- id: ruby.rails.security.audit.xss.avoid-raw.avoid-raw + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw + - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw + shortlink: https://sg.run/nqJG + semgrep.dev: + rule: + rule_id: gxUW3x + version_id: YDToj9 + url: https://semgrep.dev/playground/r/YDToj9/ruby.rails.security.audit.xss.avoid-raw.avoid-raw + origin: community + message: '''raw()'' bypasses HTML escaping. If external data can reach here, this + exposes your application to cross-site scripting (XSS) attacks. If you must do + this, construct individual strings and mark them as safe for HTML rendering with + `html_safe()`.' + languages: + - ruby + severity: WARNING + pattern: raw(...) +- id: ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_inline.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline + shortlink: https://sg.run/E5w8 + semgrep.dev: + rule: + rule_id: QrU6Ww + version_id: zyT5v2 + url: https://semgrep.dev/playground/r/zyT5v2/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline + origin: community + message: '''render inline: ...'' renders an entire ERB template inline and is dangerous. + If external data can reach here, this exposes your application to server-side + template injection (SSTI) or cross-site scripting (XSS) attacks. Instead, consider + using a partial or another safe rendering method.' + languages: + - ruby + severity: WARNING + pattern: 'render inline: ...' +- id: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_inline.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text + shortlink: https://sg.run/70Kv + semgrep.dev: + rule: + rule_id: 3qUBk4 + version_id: pZTrvY + url: https://semgrep.dev/playground/r/pZTrvY/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text + origin: community + message: '''render text: ...'' actually sets the content-type to ''text/html''. + If external data can reach here, this exposes your application to cross-site scripting + (XSS) attacks. Instead, use ''render plain: ...'' to render non-HTML text.' + languages: + - ruby + severity: WARNING + pattern: 'render text: ...' + fix-regex: + regex: 'text:' + replacement: 'plain:' +- id: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_template_injection.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation + shortlink: https://sg.run/L01L + semgrep.dev: + rule: + rule_id: 4bUzR9 + version_id: 2KT1Bq + url: https://semgrep.dev/playground/r/2KT1Bq/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation + origin: community + message: Detected manual creation of an ERB template. Manual creation of templates + may expose your application to server-side template injection (SSTI) or cross-site + scripting (XSS) attacks if user input is used to create the template. Instead, + create a '.erb' template file and use 'render'. + languages: + - ruby + severity: WARNING + pattern: ERB.new(...) +- id: ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe + message: The syntax `<%== ... %>` is an alias for `html_safe`. This means the content + inside these tags will be rendered as raw HTML. This may expose your application + to cross-site scripting. If you need raw HTML, prefer using the more explicit + `html_safe` and be sure to correctly sanitize variables using a library such as + DOMPurify. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027 + - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text=== + category: security + technology: + - rails + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe + shortlink: https://sg.run/8nGJ + semgrep.dev: + rule: + rule_id: PeUkJe + version_id: X0TPXb + url: https://semgrep.dev/playground/r/X0TPXb/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern: <%== ... %> + - pattern-not: <%== $...A.to_json %> +- id: ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag + message: '''content_tag'' exhibits unintuitive escaping behavior and may accidentally + expose your application to cross-site scripting. If using Rails 2, only attribute + values are escaped. If using Rails 3, content and attribute values are escaped. + Tag and attribute names are never escaped. Because of this, it is recommended + to use ''html_safe'' if you must render raw HTML data.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://brakemanscanner.org/docs/warning_types/content_tag/ + references: + - https://brakemanscanner.org/docs/warning_types/content_tag/ + category: security + technology: + - rails + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag + shortlink: https://sg.run/gJxo + semgrep.dev: + rule: + rule_id: JDUPNG + version_id: jQTKAE + url: https://semgrep.dev/playground/r/jQTKAE/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern-inside: <%= ... %> + - pattern: content_tag +- id: ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe + message: '''html_safe'' renders raw HTML. This means that normal HTML escaping is + bypassed. If user data can be controlled here, this exposes your application to + cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize + the data using a library such as DOMPurify.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb + references: + - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text=== + - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027 + category: security + technology: + - rails + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe + shortlink: https://sg.run/Q8rD + semgrep.dev: + rule: + rule_id: 5rU4dE + version_id: 1QTjAj + url: https://semgrep.dev/playground/r/1QTjAj/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern-inside: <%= ... %> + - pattern: $SOMETHING.html_safe +- id: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw + message: '''raw'' renders raw HTML, as the name implies. This means that normal + HTML escaping is bypassed. If user data can be controlled here, this exposes your + application to cross-site scripting (XSS). If you need to do this, be sure to + correctly sanitize the data using a library such as DOMPurify.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb + references: + - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text=== + - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027 + category: security + technology: + - rails + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw + shortlink: https://sg.run/3Aqg + semgrep.dev: + rule: + rule_id: GdU0vJ + version_id: 9lTzYK + url: https://semgrep.dev/playground/r/9lTzYK/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern-inside: <%= ... %> + - pattern: raw +- id: ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute + message: 'Detected a unquoted template variable as an attribute. If unquoted, a + malicious actor could inject custom JavaScript handlers. To fix this, add quotes + around the template expression, like this: "<%= expr %>".' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes + - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss + category: security + technology: + - rails + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute + shortlink: https://sg.run/PpeN + semgrep.dev: + rule: + rule_id: AbUW9y + version_id: rxTxJO + url: https://semgrep.dev/playground/r/rxTxJO/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern-inside: <$TAG ...> + - pattern-not-inside: ="..." + - pattern-not-inside: ="<%= ... %>" + - pattern-not-inside: ='...' + - pattern-not-inside: ='<%= ... %>' + - pattern: <%= ... %> + fix-regex: + regex: <%=(.*?)%> + replacement: '"<%=\1%>"' +- id: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href + message: 'Detected a template variable used in an anchor tag with the ''href'' attribute. + This allows a malicious actor to input the ''javascript:'' URI and is subject + to cross- site scripting (XSS) attacks. If using a relative URL, start with a + literal forward slash and concatenate the URL, like this: href=''/<%= link =>''. + You may also consider setting the Content Security Policy (CSP) header.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI + - https://github.com/pugjs/pug/issues/2952 + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href + shortlink: https://sg.run/J3Do + semgrep.dev: + rule: + rule_id: BYUBXo + version_id: bZTGgb + url: https://semgrep.dev/playground/r/bZTGgb/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + pattern-either: + - pattern: + - pattern: +- id: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag + message: Detected a template variable used in a script tag. Although template variables + are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) + attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` + or its alias, `j`. However, this will not protect from XSS in all circumstances; + see the references for more information. Consider placing this value in the HTML + portion (outside of a script tag). + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ + - https://www.youtube.com/watch?v=yYTkLUEdIyE + - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough + category: security + technology: + - rails + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag + shortlink: https://sg.run/58r6 + semgrep.dev: + rule: + rule_id: DbUW6B + version_id: NdT1pg + url: https://semgrep.dev/playground/r/NdT1pg/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag + origin: community + languages: + - generic + paths: + include: + - '*.erb' + severity: WARNING + patterns: + - pattern-inside: + - pattern-not: <%= j ... > + - pattern-not: <%= escape_javascript ... > + - pattern: <%= ... > +- id: terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume + languages: + - hcl + message: An EBS volume is configured without encryption enabled. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "aws_ebs_volume" "..." {... encrypted=true ...} + - pattern-inside: | + resource "aws_ebs_volume" "..." {...} + severity: WARNING + metadata: + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume + shortlink: https://sg.run/GWdB + semgrep.dev: + rule: + rule_id: WAUZW5 + version_id: NdT171 + url: https://semgrep.dev/playground/r/NdT171/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume + origin: community +- id: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push + patterns: + - pattern: resource + - pattern-not-inside: | + resource "aws_ecr_repository" "..." { + ... + image_scanning_configuration { + ... + scan_on_push=true + ... + } + ... + } + - pattern-inside: | + resource "aws_ecr_repository" "..." { + ... + } + languages: + - hcl + message: The ECR Repository isn't configured to scan images on push + severity: WARNING + metadata: + cwe: + - 'CWE-1104: Use of Unmaintained Third Party Components' + category: security + technology: + - terraform + - aws + owasp: + - A06:2021 - Vulnerable and Outdated Components + references: + - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push + shortlink: https://sg.run/R8eE + semgrep.dev: + rule: + rule_id: 0oUELR + version_id: w8T3OQ + url: https://semgrep.dev/playground/r/w8T3OQ/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push + origin: community +- id: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled + patterns: + - pattern: | + resource + - pattern-inside: | + resource "aws_eks_cluster" "..." {...} + - pattern-not-inside: | + resource "aws_eks_cluster" "..."{ + ... + vpc_config{ + ... + endpoint_public_access = false + ... + } + ... + } + languages: + - hcl + message: The vpc_config resource inside the eks cluster has not explicitly disabled + public endpoint access + severity: WARNING + metadata: + category: security + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled + shortlink: https://sg.run/Albg + semgrep.dev: + rule: + rule_id: KxU4v6 + version_id: O9TygN + url: https://semgrep.dev/playground/r/O9TygN/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled + origin: community +- id: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest + patterns: + - pattern: | + resource + - pattern-not-inside: | + resource "aws_elasticsearch_domain" "..."{ + ... + encrypt_at_rest{ + ... + enabled = true + ... + } + ... + } + - pattern-inside: | + resource "aws_elasticsearch_domain" "..." {...} + languages: + - hcl + message: Encryption at rest is not enabled for the elastic search domain resource + severity: WARNING + metadata: + category: security + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest + shortlink: https://sg.run/B4Yb + semgrep.dev: + rule: + rule_id: qNUo2d + version_id: e1TxNg + url: https://semgrep.dev/playground/r/e1TxNg/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest + origin: community +- id: terraform.lang.security.s3-cors-all-origins.all-origins-allowed + patterns: + - pattern-inside: cors_rule { ... } + - pattern: allowed_origins = ["*"] + languages: + - hcl + severity: WARNING + message: CORS rule on bucket permits any origin + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors + cwe: + - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' + category: security + technology: + - terraform + - aws + owasp: + - A05:2021 - Security Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed + shortlink: https://sg.run/DJb2 + semgrep.dev: + rule: + rule_id: lBUd4g + version_id: 3ZTd0r + url: https://semgrep.dev/playground/r/3ZTd0r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed + origin: community +- id: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket + patterns: + - pattern-either: + - pattern: acl = "public-read" + - pattern: acl = "authenticated-read" + - pattern-not-inside: | + resource "aws_s3_bucket" "..." { + ... + website { ... } + ... + } + languages: + - hcl + severity: WARNING + message: S3 bucket with public read access detected. + metadata: + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl + - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl + category: security + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket + shortlink: https://sg.run/WgAy + semgrep.dev: + rule: + rule_id: YGUrp5 + version_id: 44To0E + url: https://semgrep.dev/playground/r/44To0E/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket + origin: community +- id: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket + pattern: acl = "public-read-write" + languages: + - hcl + severity: ERROR + message: S3 bucket with public read-write access detected. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl + - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + category: security + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket + shortlink: https://sg.run/0nok + semgrep.dev: + rule: + rule_id: 6JUqvn + version_id: PkTYPz + url: https://semgrep.dev/playground/r/PkTYPz/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket + origin: community +- id: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust + message: Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting + (XSS) vulnerability if this comes from user-provided input. If you have to use + `$TRUST`, ensure it does not come from user-input or use the appropriate prevention + mechanism e.g. input validation or sanitization depending on the context. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://angular.io/api/platform-browser/DomSanitizer + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + confidence: MEDIUM + category: security + technology: + - angular + - browser + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust + shortlink: https://sg.run/KWxP + semgrep.dev: + rule: + rule_id: oqUzgA + version_id: 5PT6gr + url: https://semgrep.dev/playground/r/5PT6gr/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust + origin: community + languages: + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + function ...({..., $X: string, ...}) { ... } + - pattern-inside: | + function ...(..., $X: string, ...) { ... } + - focus-metavariable: $X + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $X.$TRUST($Y) + - focus-metavariable: $Y + - pattern-not: | + $X.$TRUST(`...`) + - pattern-not: | + $X.$TRUST("...") + - metavariable-regex: + metavariable: $TRUST + regex: (bypassSecurityTrustHtml|bypassSecurityTrustStyle|bypassSecurityTrustScript|bypassSecurityTrustUrl|bypassSecurityTrustResourceUrl) + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + import * as $S from "underscore.string" + ... + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + $S = require("underscore.string") + ... + - pattern-either: + - pattern: $S.escapeHTML(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "dompurify" + ... + - pattern-inside: | + import { ..., $S,... } from "dompurify" + ... + - pattern-inside: | + import * as $S from "dompurify" + ... + - pattern-inside: | + $S = require("dompurify") + ... + - pattern-inside: | + import $S from "isomorphic-dompurify" + ... + - pattern-inside: | + import * as $S from "isomorphic-dompurify" + ... + - pattern-inside: | + $S = require("isomorphic-dompurify") + ... + - pattern-either: + - patterns: + - pattern-inside: | + $VALUE = $S(...) + ... + - pattern: $VALUE.sanitize(...) + - patterns: + - pattern-inside: | + $VALUE = $S.sanitize + ... + - pattern: $S(...) + - pattern: $S.sanitize(...) + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'xss'; + ... + - pattern-inside: | + import * as $S from 'xss'; + ... + - pattern-inside: | + $S = require("xss") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'sanitize-html'; + ... + - pattern-inside: | + import * as $S from "sanitize-html"; + ... + - pattern-inside: | + $S = require("sanitize-html") + ... + - pattern: $S(...) + - patterns: + - pattern: sanitizer.sanitize(...) + - pattern-not: sanitizer.sanitize(SecurityContext.NONE, ...); +- id: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any + message: Access-Control-Allow-Origin response header is set to "*". This will disable + CORS Same Origin Policy restrictions. + metadata: + cwe: + - 'CWE-183: Permissive List of Allowed Inputs' + asvs: + section: 'V14: Configuration Verification Requirements' + control_id: 14.4.8 Permissive CORS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements + version: '4' + category: security + technology: + - nestjs + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any + shortlink: https://sg.run/ljBL + semgrep.dev: + rule: + rule_id: pKUG17 + version_id: 0bTvPk + url: https://semgrep.dev/playground/r/0bTvPk/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any + origin: community + languages: + - typescript + severity: WARNING + pattern-either: + - pattern: | + class $CN { + @Header("=~/[Aa][Cc][Cc][Ee][Ss][Ss]-[Cc][Oo][Nn][Tt][Rr][Oo][Ll]-[Aa][Ll][Ll][Oo][Ww]-[Oo][Rr][Ii][Gg][Ii][Nn]/", '*') + $FN(...) { + ... + } + } + - pattern: | + NestFactory.create($MODULE, {cors: true}) + - pattern: | + NestFactory.create($MODULE, {cors: {origin: '*'}}) + - pattern: | + $APP.enableCors() + - pattern: | + $APP.enableCors({origin: '*'}) +- id: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled + message: X-XSS-Protection header is set to 0. This will disable the browser's XSS + Filter. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + category: security + technology: + - nestjs + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled + shortlink: https://sg.run/YgGW + semgrep.dev: + rule: + rule_id: 2ZU4zx + version_id: K3TlWB + url: https://semgrep.dev/playground/r/K3TlWB/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled + origin: community + languages: + - typescript + severity: WARNING + pattern: | + class $CN { + ... + @Header("=~/[Xx]-[Xx][Ss][Ss]-[Pp][Rr][Oo][Tt][Ee][Cc][Tt][Ii][Oo][Nn]/", '0') + $FN(...) { + ... + } + ... + } +- id: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect + message: 'Untrusted user input in {url: ...} can result in Open Redirect vulnerability.' + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + category: security + technology: + - nestjs + owasp: + - A01:2021 - Broken Access Control + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect + shortlink: https://sg.run/6rJw + semgrep.dev: + rule: + rule_id: X5UZQK + version_id: qkTN8P + url: https://semgrep.dev/playground/r/qkTN8P/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect + origin: community + languages: + - typescript + severity: WARNING + patterns: + - pattern: | + return {url: $URL} + - pattern-inside: | + class $CN { + @Redirect(...) + $FN(...) { + ... + } + } + - pattern-not: | + return {url: "..."} +- id: typescript.react.security.react-controlled-component-password.react-controlled-component-password + message: this rule has been deprecated. + metadata: + category: security + deprecated: true + technology: + - react + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://semgrep.dev + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.react-controlled-component-password.react-controlled-component-password + shortlink: https://sg.run/jN2Z + semgrep.dev: + rule: + rule_id: bwUObG + version_id: kbT7nA + url: https://semgrep.dev/playground/r/kbT7nA/typescript.react.security.react-controlled-component-password.react-controlled-component-password + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.react-insecure-request.react-insecure-request + message: Unencrypted request over HTTP detected. + metadata: + vulnerability: Insecure Transport + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://www.npmjs.com/package/axios + category: security + technology: + - react + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request + shortlink: https://sg.run/1n0b + semgrep.dev: + rule: + rule_id: NbUA3O + version_id: w8T37Q + url: https://semgrep.dev/playground/r/w8T37Q/typescript.react.security.react-insecure-request.react-insecure-request + origin: community + languages: + - typescript + - javascript + severity: ERROR + pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + import $AXIOS from 'axios'; + ... + $AXIOS.$METHOD(...) + - pattern-inside: | + $AXIOS = require('axios'); + ... + $AXIOS.$METHOD(...) + - pattern-either: + - pattern: $AXIOS.get("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.post("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.delete("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.head("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.patch("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.put("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - pattern: $AXIOS.options("=~/[Hh][Tt][Tt][Pp]:\/\/.*/",...) + - patterns: + - pattern-either: + - pattern-inside: | + import $AXIOS from 'axios'; + ... + $AXIOS(...) + - pattern-inside: | + $AXIOS = require('axios'); + ... + $AXIOS(...) + - pattern-either: + - pattern: '$AXIOS({url: "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"}, ...)' + - pattern: | + $OPTS = {url: "=~/[Hh][Tt][Tt][Pp]:\/\/.*/"} + ... + $AXIOS($OPTS, ...) + - pattern: fetch("=~/[Hh][Tt][Tt][Pp]:\/\/.*/", ...) +- id: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html + message: Overwriting `transformLinkUri` or `transformImageUri` to something insecure, + or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the + code up to XSS vectors. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://www.npmjs.com/package/react-markdown#security + category: security + technology: + - react + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html + shortlink: https://sg.run/9qAk + semgrep.dev: + rule: + rule_id: kxURd4 + version_id: xyT4eL + url: https://semgrep.dev/playground/r/xyT4eL/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html + origin: community + languages: + - typescript + - javascript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + $X = require('react-markdown/with-html'); + ... + - pattern-inside: | + $X = require('react-markdown'); + ... + - pattern-inside: | + import 'react-markdown/with-html'; + ... + - pattern-inside: | + import 'react-markdown'; + ... + - pattern-either: + - pattern: | + <$EL allowDangerousHtml /> + - pattern: | + <$EL escapeHtml={false} /> + - pattern: | + <$EL transformLinkUri=... /> + - pattern: | + <$EL transformImageUri=... /> +- id: typescript.react.security.audit.react-css-injection.react-css-injection + message: this rule has been deprecated. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 + category: security + deprecated: true + technology: + - react + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-css-injection.react-css-injection + shortlink: https://sg.run/yze8 + semgrep.dev: + rule: + rule_id: wdU861 + version_id: l4T5nK + url: https://semgrep.dev/playground/r/l4T5nK/typescript.react.security.audit.react-css-injection.react-css-injection + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml + message: Detection of dangerouslySetInnerHTML from non-constant definition. This + can inadvertently expose users to cross-site scripting (XSS) attacks if this comes + from user-provided input. If you have to use dangerouslySetInnerHTML, consider + using a sanitization library such as DOMPurify to sanitize your HTML. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html + category: security + confidence: MEDIUM + technology: + - react + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml + shortlink: https://sg.run/rAx6 + semgrep.dev: + rule: + rule_id: x8UWvK + version_id: jQTglPx + url: https://semgrep.dev/playground/r/jQTglPx/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml + origin: community + languages: + - typescript + - javascript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + function ...({..., $X, ...}) { ... } + - pattern-inside: | + function ...(..., $X, ...) { ... } + - focus-metavariable: $X + - pattern-not-inside: | + $F. ... .$SANITIZEUNC(...) + pattern-sinks: + - patterns: + - focus-metavariable: $X + - pattern-either: + - pattern: | + {...,dangerouslySetInnerHTML: {__html: $X},...} + - pattern: | + <$Y ... dangerouslySetInnerHTML={{__html: $X}} /> + - pattern-not: | + <$Y ... dangerouslySetInnerHTML={{__html: "..."}} /> + - pattern-not: | + {...,dangerouslySetInnerHTML:{__html: "..."},...} + - metavariable-pattern: + patterns: + - pattern-not: | + {...} + metavariable: $X + - pattern-not: | + <... {__html: "..."} ...> + - pattern-not: | + <... {__html: `...`} ...> + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + import * as $S from "underscore.string" + ... + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + $S = require("underscore.string") + ... + - pattern-either: + - pattern: $S.escapeHTML(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "dompurify" + ... + - pattern-inside: | + import { ..., $S,... } from "dompurify" + ... + - pattern-inside: | + import * as $S from "dompurify" + ... + - pattern-inside: | + $S = require("dompurify") + ... + - pattern-inside: | + import $S from "isomorphic-dompurify" + ... + - pattern-inside: | + import * as $S from "isomorphic-dompurify" + ... + - pattern-inside: | + $S = require("isomorphic-dompurify") + ... + - pattern-either: + - patterns: + - pattern-inside: | + $VALUE = $S(...) + ... + - pattern: $VALUE.sanitize(...) + - patterns: + - pattern-inside: | + $VALUE = $S.sanitize + ... + - pattern: $S(...) + - pattern: $S.sanitize(...) + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'xss'; + ... + - pattern-inside: | + import * as $S from 'xss'; + ... + - pattern-inside: | + $S = require("xss") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'sanitize-html'; + ... + - pattern-inside: | + import * as $S from "sanitize-html"; + ... + - pattern-inside: | + $S = require("sanitize-html") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + $S = new Remarkable() + ... + - pattern: $S.render(...) +- id: typescript.react.security.audit.react-http-leak.react-http-leak + message: this rule has been deprecated. + metadata: + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + deprecated: true + references: + - https://github.com/cure53/HTTPLeaks + category: security + technology: + - react + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/typescript.react.security.audit.react-http-leak.react-http-leak + shortlink: https://sg.run/kLbX + semgrep.dev: + rule: + rule_id: v8U51n + version_id: zyT57z + url: https://semgrep.dev/playground/r/zyT57z/typescript.react.security.audit.react-http-leak.react-http-leak + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property + message: Property decoded from JWT token without verifying and cannot be trustworthy. + metadata: + cwe: + - 'CWE-922: Insecure Storage of Sensitive Information' + references: + - https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html + category: security + owasp: + - A01:2021 - Broken Access Control + technology: + - react + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property + shortlink: https://sg.run/wx8x + semgrep.dev: + rule: + rule_id: d8Uzqz + version_id: pZTr75 + url: https://semgrep.dev/playground/r/pZTr75/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern-inside: | + import jwt_decode from "jwt-decode"; + ... + - pattern-inside: | + $DECODED = jwt_decode($TOKEN,...); + ... + - pattern: $DECODED.$PROPERTY +- id: typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage + message: Storing JWT tokens in localStorage known to be a bad practice, consider + moving your tokens from localStorage to a HTTP cookie. + metadata: + cwe: + - 'CWE-922: Insecure Storage of Sensitive Information' + references: + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies + category: security + owasp: + - A01:2021 - Broken Access Control + technology: + - react + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage + shortlink: https://sg.run/xYye + semgrep.dev: + rule: + rule_id: ZqUq6g + version_id: 2KT1JJ + url: https://semgrep.dev/playground/r/2KT1JJ/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern-inside: | + import jwt_decode from "jwt-decode"; + ... + - pattern-either: + - pattern: | + $DECODED = jwt_decode($TOKEN,...); + ... + localStorage.setItem($NAME, <... $TOKEN ...>); + - pattern: | + $DECODED = jwt_decode(...); + ... + localStorage.setItem($NAME, <... $DECODED ...>); +- id: typescript.react.security.audit.react-props-injection.react-props-injection + message: this rule has been deprecated. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + deprecated: true + references: + - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 + category: security + technology: + - react + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-props-injection.react-props-injection + shortlink: https://sg.run/dg6P + semgrep.dev: + rule: + rule_id: L1U47z + version_id: 9lTzPw + url: https://semgrep.dev/playground/r/9lTzPw/typescript.react.security.audit.react-props-injection.react-props-injection + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.audit.react-router-redirect.react-router-redirect + message: this rule has been deprecated. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + deprecated: true + category: security + technology: + - react + references: + - https://v5.reactrouter.com/web/api/Redirect + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + - https://semgrep.dev + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-router-redirect.react-router-redirect + shortlink: https://sg.run/ZeR7 + semgrep.dev: + rule: + rule_id: 8GUE4K + version_id: yeTX7j + url: https://semgrep.dev/playground/r/yeTX7j/typescript.react.security.audit.react-router-redirect.react-router-redirect + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection + message: this rule has been deprecated. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://styled-components.com/docs/advanced#security + category: security + deprecated: true + technology: + - react + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection + shortlink: https://sg.run/nqWG + semgrep.dev: + rule: + rule_id: gxUW6x + version_id: rxTx7Z + url: https://semgrep.dev/playground/r/rxTx7Z/typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection + origin: community + languages: + - typescript + - javascript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method + message: Detection of $HTML from non-constant definition. This can inadvertently + expose users to cross-site scripting (XSS) attacks if this comes from user-provided + input. If you have to use $HTML, consider using a sanitization library such as + DOMPurify to sanitize your HTML. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln + - https://developer.mozilla.org/en-US/docs/Web/API/Document/write + - https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML + category: security + confidence: MEDIUM + technology: + - react + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method + shortlink: https://sg.run/E5x8 + semgrep.dev: + rule: + rule_id: QrU68w + version_id: bZTGjY + url: https://semgrep.dev/playground/r/bZTGjY/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method + origin: community + languages: + - typescript + - javascript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + function ...({..., $X, ...}) { ... } + - pattern-inside: | + function ...(..., $X, ...) { ... } + - focus-metavariable: $X + - pattern-either: + - pattern: $X.$Y + - pattern: $X[...] + pattern-sinks: + - patterns: + - pattern-either: + - pattern: "this.window.document. ... .$HTML('...',$SINK) \n" + - pattern: "window.document. ... .$HTML('...',$SINK) \n" + - pattern: "document.$HTML($SINK) \n" + - metavariable-regex: + metavariable: $HTML + regex: (writeln|write) + - focus-metavariable: $SINK + - patterns: + - pattern-either: + - pattern: "$PROP. ... .$HTML('...',$SINK) \n" + - metavariable-regex: + metavariable: $HTML + regex: (insertAdjacentHTML) + - focus-metavariable: $SINK + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + import * as $S from "underscore.string" + ... + - pattern-inside: | + import $S from "underscore.string" + ... + - pattern-inside: | + $S = require("underscore.string") + ... + - pattern-either: + - pattern: $S.escapeHTML(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from "dompurify" + ... + - pattern-inside: | + import { ..., $S,... } from "dompurify" + ... + - pattern-inside: | + import * as $S from "dompurify" + ... + - pattern-inside: | + $S = require("dompurify") + ... + - pattern-inside: | + import $S from "isomorphic-dompurify" + ... + - pattern-inside: | + import * as $S from "isomorphic-dompurify" + ... + - pattern-inside: | + $S = require("isomorphic-dompurify") + ... + - pattern-either: + - patterns: + - pattern-inside: | + $VALUE = $S(...) + ... + - pattern: $VALUE.sanitize(...) + - patterns: + - pattern-inside: | + $VALUE = $S.sanitize + ... + - pattern: $S(...) + - pattern: $S.sanitize(...) + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'xss'; + ... + - pattern-inside: | + import * as $S from 'xss'; + ... + - pattern-inside: | + $S = require("xss") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + import $S from 'sanitize-html'; + ... + - pattern-inside: | + import * as $S from "sanitize-html"; + ... + - pattern-inside: | + $S = require("sanitize-html") + ... + - pattern: $S(...) + - patterns: + - pattern-either: + - pattern-inside: | + $S = new Remarkable() + ... + - pattern: $S.render(...) +- id: ruby.lang.security.dangerous-exec.dangerous-exec + mode: taint + pattern-sources: + - patterns: + - pattern: | + def $F(...,$ARG,...) + ... + end + - focus-metavariable: $ARG + - pattern: params + - pattern: cookies + pattern-sinks: + - patterns: + - pattern: | + $EXEC(...) + - pattern-not: | + $EXEC("...","...","...",...) + - pattern-not: | + $EXEC(["...","...","...",...],...) + - pattern-not: | + $EXEC({...},"...","...","...",...) + - pattern-not: | + $EXEC({...},["...","...","...",...],...) + - metavariable-regex: + metavariable: $EXEC + regex: ^(system|exec|spawn|Process.exec|Process.spawn|Open3.capture2|Open3.capture2e|Open3.capture3|Open3.popen2|Open3.popen2e|Open3.popen3|IO.popen|Gem::Util.popen|PTY.spawn)$ + message: Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If + unverified user data can reach this call site, this is a code injection vulnerability. + A malicious actor can inject a malicious script to execute arbitrary code. + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_execute.rb + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - ruby + - rails + references: + - https://guides.rubyonrails.org/security.html#command-line-injection + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec + shortlink: https://sg.run/R8GY + semgrep.dev: + rule: + rule_id: WAUZOw + version_id: 6xTe7A + url: https://semgrep.dev/playground/r/6xTe7A/ruby.lang.security.dangerous-exec.dangerous-exec + origin: community + severity: WARNING + languages: + - ruby +- id: ruby.lang.security.dangerous-open.dangerous-open + patterns: + - pattern: | + open($CMD,...) + - pattern-not: | + open("...",...) + - metavariable-regex: + metavariable: $CMD + regex: '|' + message: Detected non-static command inside 'open'. Audit the input to 'open'. If + unverified user data can reach this call site, this is a code injection vulnerability. + A malicious actor can inject a malicious script to execute arbitrary code. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open + shortlink: https://sg.run/Al8Q + semgrep.dev: + rule: + rule_id: 0oUEyd + version_id: o5TnQP + url: https://semgrep.dev/playground/r/o5TnQP/ruby.lang.security.dangerous-open.dangerous-open + origin: community + severity: WARNING + languages: + - ruby +- id: ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline + patterns: + - pattern: | + Open3.$PIPE(...) + - pattern-not: | + Open3.$PIPE(...,"...",...) + - metavariable-regex: + metavariable: $PIPE + regex: ^(pipeline|pipeline_r|pipeline_rw|pipeline_start|pipeline_w)$ + message: Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If + unverified user data can reach this call site, this is a code injection vulnerability. + A malicious actor can inject a malicious script to execute arbitrary code. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline + shortlink: https://sg.run/B4jv + semgrep.dev: + rule: + rule_id: KxU4nd + version_id: zyT5g6 + url: https://semgrep.dev/playground/r/zyT5g6/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline + origin: community + severity: WARNING + languages: + - ruby +- id: ruby.lang.security.dangerous-syscall.dangerous-syscall + pattern: | + syscall + message: '''syscall'' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) + library is preferred for safer and a bit more portable programming.' + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall + shortlink: https://sg.run/DJkv + semgrep.dev: + rule: + rule_id: qNUo50 + version_id: 2KT1NB + url: https://semgrep.dev/playground/r/2KT1NB/ruby.lang.security.dangerous-syscall.dangerous-syscall + origin: community + severity: WARNING + languages: + - ruby +- id: ruby.lang.security.dangerous-subshell.dangerous-subshell + patterns: + - pattern: | + `...#{$VAL}...` + - pattern-not: | + `...#{"..."}...` + - pattern-not-inside: | + $VAL = "..." + ... + message: Detected non-static command inside `...`. If unverified user data can reach + this call site, this is a code injection vulnerability. A malicious actor can + inject a malicious script to execute arbitrary code. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - ruby + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell + shortlink: https://sg.run/NrxL + semgrep.dev: + rule: + rule_id: OrUGn8 + version_id: pZTrgg + url: https://semgrep.dev/playground/r/pZTrgg/ruby.lang.security.dangerous-subshell.dangerous-subshell + origin: community + severity: WARNING + languages: + - ruby +- id: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell + message: Detected non-literal calls to $EXEC(). This could lead to a command injection + vulnerability. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js + category: security + technology: + - javascript + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell + shortlink: https://sg.run/DJ8v + semgrep.dev: + rule: + rule_id: qNUo10 + version_id: K3TlGp + url: https://semgrep.dev/playground/r/K3TlGp/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + function ... (...,$FUNC,...) { + ... + } + - focus-metavariable: $FUNC + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('child_process') + ... + - pattern-inside: | + import 'child_process' + ... + - pattern-either: + - pattern: spawn(...) + - pattern: spawnSync(...) + - pattern: $CP.spawn(...) + - pattern: $CP.spawnSync(...) + - pattern-either: + - pattern: | + $EXEC("=~/(sh|bash|ksh|csh|tcsh|zsh)/",["-c", $ARG, ...],...) + - patterns: + - pattern: $EXEC($CMD,["-c", $ARG, ...],...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" + ... + - pattern: | + $EXEC("=~/(sh|bash|ksh|csh|tcsh|zsh)/",[$ARG, ...],...) + - patterns: + - pattern: $EXEC($CMD,[$ARG, ...],...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" + ... + - focus-metavariable: $ARG +- id: javascript.lang.security.audit.spawn-shell-true.spawn-shell-true + message: 'Found ''$SPAWN'' with ''{shell: $SHELL}''. This is dangerous because this + call will spawn the command using a shell process. Doing so propagates current + shell settings and variables, which makes it much easier for a malicious actor + to execute commands. Use ''{shell: false}'' instead.' + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + category: security + technology: + - javascript + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true + shortlink: https://sg.run/Wgeo + semgrep.dev: + rule: + rule_id: lBUdr5 + version_id: K3TlKr + url: https://semgrep.dev/playground/r/K3TlKr/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern-either: + - pattern: | + spawn(...,{shell: $SHELL}) + - pattern: | + spawnSync(...,{shell: $SHELL}) + - pattern: | + $CP.spawn(...,{shell: $SHELL}) + - pattern: | + $CP.spawnSync(...,{shell: $SHELL}) + - pattern-not: | + spawn(...,{shell: false}) + - pattern-not: | + spawnSync(...,{shell: false}) + - pattern-not: | + $CP.spawn(...,{shell: false}) + - pattern-not: | + $CP.spawnSync(...,{shell: false}) +- id: javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection + message: this rule has been deprecated. + severity: INFO + languages: + - javascript + - typescript + metadata: + owasp: + - A03:2021 - Injection + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - javascript + references: + - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection + shortlink: https://sg.run/0ngr + semgrep.dev: + rule: + rule_id: YGUr6P + version_id: 9lTz4E + url: https://semgrep.dev/playground/r/9lTz4E/javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection + origin: community + patterns: + - pattern: a() + - pattern: b() +- id: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run + message: Detected non-literal calls to Deno.run(). This could lead to a command + injection vulnerability. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + category: security + technology: + - deno + references: + - https://deno.land/manual/examples/subprocess#simple-example + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run + shortlink: https://sg.run/Nrrn + semgrep.dev: + rule: + rule_id: x8UWWg + version_id: w8T3nR + url: https://semgrep.dev/playground/r/w8T3nR/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-inside: function ... (..., $ARG,...) {...} + - focus-metavariable: $ARG + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + Deno.run({cmd: [$INPUT,...]},...) + - pattern: | + Deno.run({cmd: ["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$INPUT,...]},...) + - patterns: + - pattern: | + Deno.run({cmd: [$CMD,"-c",$INPUT,...]},...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" + ... + - focus-metavariable: $INPUT +- id: java.lang.security.audit.command-injection-process-builder.command-injection-process-builder + pattern-either: + - patterns: + - pattern: | + new ProcessBuilder($CMD,...) + - pattern-not-inside: | + $CMD = "..."; + ... + - pattern-not-inside: | + $CMD = Arrays.asList("...",...); + ... + - pattern-not-inside: | + $CMD = new String[]{"...",...}; + ... + - pattern-not: | + new ProcessBuilder("...",...) + - pattern-not: | + new ProcessBuilder(new String[]{"...",...},...) + - pattern-not: | + new ProcessBuilder(Arrays.asList("...",...),...) + - patterns: + - pattern: | + $PB.command($CMD,...) + - pattern-inside: | + $TYPE $PB = new ProcessBuilder(...); + ... + - pattern-not-inside: | + $CMD = "..."; + ... + - pattern-not-inside: | + $CMD = Arrays.asList("...",...); + ... + - pattern-not-inside: | + $CMD = new String[]{"...",...}; + ... + - pattern-not: | + $PB.command("...",...) + - pattern-not: | + $PB.command(new String[]{"...",...},...) + - pattern-not: | + $PB.command(Arrays.asList("...",...),...) + - patterns: + - pattern-either: + - pattern: | + new ProcessBuilder("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) + - pattern: | + new ProcessBuilder("cmd","/c",$ARG,...) + - pattern: | + new ProcessBuilder(Arrays.asList("cmd","/c",$ARG,...),...) + - pattern: | + new ProcessBuilder(new String[]{"cmd","/c",$ARG,...},...) + - patterns: + - pattern-either: + - pattern: | + new ProcessBuilder($CMD,"/c",$ARG,...) + - pattern: | + new ProcessBuilder(Arrays.asList($CMD,"/c",$ARG,...),...) + - pattern: | + new ProcessBuilder(new String[]{$CMD,"/c",$ARG,...},...) + - pattern-inside: | + $CMD = "cmd"; + ... + - pattern-not-inside: | + $ARG = "..."; + ... + - pattern-not: | + new ProcessBuilder("...","...","...",...) + - pattern-not: | + new ProcessBuilder(new String[]{"...","...","...",...},...) + - pattern-not: | + new ProcessBuilder(Arrays.asList("...","...","...",...),...) + - patterns: + - pattern-either: + - pattern: | + $PB.command("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) + - pattern: | + $PB.command("cmd","/c",$ARG,...) + - pattern: | + $PB.command(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) + - pattern: | + $PB.command(Arrays.asList("cmd","/c",$ARG,...),...) + - pattern: | + $PB.command(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) + - pattern: | + $PB.command(new String[]{"cmd","/c",$ARG,...},...) + - patterns: + - pattern-either: + - pattern: | + $PB.command($CMD,"-c",$ARG,...) + - pattern: | + $PB.command(Arrays.asList($CMD,"-c",$ARG,...),...) + - pattern: | + $PB.command(new String[]{$CMD,"-c",$ARG,...},...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; + ... + - patterns: + - pattern-either: + - pattern: | + $PB.command($CMD,"/c",$ARG,...) + - pattern: | + $PB.command(Arrays.asList($CMD,"/c",$ARG,...),...) + - pattern: | + $PB.command(new String[]{$CMD,"/c",$ARG,...},...) + - pattern-inside: | + $CMD = "cmd"; + ... + - pattern-inside: | + $TYPE $PB = new ProcessBuilder(...); + ... + - pattern-not-inside: | + $ARG = "..."; + ... + - pattern-not: | + $PB.command("...","...","...",...) + - pattern-not: | + $PB.command(new String[]{"...","...","...",...},...) + - pattern-not: | + $PB.command(Arrays.asList("...","...","...",...),...) + message: A formatted or concatenated string was detected as input to a ProcessBuilder + call. This is dangerous if a variable is controlled by user input and could result + in a command injection. Ensure your variables are not controlled by users or sufficiently + sanitized. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder + shortlink: https://sg.run/gJJe + semgrep.dev: + rule: + rule_id: 4bUzzo + version_id: 3ZTd3l + url: https://semgrep.dev/playground/r/3ZTd3l/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder + origin: community + severity: ERROR + languages: + - java +- id: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval + pattern: | + + message: A Spring expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + severity: WARNING + languages: + - generic + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval + shortlink: https://sg.run/Q88o + semgrep.dev: + rule: + rule_id: PeUkkL + version_id: e1Tx98 + url: https://semgrep.dev/playground/r/e1Tx98/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval + origin: community + paths: + include: + - '*.jsp' +- id: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls + message: 'If TLS is disabled on server side (Postgresql server), Sequelize establishes + connection without TLS and no error will be thrown. To prevent MITN (Man In The + Middle) attack, TLS must be enforce by Sequelize. Set "ssl: true" or define settings + "ssl: {...}"' + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://node-postgres.com/features/ssl + - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket + - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options + - https://nodejs.org/api/tls.html#tls_tls_default_min_version + category: security + technology: + - sequelize + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls + shortlink: https://sg.run/yz6Z + semgrep.dev: + rule: + rule_id: NbUAYW + version_id: qkTNOp + url: https://semgrep.dev/playground/r/qkTNOp/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern: | + { + host: $HOST, + database: $DATABASE, + dialect: $DIALECT + } + - pattern-not: | + { + host: $HOST, + database: $DATABASE, + dialect: "postgres", + dialectOptions: { + ssl: true + } + } + - pattern-not: | + { + host: $HOST, + database: $DATABASE, + dialect: $DIALECT, + dialectOptions: { + ssl: { ... } + } + } + - metavariable-regex: + metavariable: $DIALECT + regex: '[''"](mariadb|mysql|postgres)[''"]' +- id: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation + message: Set "rejectUnauthorized" to false is a convenient way to resolve certificate + error. But this method is unsafe because it disables the server certificate verification, + making the Node app open to MITM attack. "rejectUnauthorized" option must be alway + set to True (default value). With self -signed certificate or custom CA, use "ca" + option to define Root Certificate. This rule checks TLS configuration only for + Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. + This rule could be extended for MSSQL, but the dialectOptions is specific for + Tedious. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://node-postgres.com/features/ssl + - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket + - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options + category: security + technology: + - sequelize + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation + shortlink: https://sg.run/rAkj + semgrep.dev: + rule: + rule_id: kxUR80 + version_id: o5Tndb + url: https://semgrep.dev/playground/r/o5Tndb/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern: | + { + host: $HOST, + database: $DATABASE, + dialect: $DIALECT, + dialectOptions: { + ssl: { + rejectUnauthorized: false + } + } + } + - metavariable-regex: + metavariable: $DIALECT + regex: '[''"](mariadb|mysql|postgres)[''"]' +- id: javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version + message: TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, + NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. + Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for + PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. + This rule could be extended for MSSQL, but the dialectOptions is specific for + Tedious. + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://node-postgres.com/features/ssl + - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket + - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options + - https://nodejs.org/api/tls.html#tls_tls_default_min_version + category: security + technology: + - sequelize + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version + shortlink: https://sg.run/bDrq + semgrep.dev: + rule: + rule_id: wdU8GB + version_id: zyT5LL + url: https://semgrep.dev/playground/r/zyT5LL/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-inside: | + { + host: $HOST, + database: $DATABASE, + dialect: $DIALECT, + dialectOptions: + { ssl: ... } + } + - pattern-either: + - pattern: | + { + minVersion: 'TLSv1' + } + - pattern: | + { + minVersion: 'TLSv1.1' + } + - metavariable-regex: + metavariable: $DIALECT + regex: '[''"](mariadb|mysql|postgres)[''"]' +- id: java.jboss.security.seam-log-injection.seam-log-injection + patterns: + - pattern: | + $LOG.$INFO($X + $Y,...) + - pattern-either: + - pattern-inside: | + import org.jboss.seam.log.Log; + ... + - pattern-inside: | + org.jboss.seam.log.Log $LOG = ...; + ... + - metavariable-regex: + metavariable: $INFO + regex: (debug|error|fatal|info|trace|warn) + languages: + - java + message: Seam Logging API support an expression language to introduce bean property + to log messages. The expression language can also be the source to unwanted code + execution. In this context, an expression is built with a dynamic value. The source + of the value(s) should be verified to avoid that unfiltered values fall into this + risky code evaluation. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION + category: security + technology: + - jboss + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection + shortlink: https://sg.run/3A4o + semgrep.dev: + rule: + rule_id: JDUPQ7 + version_id: ZRTwGr + url: https://semgrep.dev/playground/r/ZRTwGr/java.jboss.security.seam-log-injection.seam-log-injection + origin: community + severity: ERROR +- id: java.lang.security.audit.unsafe-reflection.unsafe-reflection + patterns: + - pattern: | + Class.forName($CLASS,...) + - pattern-not: | + Class.forName("...",...) + - pattern-not-inside: | + $CLASS = "..."; + ... + message: If an attacker can supply values that the application then uses to determine + which class to instantiate or which method to invoke, the potential exists for + the attacker to create control flow paths through the application that were not + intended by the application developers. This attack vector may allow the attacker + to bypass authentication or access control checks or otherwise cause the application + to behave in an unexpected manner. + metadata: + cwe: + - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe + Reflection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection + shortlink: https://sg.run/R8X8 + semgrep.dev: + rule: + rule_id: DbUW1W + version_id: 8KTbv9 + url: https://semgrep.dev/playground/r/8KTbv9/java.lang.security.audit.unsafe-reflection.unsafe-reflection + origin: community + severity: WARNING + languages: + - java +- id: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name + patterns: + - pattern-either: + - pattern: | + $SMTH.MethodByName($NAME,...) + - pattern: | + $SMTH.FieldByName($NAME,...) + - pattern-not: | + $SMTH.MethodByName("...",...) + - pattern-not: | + $SMTH.FieldByName("...",...) + - pattern-inside: | + import "reflect" + ... + message: If an attacker can supply values that the application then uses to determine + which method or field to invoke, the potential exists for the attacker to create + control flow paths through the application that were not intended by the application + developers. This attack vector may allow the attacker to bypass authentication + or access control checks or otherwise cause the application to behave in an unexpected + manner. + metadata: + cwe: + - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe + Reflection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - go + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name + shortlink: https://sg.run/R8Xv + semgrep.dev: + rule: + rule_id: BYUBdJ + version_id: 44TogA + url: https://semgrep.dev/playground/r/44TogA/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name + origin: community + severity: WARNING + languages: + - go +- id: yaml.docker-compose.security.privileged-service.privileged-service + patterns: + - pattern-inside: | + version: ... + ... + services: + ... + $SERVICE: + ... + privileged: $TRUE + - focus-metavariable: $TRUE + - metavariable-regex: + metavariable: $TRUE + regex: (true) + fix: | + false + message: Service '$SERVICE' is running in privileged mode. This grants the container + the equivalent of root capabilities on the host machine. This can lead to container + escapes, privilege escalation, and other security concerns. Remove the 'privileged' + key to disable this capability. + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + references: + - https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html + - https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/ + category: security + technology: + - docker-compose + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service + shortlink: https://sg.run/AlX0 + semgrep.dev: + rule: + rule_id: DbUW17 + version_id: d6TDGj + url: https://semgrep.dev/playground/r/d6TDGj/yaml.docker-compose.security.privileged-service.privileged-service + origin: community + languages: + - yaml + severity: WARNING +- id: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + pattern-regex: \$2[aby]?\$[\d]+\$[./A-Za-z0-9]{53} + languages: + - regex + message: bcrypt hash detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + - bcrypt + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + shortlink: https://sg.run/3A8G + semgrep.dev: + rule: + rule_id: PeUk0Q + version_id: DkTQW8 + url: https://semgrep.dev/playground/r/DkTQW8/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + origin: community +- id: generic.secrets.security.detected-etc-shadow.detected-etc-shadow + pattern-regex: root:[x!*]*:[0-9]*:[0-9]* + languages: + - regex + message: linux shadow file detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow + shortlink: https://sg.run/4ylL + semgrep.dev: + rule: + rule_id: JDUP6p + version_id: 0bTvJx + url: https://semgrep.dev/playground/r/0bTvJx/generic.secrets.security.detected-etc-shadow.detected-etc-shadow + origin: community +- id: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token + patterns: + - pattern: $AUTHTOKEN = $VALUE + - metavariable-regex: + metavariable: $AUTHTOKEN + regex: _(authToken|auth|password) + - pattern-not: $AUTHTOKEN = ${...} + languages: + - generic + message: NPM registry authentication token detected + paths: + include: + - '*npmrc*' + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + - npm + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token + shortlink: https://sg.run/Ppg3 + semgrep.dev: + rule: + rule_id: 5rU4pe + version_id: NdT1YG + url: https://semgrep.dev/playground/r/NdT1YG/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token + origin: community +- id: javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket + message: Insecure WebSocket Detected. WebSocket Secure (wss) should be used for + all WebSocket connections. + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + asvs: + section: 'V13: API and Web Service Verification Requirements' + control_id: 13.5.1 Insecure WebSocket + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements + version: '4' + category: security + technology: + - regex + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket + shortlink: https://sg.run/GWyz + semgrep.dev: + rule: + rule_id: AbUWeE + version_id: e1TxyQ + url: https://semgrep.dev/playground/r/e1TxyQ/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket + origin: community + languages: + - regex + severity: ERROR + pattern-regex: \bws:\/\/ +- id: yaml.docker-compose.security.no-new-privileges.no-new-privileges + patterns: + - pattern-inside: | + version: ... + ... + services: + ... + - pattern: | + $SERVICE: + ... + image: ... + - pattern-not: | + $SERVICE: + ... + image: ... + ... + security_opt: + - ... + - no-new-privileges:true + - focus-metavariable: $SERVICE + message: Service '$SERVICE' allows for privilege escalation via setuid or setgid + binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. + metadata: + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + references: + - https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/ + - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag + category: security + technology: + - docker-compose + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges + shortlink: https://sg.run/0n8q + semgrep.dev: + rule: + rule_id: qNUoWr + version_id: vdT2zp + url: https://semgrep.dev/playground/r/vdT2zp/yaml.docker-compose.security.no-new-privileges.no-new-privileges + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled + patterns: + - pattern-inside: | + version: ... + ... + services: + ... + - pattern: | + $SERVICE: + ... + image: ... + ... + security_opt: + - ... + - seccomp:unconfined + message: Service '$SERVICE' is explicitly disabling seccomp confinement. This runs + the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this. + metadata: + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://docs.docker.com/engine/security/seccomp/ + category: security + technology: + - docker-compose + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled + shortlink: https://sg.run/KWkY + semgrep.dev: + rule: + rule_id: lBUdW3 + version_id: ZRTwPq + url: https://semgrep.dev/playground/r/ZRTwPq/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled + patterns: + - pattern-inside: | + version: ... + ... + services: + ... + - pattern: | + $SERVICE: + ... + image: ... + ... + security_opt: + - ... + - label:disable + message: Service '$SERVICE' is explicitly disabling SELinux separation. This runs + the service as an unconfined type. Remove 'label:disable' to prevent this. + metadata: + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/ + - https://docs.docker.com/engine/reference/run/#security-configuration + category: security + technology: + - docker-compose + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled + shortlink: https://sg.run/qryb + semgrep.dev: + rule: + rule_id: YGUrAG + version_id: nWT74r + url: https://semgrep.dev/playground/r/nWT74r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation + patterns: + - pattern-inside: | + containers: + ... + - pattern-inside: | + - name: $CONTAINER + ... + - pattern: | + image: ... + ... + - pattern-inside: | + image: ... + ... + $SC: + ... + - metavariable-regex: + metavariable: $SC + regex: ^(securityContext)$ + - pattern-not-inside: | + image: ... + ... + securityContext: + ... + allowPrivilegeEscalation: $VAL + - focus-metavariable: $SC + fix: | + securityContext: + allowPrivilegeEscalation: false # + message: In Kubernetes, each pod runs in its own isolated environment with its own set + of security policies. However, certain container images may contain `setuid` + or `setgid` binaries that could allow an attacker to perform privilege escalation + and gain access to sensitive resources. To mitigate this risk, it's recommended + to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` + set to `false`. This will prevent the container from running any privileged processes + and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` + parameter to your the `securityContext`, you can help to ensure that your containerized + applications are more secure and less vulnerable to privilege escalation attacks. + metadata: + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag + category: security + technology: + - kubernetes + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation + shortlink: https://sg.run/ljp6 + semgrep.dev: + rule: + rule_id: 6JUqEO + version_id: JdTqrn + url: https://semgrep.dev/playground/r/JdTqrn/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.privileged-container.privileged-container + pattern-either: + - patterns: + - pattern-inside: | + containers: + ... + - pattern: | + image: ... + ... + securityContext: + ... + privileged: true + - patterns: + - pattern-inside: | + spec: + ... + - pattern-not-inside: | + image: ... + ... + - pattern: | + privileged: true + message: Container or pod is running in privileged mode. This grants the container + the equivalent of root capabilities on the host machine. This can lead to container + escapes, privilege escalation, and other security concerns. Remove the 'privileged' + key to disable this capability. + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html + category: security + technology: + - kubernetes + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container + shortlink: https://sg.run/Ygr5 + semgrep.dev: + rule: + rule_id: oqUz2p + version_id: DkTQ0L + url: https://semgrep.dev/playground/r/DkTQ0L/yaml.kubernetes.security.privileged-container.privileged-container + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled + patterns: + - pattern-inside: | + containers: + ... + - pattern: | + image: ... + ... + securityContext: + ... + seccompProfile: unconfined + message: 'Container is explicitly disabling seccomp confinement. This runs the service + in an unrestricted state. Remove ''seccompProfile: unconfined'' to prevent this.' + metadata: + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + category: security + technology: + - kubernetes + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled + shortlink: https://sg.run/6rgY + semgrep.dev: + rule: + rule_id: zdUynw + version_id: YDTo0B + url: https://semgrep.dev/playground/r/YDTo0B/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled + origin: community + languages: + - yaml + severity: WARNING +- id: python.lang.security.dangerous-globals-use.dangerous-globals-use + patterns: + - pattern-either: + - pattern: globals().get(...) + - pattern: locals().get(...) + - pattern: globals()[...] + - pattern: locals()[...] + - patterns: + - pattern-either: + - pattern-inside: | + $G = globals() + ... + - pattern-inside: | + $G = locals() + ... + - pattern-either: + - pattern: $G.get(...) + - pattern: $G[...] + - pattern: $FUNC.__globals__[...] + - pattern-not: globals().get("...") + - pattern-not: locals().get("...") + - pattern-not: globals()["..."] + - pattern-not: locals()["..."] + - pattern-not: $G.get("...") + - pattern-not: $G.get["..."] + - pattern-not: $G["..."] + - pattern-not: $FUNC.__globals__["..."] + - pattern-not-inside: globals()[...] = ... + - pattern-not-inside: locals()[...] = ... + - pattern-not-inside: $G[...] = ... + - pattern-not-inside: $FUNC.__globals__[...] = ... + message: Found non static data as an index to 'globals()'. This is extremely dangerous + because it allows an attacker to execute arbitrary code on the system. Refactor + your code not to use 'globals()'. + metadata: + cwe: + - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static + Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186 + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use + shortlink: https://sg.run/jNzn + semgrep.dev: + rule: + rule_id: 9AUOZP + version_id: QkTJLN + url: https://semgrep.dev/playground/r/QkTJLN/python.lang.security.dangerous-globals-use.dangerous-globals-use + origin: community + severity: WARNING + languages: + - python +- id: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell + patterns: + - pattern-either: + - pattern: | + $SHELL.parse(...) + - pattern: | + $SHELL.evaluate(...) + - pattern: | + $SHELL.parseClass(...) + - pattern-either: + - pattern-inside: | + groovy.lang.GroovyShell $SHELL = ...; + ... + - pattern-inside: | + groovy.lang.GroovyClassLoader $SHELL = ...; + ... + - pattern-not: | + $SHELL.parse("...",...) + - pattern-not: | + $SHELL.evaluate("...",...) + - pattern-not: | + $SHELL.parseClass("...",...) + message: A expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL + category: security + technology: + - groovy + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell + shortlink: https://sg.run/58LK + semgrep.dev: + rule: + rule_id: ReUPKp + version_id: YDTolW + url: https://semgrep.dev/playground/r/YDTolW/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell + origin: community + languages: + - java + severity: WARNING +- id: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster + pattern: | + cluster: + ... + insecure-skip-tls-verify: true + message: 'Cluster is disabling TLS certificate verification when communicating with + the server. This makes your HTTPS connections insecure. Remove the ''insecure-skip-tls-verify: + true'' key to secure communication.' + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster + category: security + technology: + - kubernetes + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster + shortlink: https://sg.run/okyn + semgrep.dev: + rule: + rule_id: zdUyWx + version_id: 5PT6DW + url: https://semgrep.dev/playground/r/5PT6DW/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service + pattern: | + spec: + ... + insecureSkipTLSVerify: true + message: 'Service is disabling TLS certificate verification when communicating with + the server. This makes your HTTPS connections insecure. Remove the ''insecureSkipTLSVerify: + true'' key to secure communication.' + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + references: + - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io + category: security + technology: + - kubernetes + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service + shortlink: https://sg.run/zk10 + semgrep.dev: + rule: + rule_id: pKUGXr + version_id: GxT2E1 + url: https://semgrep.dev/playground/r/GxT2E1/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service + origin: community + languages: + - yaml + severity: WARNING +- id: python.flask.security.flask-api-method-string-format.flask-api-method-string-format + patterns: + - pattern-either: + - pattern: | + def $METHOD(...,$ARG,...): + ... + $STRING = "...".format(...,$ARG,...) + ... + ... = requests.$REQMETHOD($STRING,...) + - pattern: | + def $METHOD(...,$ARG,...): + ... + ... = requests.$REQMETHOD("...".format(...,$ARG,...),...) + - pattern-inside: | + class $CLASS(...): + method_decorators = ... + ... + message: Method $METHOD in API controller $CLASS provides user arg $ARG to requests + method $REQMETHOD + severity: ERROR + languages: + - python + metadata: + cwe: + - 'CWE-134: Use of Externally-Controlled Format String' + category: security + technology: + - flask + references: + - https://cwe.mitre.org/data/definitions/134.html + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format + shortlink: https://sg.run/bDWr + semgrep.dev: + rule: + rule_id: NbUAeY + version_id: QkTJQL + url: https://semgrep.dev/playground/r/QkTJQL/python.flask.security.flask-api-method-string-format.flask-api-method-string-format + origin: community +- id: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume + patterns: + - pattern-inside: | + version: ... + ... + - pattern-either: + - pattern: | + volumes: + - ... + - /var/run/docker.sock:/var/run/docker.sock + - ... + - pattern: | + volumes: + - ... + - /run/docker.sock:/run/docker.sock + - ... + - pattern: | + volumes: + - ... + - /var/run/docker.sock:/run/docker.sock + - ... + - pattern: | + volumes: + - ... + - /run/docker.sock:/var/run/docker.sock + - ... + - pattern: | + volumes: + - ... + - /var/run/docker.sock + - ... + - pattern: | + volumes: + - ... + - /run/docker.sock + - ... + - pattern: | + volumes: + - ... + - ... + source: /var/run/docker.sock + ... + - ... + - pattern: | + volumes: + - ... + - ... + source: /run/docker.sock + ... + - ... + message: Exposing host's Docker socket to containers via a volume. The owner of + this socket is root. Giving someone access to it is equivalent to giving unrestricted + root access to your host. Remove 'docker.sock' from volumes to prevent this. + metadata: + references: + - https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers + category: security + technology: + - docker-compose + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume + shortlink: https://sg.run/O14b + semgrep.dev: + rule: + rule_id: eqUvZ9 + version_id: e1Txkg + url: https://semgrep.dev/playground/r/e1Txkg/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service + patterns: + - pattern-inside: | + version: ... + ... + services: + ... + - pattern: | + $SERVICE: + ... + image: ... + ... + - pattern-not: | + $SERVICE: + ... + image: ... + ... + read_only: true + - focus-metavariable: $SERVICE + message: 'Service ''$SERVICE'' is running with a writable root filesystem. This + may allow malicious applications to download and run additional payloads, or modify + container files. If an application inside a container has to save something temporarily + consider using a tmpfs. Add ''read_only: true'' to this service to prevent this.' + metadata: + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + references: + - https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir + - https://blog.atomist.com/security-of-docker-kubernetes/ + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only + category: security + technology: + - docker-compose + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service + shortlink: https://sg.run/e4JE + semgrep.dev: + rule: + rule_id: v8U5vN + version_id: ExTnDK + url: https://semgrep.dev/playground/r/ExTnDK/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath + patterns: + - pattern-inside: | + volumes: + ... + - pattern: | + hostPath: + ... + path: /var/run/docker.sock + message: Exposing host's Docker socket to containers via a volume. The owner of + this socket is root. Giving someone access to it is equivalent to giving unrestricted + root access to your host. Remove 'docker.sock' from hostpath to prevent this. + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + references: + - https://kubernetes.io/docs/concepts/storage/volumes/#hostpath + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers + category: security + technology: + - kubernetes + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath + shortlink: https://sg.run/v0pR + semgrep.dev: + rule: + rule_id: d8Uz6v + version_id: GxT2EB + url: https://semgrep.dev/playground/r/GxT2EB/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.run-as-non-root.run-as-non-root + patterns: + - pattern-inside: | + $SPEC: + ... + containers: + ... + ... + - metavariable-regex: + metavariable: $SPEC + regex: ^(spec)$ + - pattern-not-inside: | + spec: + ... + securityContext: + ... + ... + - pattern-inside: | + $SPEC: + ... + containers: + ... + - pattern-not-inside: | + $SPEC: + ... + containers: + ... + - name: $NAME + image: ... + ... + securityContext: + ... + runAsNonRoot: $VALUE + - focus-metavariable: $SPEC + fix: | + $SPEC: + securityContext: + runAsNonRoot: true # + message: When running containers in Kubernetes, it's important to ensure that they are + properly secured to prevent privilege escalation attacks. One potential vulnerability + is when a container is allowed to run applications as the root user, which could + allow an attacker to gain access to sensitive resources. To mitigate this risk, + it's recommended to add a `securityContext` to the container, with the parameter + `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root + user, limiting the damage that could be caused by any potential attacks. By adding + a `securityContext` to the container in your Kubernetes pod, you can help to + ensure that your containerized applications are more secure and less vulnerable + to privilege escalation attacks. + metadata: + references: + - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user + category: security + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + technology: + - kubernetes + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root + shortlink: https://sg.run/dgP5 + semgrep.dev: + rule: + rule_id: ZqUqeK + version_id: l4T5OK + url: https://semgrep.dev/playground/r/l4T5OK/yaml.kubernetes.security.run-as-non-root.run-as-non-root + origin: community + languages: + - yaml + severity: INFO +- id: yaml.kubernetes.security.hostipc-pod.hostipc-pod + patterns: + - pattern-inside: | + spec: + ... + - pattern: | + hostIPC: true + message: Pod is sharing the host IPC namespace. This allows container processes + to communicate with processes on the host which reduces isolation and bypasses + container protection models. Remove the 'hostIPC' key to disable this functionality. + metadata: + cwe: + - 'CWE-693: Protection Mechanism Failure' + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + category: security + technology: + - kubernetes + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod + shortlink: https://sg.run/nqGO + semgrep.dev: + rule: + rule_id: nJUYPE + version_id: RGTbGr + url: https://semgrep.dev/playground/r/RGTbGr/yaml.kubernetes.security.hostipc-pod.hostipc-pod + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod + patterns: + - pattern-inside: | + spec: + ... + - pattern: | + hostNetwork: true + message: Pod may use the node network namespace. This gives the pod access to the + loopback device, services listening on localhost, and could be used to snoop on + network activity of other pods on the same node. Remove the 'hostNetwork' key + to disable this functionality. + metadata: + cwe: + - 'CWE-406: Insufficient Control of Network Message Volume (Network Amplification)' + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + category: security + technology: + - kubernetes + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod + shortlink: https://sg.run/E51A + semgrep.dev: + rule: + rule_id: EwU4NO + version_id: A8TR7n + url: https://semgrep.dev/playground/r/A8TR7n/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.hostpid-pod.hostpid-pod + patterns: + - pattern-inside: | + spec: + ... + - pattern: | + hostPID: true + message: Pod is sharing the host process ID namespace. When paired with ptrace this + can be used to escalate privileges outside of the container. Remove the 'hostPID' + key to disable this functionality. + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + category: security + technology: + - kubernetes + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod + shortlink: https://sg.run/708R + semgrep.dev: + rule: + rule_id: 7KUeo0 + version_id: BjTE0Q + url: https://semgrep.dev/playground/r/BjTE0Q/yaml.kubernetes.security.hostpid-pod.hostpid-pod + origin: community + languages: + - yaml + severity: WARNING +- id: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli + patterns: + - pattern-either: + - patterns: + - pattern: $DB.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = fmt.Sprintf("...", $PARAM1, ...) + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern: $DB.$METHOD(..., $X + $Y, ...) + - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) + - pattern-either: + - pattern-inside: | + $DB, ... = sql.Open(...) + ... + - pattern-inside: | + func $FUNCNAME(..., $DB *sql.DB, ...) { + ... + } + - pattern-not: $DB.$METHOD(..., "..." + "...", ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(Exec|ExecContent|Query|QueryContext|QueryRow|QueryRowContext)$ + languages: + - go + message: Detected string concatenation with a non-literal variable in a "database/sql" + Go SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can use prepared statements with the + 'Prepare' and 'PrepareContext' calls. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://golang.org/pkg/database/sql/ + category: security + technology: + - go + confidence: LOW + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli + shortlink: https://sg.run/YgOX + semgrep.dev: + rule: + rule_id: YGUrnQ + version_id: 8KTbze + url: https://semgrep.dev/playground/r/8KTbze/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli + origin: community + severity: ERROR +- id: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli + patterns: + - pattern-inside: | + import ( + ... + "$IMPORT" + ) + ... + - metavariable-regex: + metavariable: $IMPORT + regex: .*go-pg + - pattern-either: + - patterns: + - pattern: $DB.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = fmt.Sprintf("...", $PARAM1, ...) + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern: | + $DB.$INTFUNC1(...).$METHOD(..., $X + $Y, ...).$INTFUNC2(...) + - pattern: | + $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) + - pattern-inside: | + $DB = pg.Connect(...) + ... + - pattern-inside: | + func $FUNCNAME(..., $DB *pg.DB, ...) { + ... + } + - pattern-not-inside: | + $QUERY = fmt.Sprintf("...", ...,"...", ...) + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not: $DB.$METHOD(...,"...",...) + - pattern-not: | + $DB.$INTFUNC1(...).$METHOD(..., "...", ...).$INTFUNC2(...) + - pattern-not-inside: | + $QUERY = "..." + "..." + - pattern-not: | + "..." + - pattern-not: path.Join(...) + - pattern-not: filepath.Join(...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(Where|WhereOr|Join|GroupExpr|OrderExpr|ColumnExpr)$ + languages: + - go + message: Detected string concatenation with a non-literal variable in a go-pg ORM + SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, do not use strings + concatenated with user-controlled input. Instead, use parameterized statements. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://pg.uptrace.dev/queries/ + category: security + technology: + - go-pg + confidence: LOW + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli + shortlink: https://sg.run/6rA6 + semgrep.dev: + rule: + rule_id: 6JUqQ1 + version_id: gETqJZ + url: https://semgrep.dev/playground/r/gETqJZ/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli + origin: community + severity: ERROR +- id: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli + languages: + - go + message: 'Detected string concatenation with a non-literal variable in a pgx Go + SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, + `data1)' + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://github.com/jackc/pgx + - https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool + category: security + technology: + - pgx + confidence: LOW + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli + shortlink: https://sg.run/okKN + semgrep.dev: + rule: + rule_id: oqUz92 + version_id: 3ZTd6l + url: https://semgrep.dev/playground/r/3ZTd6l/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli + origin: community + patterns: + - pattern-either: + - patterns: + - pattern: $DB.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = fmt.Sprintf("...", $PARAM1, ...) + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern: $DB.$METHOD(..., $X + $Y, ...) + - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) + - pattern-either: + - pattern-inside: | + $DB, ... = pgx.Connect(...) + ... + - pattern-inside: | + $DB, ... = pgx.NewConnPool(...) + ... + - pattern-inside: | + $DB, ... = pgx.ConnectConfig(...) + ... + - pattern-inside: | + func $FUNCNAME(..., $DB *pgx.Conn, ...) { + ... + } + - pattern-not: $DB.$METHOD(..., "..." + "...", ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(Exec|ExecEx|Query|QueryEx|QueryRow|QueryRowEx)$ + severity: ERROR +- id: go.lang.security.audit.sqli.pg-sqli.pg-sqli + languages: + - go + message: 'Detected string concatenation with a non-literal variable in a go-pg SQL + statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries instead of string concatenation. You can use parameterized queries like + so: ''(SELECT ? FROM table, data1)''' + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://pg.uptrace.dev/ + - https://pkg.go.dev/github.com/go-pg/pg/v10 + category: security + technology: + - go-pg + confidence: LOW + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli + shortlink: https://sg.run/Al94 + semgrep.dev: + rule: + rule_id: AbUWXY + version_id: QkTJnW + url: https://semgrep.dev/playground/r/QkTJnW/go.lang.security.audit.sqli.pg-sqli.pg-sqli + origin: community + severity: ERROR + patterns: + - pattern-either: + - patterns: + - pattern: | + $DB.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = fmt.Sprintf("...", $PARAM1, ...) + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern: $DB.$METHOD(..., $X + $Y, ...) + - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) + - pattern-either: + - pattern-inside: | + $DB = pg.Connect(...) + ... + - pattern-inside: | + func $FUNCNAME(..., $DB *pg.DB, ...) { + ... + } + - pattern-not: $DB.$METHOD(..., "..." + "...", ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(Exec|ExecContext|ExecOne|ExecOneContext|Query|QueryOne|QueryContext|QueryOneContext)$ +- id: python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli + languages: + - python + message: 'Detected string concatenation with a non-literal variable in an aiopg + Python SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries instead. You can create parameterized queries like so: ''cur.execute("SELECT + %s FROM table", (user_value,))''.' + metadata: + references: + - https://github.com/aio-libs/aiopg + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aiopg + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli + shortlink: https://sg.run/WgGL + semgrep.dev: + rule: + rule_id: DbUWRY + version_id: e1TxwX + url: https://semgrep.dev/playground/r/e1TxwX/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli + origin: community + patterns: + - pattern-either: + - patterns: + - pattern: $CUR.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = '...'.format(...) + ... + - pattern-inside: | + $QUERY = '...' % (...) + ... + - pattern-inside: | + $QUERY = f'...{$USERINPUT}...' + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern-not-inside: | + $QUERY = '...'.format() + ... + - pattern-not-inside: | + $QUERY = '...' % () + ... + - pattern: $CUR.$METHOD(..., $X + $Y, ...) + - pattern: $CUR.$METHOD(..., '...'.format(...), ...) + - pattern: $CUR.$METHOD(..., '...' % (...), ...) + - pattern: $CUR.$METHOD(..., f'...{$USERINPUT}...', ...) + - pattern-either: + - pattern-inside: | + $CONN = await aiopg.connect(...) + ... + $CUR = await $CONN.cursor(...) + ... + - pattern-inside: | + $POOL = await aiopg.create_pool(...) + ... + async with $POOL.acquire(...) as $CONN: + ... + async with $CONN.cursor(...) as $CUR: + ... + - pattern-inside: | + $POOL = await aiopg.create_pool(...) + ... + with (await $POOL.cursor(...)) as $CUR: + ... + - pattern-inside: | + $POOL = await aiopg.create_pool(...) + ... + async with $POOL as $CONN: + ... + $CUR = await $CONN.cursor(...) + ... + - pattern-inside: | + $POOL = await aiopg.create_pool(...) + ... + async with $POOL.cursor(...) as $CUR: + ... + - pattern-not: $CUR.$METHOD(..., "..." + "...", ...) + - pattern-not: $CUR.$METHOD(..., '...'.format(), ...) + - pattern-not: $CUR.$METHOD(..., '...'%(), ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(execute)$ + severity: WARNING +- id: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli + languages: + - python + message: 'Detected string concatenation with a non-literal variable in a asyncpg + Python SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can create parameterized queries like + so: ''conn.fetch("SELECT $1 FROM table", value)''. You can also create prepared + statements with ''Connection.prepare'': ''stmt = conn.prepare("SELECT $1 FROM + table"); await stmt.fetch(user_value)''' + metadata: + references: + - https://github.com/MagicStack/asyncpg + - https://magicstack.github.io/asyncpg/current/ + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - asyncpg + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli + shortlink: https://sg.run/0nBB + semgrep.dev: + rule: + rule_id: WAUZqq + version_id: 3ZTkkNZ + url: https://semgrep.dev/playground/r/3ZTkkNZ/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli + origin: community + patterns: + - pattern-either: + - patterns: + - pattern: $CONN.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = '...'.format(...) + ... + - pattern-inside: | + $QUERY = '...' % (...) + ... + - pattern-inside: | + $QUERY = f'...{$USERINPUT}...' + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern-not-inside: | + $QUERY = '...'.format() + ... + - pattern-not-inside: | + $QUERY = '...' % () + ... + - pattern: $CONN.$METHOD(..., $X + $Y, ...) + - pattern: $CONN.$METHOD(..., $Y.format(...), ...) + - pattern: $CONN.$METHOD(..., '...'.format(...), ...) + - pattern: $CONN.$METHOD(..., '...' % (...), ...) + - pattern: $CONN.$METHOD(..., f'...{$USERINPUT}...', ...) + - pattern-either: + - pattern-inside: | + $CONN = await asyncpg.connect(...) + ... + - pattern-inside: | + async with asyncpg.create_pool(...) as $CONN: + ... + - pattern-inside: | + async with $POOL.acquire(...) as $CONN: + ... + - pattern-inside: | + $CONN = await $POOL.acquire(...) + ... + - pattern-inside: | + def $FUNCNAME(..., $CONN: Connection, ...): + ... + - pattern-inside: | + def $FUNCNAME(..., $CONN: asyncpg.Connection, ...): + ... + - pattern-not: $CONN.$METHOD(..., "..." + "...", ...) + - pattern-not: $CONN.$METHOD(..., '...'.format(), ...) + - pattern-not: $CONN.$METHOD(..., '...'%(), ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(fetch|fetchrow|fetchval|execute|executemany|prepare|cursor|copyfromquery)$ + severity: WARNING +- id: python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli + languages: + - python + message: 'Detected string concatenation with a non-literal variable in a pg8000 + Python SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can create parameterized queries like + so: ''conn.run("SELECT :value FROM table", value=myvalue)''. You can also create + prepared statements with ''conn.prepare'': ''conn.prepare("SELECT (:v) FROM table")''' + metadata: + references: + - https://github.com/tlocke/pg8000 + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - pg8000 + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli + shortlink: https://sg.run/KWAL + semgrep.dev: + rule: + rule_id: 0oUEKo + version_id: d6TDE0 + url: https://semgrep.dev/playground/r/d6TDE0/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli + origin: community + patterns: + - pattern-either: + - patterns: + - pattern: $CONN.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = '...'.format(...) + ... + - pattern-inside: | + $QUERY = '...' % (...) + ... + - pattern-inside: | + $QUERY = f'...{$USERINPUT}...' + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern-not-inside: | + $QUERY = '...'.format() + ... + - pattern-not-inside: | + $QUERY = '...' % () + ... + - pattern: $CONN.$METHOD(..., $X + $Y, ...) + - pattern: $CONN.$METHOD(..., '...'.format(...), ...) + - pattern: $CONN.$METHOD(..., '...' % (...), ...) + - pattern: $CONN.$METHOD(..., f'...{$USERINPUT}...', ...) + - pattern-either: + - pattern-inside: | + $CONN = pg8000.native.Connection(...) + ... + - pattern-inside: | + $CONN = pg8000.dhapi.connect(...) + ... + - pattern-inside: | + $CONN1 = pg8000.connect(...) + ... + $CONN = $CONN1.cursor(...) + ... + - pattern-inside: | + $CONN = pg8000.connect(...) + ... + - pattern-not: $CONN.$METHOD(..., "..." + "...", ...) + - pattern-not: $CONN.$METHOD(..., '...'.format(), ...) + - pattern-not: $CONN.$METHOD(..., '...'%(), ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(run|execute|executemany|prepare)$ + severity: WARNING +- id: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli + languages: + - python + message: 'Detected string concatenation with a non-literal variable in a psycopg2 + Python SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can use prepared statements by creating + a ''sql.SQL'' string. You can also use the pyformat binding style to create parameterized + queries. For example: ''cur.execute(SELECT * FROM table WHERE name=%s, user_input)''' + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + references: + - https://www.psycopg.org/docs/sql.html + category: security + technology: + - psycopg + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli + shortlink: https://sg.run/qrLe + semgrep.dev: + rule: + rule_id: KxU4Kg + version_id: ZRTwJ8 + url: https://semgrep.dev/playground/r/ZRTwJ8/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli + origin: community + patterns: + - pattern-either: + - patterns: + - pattern: $CUR.$METHOD(...,$QUERY,...) + - pattern-either: + - pattern-inside: | + $QUERY = $X + $Y + ... + - pattern-inside: | + $QUERY += $X + ... + - pattern-inside: | + $QUERY = '...'.format(...) + ... + - pattern-inside: | + $QUERY = '...' % (...) + ... + - pattern-inside: | + $QUERY = f'...{$USERINPUT}...' + ... + - pattern-not-inside: | + $QUERY += "..." + ... + - pattern-not-inside: | + $QUERY = "..." + "..." + ... + - pattern-not-inside: | + $QUERY = '...'.format() + ... + - pattern-not-inside: | + $QUERY = '...' % () + ... + - pattern: $CUR.$METHOD(..., $X + $Y, ...) + - pattern: $CUR.$METHOD(..., '...'.format(...), ...) + - pattern: $CUR.$METHOD(..., '...' % (...), ...) + - pattern: $CUR.$METHOD(..., f'...{$USERINPUT}...', ...) + - pattern-either: + - pattern-inside: | + $CONN = psycopg2.connect(...) + ... + $CUR = $CONN.cursor(...) + ... + - pattern-inside: | + $CONN = psycopg2.connect(...) + ... + with $CONN.cursor(...) as $CUR: + ... + - pattern-not: $CUR.$METHOD(..., "..." + "...", ...) + - pattern-not: $CUR.$METHOD(..., '...'.format(), ...) + - pattern-not: $CUR.$METHOD(..., '...'%(), ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(execute|executemany|mogrify)$ + severity: WARNING +- id: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli + mode: taint + pattern-propagators: + - pattern: $X << $Y + from: $Y + to: $X + pattern-sources: + - pattern-either: + - pattern: | + params + - pattern: | + cookies + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $CON = PG.connect(...) + ... + - pattern-inside: | + $CON = PG::Connection.open(...) + ... + - pattern-inside: | + $CON = PG::Connection.new(...) + ... + - pattern-either: + - pattern: | + $CON.$METHOD($X,...) + - pattern: | + $CON.$METHOD $X, ... + - focus-metavariable: $X + - metavariable-regex: + metavariable: $METHOD + regex: ^(exec|exec_params)$ + languages: + - ruby + message: 'Detected string concatenation with a non-literal variable in a pg Ruby + SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can use parameterized queries like + so: `conn.exec_params(''SELECT $1 AS a, $2 AS b, $3 AS c'', [1, 2, nil])` And + you can use prepared statements with `exec_prepared`.' + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://www.rubydoc.info/gems/pg/PG/Connection + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli + shortlink: https://sg.run/kL0o + semgrep.dev: + rule: + rule_id: NbUAz7 + version_id: WrTb2D + url: https://semgrep.dev/playground/r/WrTb2D/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli + origin: community + severity: WARNING +- id: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled + pattern: management.endpoints.web.exposure.include=* + message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints + such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless + you have Spring Security enabled or another means to protect these endpoints, + this functionality is available without authentication, causing a severe security + risk. + severity: WARNING + languages: + - generic + paths: + include: + - '*properties' + metadata: + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + owasp: + - A01:2021 - Broken Access Control + references: + - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints + - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 + - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators + category: security + technology: + - spring + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled + shortlink: https://sg.run/L0vY + semgrep.dev: + rule: + rule_id: EwU4vg + version_id: kbT7YK + url: https://semgrep.dev/playground/r/kbT7YK/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled + origin: community +- id: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling + patterns: + - pattern-either: + - pattern: | + proxy_http_version 1.1 ...; + ... + proxy_set_header Upgrade ...; + ... + proxy_set_header Connection ...; + - pattern: | + proxy_set_header Upgrade ...; + ... + proxy_set_header Connection ...; + ... + proxy_http_version 1.1 ...; + - pattern: | + proxy_set_header Upgrade ...; + ... + proxy_http_version 1.1 ...; + ... + proxy_set_header Connection ...; + - pattern-inside: | + location ... { + ... + } + languages: + - generic + severity: WARNING + message: 'Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading + HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which + can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted + HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: + Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). + WebSocket support not required: Do not forward Upgrade headers.' + paths: + include: + - '*.conf' + - '*.vhost' + - sites-available/* + - sites-enabled/* + metadata: + cwe: + - 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request/Response + Smuggling'')' + references: + - https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c + category: security + technology: + - nginx + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling + shortlink: https://sg.run/ploZ + semgrep.dev: + rule: + rule_id: 6JUq0Z + version_id: WrTbOG + url: https://semgrep.dev/playground/r/WrTbOG/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling + origin: community +- id: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query + message: 'Avoiding SQL string concatenation: untrusted input concatenated with raw + SQL query can result in SQL Injection. In order to execute raw query safely, prepared + statement should be used. SQLAlchemy provides TextualSQL to easily used prepared + statement with named parameters. For complex SQL composition, use SQL Expression + Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be + a better option.' + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql + - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column + category: security + technology: + - sqlalchemy + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query + shortlink: https://sg.run/2b1L + semgrep.dev: + rule: + rule_id: oqUz5y + version_id: gETq8A + url: https://semgrep.dev/playground/r/gETq8A/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query + origin: community + severity: ERROR + languages: + - python + pattern-either: + - pattern: | + $CONNECTION.execute( $SQL + ..., ... ) + - pattern: | + $CONNECTION.execute( $SQL % (...), ...) + - pattern: | + $CONNECTION.execute( $SQL.format(...), ... ) + - pattern: | + $CONNECTION.execute(f"...{...}...", ...) + - patterns: + - pattern-inside: | + $QUERY = $SQL + ... + ... + - pattern: | + $CONNECTION.execute($QUERY, ...) + - patterns: + - pattern-inside: | + $QUERY = $SQL % (...) + ... + - pattern: | + $CONNECTION.execute($QUERY, ...) + - patterns: + - pattern-inside: | + $QUERY = $SQL.format(...) + ... + - pattern: | + $CONNECTION.execute($QUERY, ...) + - patterns: + - pattern-inside: | + $QUERY = f"...{...}..." + ... + - pattern: | + $CONNECTION.execute($QUERY, ...) +- id: javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli + message: 'Detected string concatenation with a non-literal variable in a node-postgres + JS SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can use parameterized statements like + so: `client.query(''SELECT $1 from table'', [userinput])`' + metadata: + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://node-postgres.com/features/queries + category: security + technology: + - node-postgres + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli + shortlink: https://sg.run/0n3v + semgrep.dev: + rule: + rule_id: ReUPN9 + version_id: 6xTe2Q + url: https://semgrep.dev/playground/r/6xTe2Q/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + function ... (...,$FUNC,...) { + ... + } + - focus-metavariable: $FUNC + - pattern-not-inside: | + $F. ... .$SOURCE(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + const { $CLIENT } = require('pg') + ... + - pattern-inside: | + var { $CLIENT } = require('pg') + ... + - pattern-inside: | + let { $CLIENT } = require('pg') + ... + - pattern-either: + - pattern-inside: | + $DB = new $CLIENT(...) + ... + - pattern-inside: | + $NEWPOOL = new $CLIENT(...) + ... + $NEWPOOL.connect((..., $DB, ...) => { + ... + }) + - pattern: $DB.query($QUERY,...) + - focus-metavariable: $QUERY +- id: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide + category: security + technology: + - .net + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization + shortlink: https://sg.run/ZeXW + semgrep.dev: + rule: + rule_id: bwUOjK + version_id: GxT2v6 + url: https://semgrep.dev/playground/r/GxT2v6/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization + origin: community + message: The BinaryFormatter type is dangerous and is not recommended for data processing. + Applications should stop using BinaryFormatter as soon as possible, even if they + believe the data they're processing to be trustworthy. BinaryFormatter is insecure + and can't be made secure + patterns: + - pattern-inside: | + using System.Runtime.Serialization.Formatters.Binary; + ... + - pattern: | + new BinaryFormatter(); +- id: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://github.com/mgholam/fastJSON#security-warning-update + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization + shortlink: https://sg.run/nqnd + semgrep.dev: + rule: + rule_id: NbUAwk + version_id: A8TR9g + url: https://semgrep.dev/playground/r/A8TR9g/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization + origin: community + message: $type extension has the potential to be unsafe, so use it with common sense + and known json sources and not public facing ones to be safe + patterns: + - pattern-inside: | + using fastJSON; + ... + - pattern: | + new JSONParameters + { + BadListTypeChecking = false + } +- id: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution + category: security + technology: + - .net + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization + shortlink: https://sg.run/E5e5 + semgrep.dev: + rule: + rule_id: kxURnR + version_id: BjTEXb + url: https://semgrep.dev/playground/r/BjTEXb/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization + origin: community + message: The FsPickler is dangerous and is not recommended for data processing. + Default configuration tend to insecure deserialization vulnerability. + patterns: + - pattern-inside: | + using MBrace.FsPickler.Json; + ... + - pattern: | + FsPickler.CreateJsonSerializer(); +- id: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8 + category: security + technology: + - .net + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization + shortlink: https://sg.run/70pG + semgrep.dev: + rule: + rule_id: wdU87G + version_id: 0bTvLq + url: https://semgrep.dev/playground/r/0bTvLq/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization + origin: community + message: The LosFormatter type is dangerous and is not recommended for data processing. + Applications should stop using LosFormatter as soon as possible, even if they + believe the data they're processing to be trustworthy. LosFormatter is insecure + and can't be made secure + patterns: + - pattern-inside: | + using System.Web.UI; + ... + - pattern: | + new LosFormatter(); +- id: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security + category: security + technology: + - .net + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization + shortlink: https://sg.run/L0AX + semgrep.dev: + rule: + rule_id: x8UW7x + version_id: K3TlvQ + url: https://semgrep.dev/playground/r/K3TlvQ/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization + origin: community + message: The NetDataContractSerializer type is dangerous and is not recommended + for data processing. Applications should stop using NetDataContractSerializer + as soon as possible, even if they believe the data they're processing to be trustworthy. + NetDataContractSerializer is insecure and can't be made secure + patterns: + - pattern-inside: | + using System.Runtime.Serialization; + ... + - pattern: | + new NetDataContractSerializer(); +- id: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization + patterns: + - pattern-either: + - pattern: TypeNameHandling = TypeNameHandling.$TYPEHANDLER + - pattern: | + $SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER; + ... + JsonConvert.DeserializeObject<$TYPE>(...,$SETTINGS); + - pattern: | + $SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER; + ... + JsonConvert.DeserializeObject(...,$SETTINGS); + - pattern-inside: | + using Newtonsoft.Json; + ... + - metavariable-regex: + metavariable: $TYPEHANDLER + regex: (All|Auto|Objects|Arrays) + message: TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code + execution in the context of the process. Use a custom SerializationBinder whenever + using a setting other than TypeNameHandling.None. + languages: + - csharp + severity: WARNING + metadata: + category: security + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks + technology: + - .net + - newtonsoft + - json + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization + shortlink: https://sg.run/8n2g + semgrep.dev: + rule: + rule_id: OrUGgl + version_id: qkTN2K + url: https://semgrep.dev/playground/r/qkTN2K/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization + origin: community +- id: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks + category: security + technology: + - .net + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization + shortlink: https://sg.run/gJnR + semgrep.dev: + rule: + rule_id: eqUvND + version_id: l4T54e + url: https://semgrep.dev/playground/r/l4T54e/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization + origin: community + message: The SoapFormatter type is dangerous and is not recommended for data processing. + Applications should stop using SoapFormatter as soon as possible, even if they + believe the data they're processing to be trustworthy. SoapFormatter is insecure + and can't be made secure + patterns: + - pattern-inside: | + using System.Runtime.Serialization.Formatters.Soap; + ... + - pattern: | + new SoapFormatter(); +- id: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization + severity: ERROR + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization + shortlink: https://sg.run/0nJq + semgrep.dev: + rule: + rule_id: PeUkrK + version_id: WrTbWG + url: https://semgrep.dev/playground/r/WrTbWG/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization + origin: community + message: The SimpleTypeResolver class is insecure and should not be used. Using + SimpleTypeResolver to deserialize JSON could allow the remote client to execute + malicious code within the app and take control of the web server. + patterns: + - pattern-inside: | + using System.Web.Script.Serialization; + ... + - pattern: | + new JavaScriptSerializer(new SimpleTypeResolver()); +- id: csharp.lang.security.injections.os-command.os-command-injection + severity: ERROR + languages: + - csharp + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/Command_Injection + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection + shortlink: https://sg.run/Ze6p + semgrep.dev: + rule: + rule_id: 9AUOjg + version_id: 5PT6d9 + url: https://semgrep.dev/playground/r/5PT6d9/csharp.lang.security.injections.os-command.os-command-injection + origin: community + message: The software constructs all or part of an OS command using externally-influenced + input from an upstream component, but it does not neutralize or incorrectly neutralizes + special elements that could modify the intended OS command when it is sent to + a downstream component. + patterns: + - pattern-inside: | + using System.Diagnostics; + ... + - pattern-inside: | + public $T $F(..., $ARG, ...) + { + ... + } + - pattern-either: + - patterns: + - pattern: | + Process.Start($ARG, ...); + - focus-metavariable: $ARG + - patterns: + - pattern-inside: | + Process $PROC = new Process(); + ... + - pattern-either: + - pattern-inside: | + $PROC.StartInfo.FileName = $ARG; + ... + - pattern-inside: | + $PROC.StartInfo.Arguments = <... $ARG ...>; + ... + - pattern: | + $PROC.Start(); + - patterns: + - patterns: + - pattern-inside: | + ProcessStartInfo $PSINFO = new ProcessStartInfo() + { + ... + }; + ... + - pattern-either: + - pattern-inside: | + FileName = $ARG; + ... + - pattern-inside: | + Arguments = <... $ARG ...>; + ... + - pattern: | + Process.Start($PSINFO); + - focus-metavariable: $PSINFO +- id: generic.secrets.security.detected-github-token.detected-github-token + patterns: + - pattern-either: + - pattern: | + $VAR = $SECRET + - pattern: | + $VAR: $SECRET + - pattern: | + $VAR = '$SECRET' + - pattern: | + $VAR: '$SECRET' + - pattern: | + '$VAR' = '$SECRET' + - pattern: | + '$VAR': '$SECRET' + - pattern: | + "[hH][tT][tT][pP][sS]?://.*$SECRET.*" + - metavariable-regex: + metavariable: $SECRET + regex: gh[pousr]_[A-Za-z0-9_]{36,251} + - metavariable-analysis: + analyzer: entropy + metavariable: $SECRET + languages: + - generic + message: GitHub Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.blog/changelog/2021-03-04-authentication-token-format-updates/ + category: security + technology: + - secrets + - github + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-github-token.detected-github-token + shortlink: https://sg.run/PpOv + semgrep.dev: + rule: + rule_id: eqUv7b + version_id: 6xTe6q + url: https://semgrep.dev/playground/r/6xTe6q/generic.secrets.security.detected-github-token.detected-github-token + origin: community +- id: trailofbits.go.anonymous-race-condition.anonymous-race-condition + message: Possible race condition due to memory aliasing of variable `$X` + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization + (''Race Condition'')' + subcategory: + - vuln + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: + - --no-technology-- + description: Race conditions within anonymous goroutines + references: + - https://github.com/golang/go/wiki/CommonMistakes#using-goroutines-on-loop-iterator-variables + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.anonymous-race-condition.anonymous-race-condition + shortlink: https://sg.run/BL22 + semgrep.dev: + rule: + rule_id: nJUr88 + version_id: 5PTdkvQ + url: https://semgrep.dev/playground/r/5PTdkvQ/trailofbits.go.anonymous-race-condition.anonymous-race-condition + origin: community + patterns: + - pattern-either: + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $FOO(..., $X, ...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $FOO(..., $Y, ...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $X(...) + ... + }(...) + ... + } + - pattern: | + for $X:=...;$Y;$Z { + ... + go func(...) { + ... + $FOO(..., $X,...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $X. ... .$M(...) + ... + }(...) + ... + } + - pattern-not: | + for ..., $X := range ... { + ... + ..., $X := ..., $X + ... + go func(...){ + ... + $FOO(..., $X, ...) + ... + }(...) + ... + } + - pattern-not: | + for ..., $X := range ... { + ... + $X, ... := $X, ... + ... + go func(...){ + ... + $FOO(..., $X, ...) + ... + }(...) + ... + } + - pattern-not: | + for $Y, $X := range ... { + ... + $Y, $X := $Y, $X + ... + go func(...){ + ... + }(...) + ... + } +- id: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil + message: The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does + not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect + implementation could lead to denial of service + languages: + - go + severity: WARNING + metadata: + category: security + cwe: 'CWE-476: NULL Pointer Dereference' + subcategory: + - vuln + confidence: HIGH + likelihood: MEDIUM + impact: LOW + technology: + - --no-technology-- + description: Possible incorrect `ServerCodec` interface implementation + references: + - https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658 + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil + shortlink: https://sg.run/lx09 + semgrep.dev: + rule: + rule_id: QrUp7k + version_id: DkTO3W + url: https://semgrep.dev/playground/r/DkTO3W/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil + origin: community + patterns: + - pattern: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + } + - pattern-not: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + if $ARG == nil { ... } + ... + } + - pattern-not: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + if $ARG != nil { ... } + ... + } +- id: trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast + message: Downcasting or changing sign of an integer with `$CAST_METHOD` method + languages: + - go + severity: WARNING + metadata: + category: security + cwe: 'CWE-681: Incorrect Conversion between Numeric Types' + subcategory: + - audit + confidence: HIGH + likelihood: LOW + impact: MEDIUM + technology: + - --no-technology-- + description: Integer underflows + references: + - https://github.com/golang/go/issues/30209 + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast + shortlink: https://sg.run/65WB + semgrep.dev: + rule: + rule_id: 4bU2AZ + version_id: WrTRkP + url: https://semgrep.dev/playground/r/WrTRkP/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast + origin: community + pattern-either: + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: uint16 + - pattern: uint32 + - pattern: int8 + - pattern: int16 + - pattern: int32 + - pattern-either: + - pattern: | + $X, ... = strconv.Atoi(...) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 64) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 64) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.Atoi(...) + ... + uint64($X) + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 64) + ... + uint64($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 64) + ... + int64($X) + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: uint16 + - pattern: int8 + - pattern: int16 + - pattern-either: + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 32) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 32) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 32) + ... + uint32($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 32) + ... + int32($X) + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: int8 + - pattern-either: + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 16) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 16) + ... + $CAST_METHOD($X) + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 16) + ... + uint16($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 16) + ... + int16($X) + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 8) + ... + uint8($X) + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 8) + ... + int8($X) +- id: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied + message: A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As + a result, the struct `$T` may not be locked as intended + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-688: Function Call With Incorrect Variable or Reference as Argument' + subcategory: + - vuln + confidence: HIGH + likelihood: HIGH + impact: LOW + technology: + - --no-technology-- + description: Copying of `sync.Mutex` via value receivers + references: + - https://go101.org/article/concurrent-common-mistakes.html + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied + shortlink: https://sg.run/owlR + semgrep.dev: + rule: + rule_id: PeUBW1 + version_id: 0bT4Q2 + url: https://semgrep.dev/playground/r/0bT4Q2/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied + origin: community + patterns: + - pattern-either: + - pattern: | + func ($T $TYPE) $FUNC(...){ + ... + $T.Lock() + ... + } + - pattern: | + func ($T $TYPE) $FUNC(...){ + ... + $T.RLock() + ... + } + - pattern-not: | + func ($T2 *$TYPE2) $FUNC(...){ + ... + } +- id: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine + message: | + Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` + waiting for more or less calls to `$WG.Done()` than expected + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-667: Improper Locking' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: + - --no-technology-- + description: Calls to `sync.WaitGroup.Add` inside of anonymous goroutines + references: + - https://go101.org/article/concurrent-common-mistakes.html + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine + shortlink: https://sg.run/z98W + semgrep.dev: + rule: + rule_id: JDUQ3v + version_id: qkT09Q + url: https://semgrep.dev/playground/r/qkT09Q/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine + origin: community + patterns: + - pattern-either: + - pattern: | + $WG := &sync.WaitGroup{} + ... + go func(...) { + ... + $WG.Add(...) + ... + }(...) + ... + $WG.Wait() + - pattern: | + var $WG sync.WaitGroup + ... + go func(...) { + ... + $WG.Add(...) + ... + }(...) + ... + $WG.Wait() + - pattern-not-inside: | + for ... { + ... + $WG.Add(...) + ... + } +- id: trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop + message: Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()` + languages: + - go + severity: WARNING + metadata: + category: security + cwe: 'CWE-667: Improper Locking' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: + - --no-technology-- + description: Calls to `sync.WaitGroup.Wait` inside a loop + references: + - https://go101.org/article/concurrent-common-mistakes.html + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop + shortlink: https://sg.run/pkGL + semgrep.dev: + rule: + rule_id: 5rU8Po + version_id: l4TLeX + url: https://semgrep.dev/playground/r/l4TLeX/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop + origin: community + patterns: + - pattern-either: + - pattern: | + var $WG sync.WaitGroup + ... + for ... { + ... + go func(...){ + ... + defer $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + $WG := &sync.WaitGroup{} + ... + for ... { + ... + go func(...){ + ... + defer $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + var $WG sync.WaitGroup + ... + for ... { + ... + go func(...){ + ... + $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + $WG := &sync.WaitGroup{} + ... + for ... { + ... + go func(...){ + ... + $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } +- id: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal + message: Possible path traversal through `tarfile.open($PATH).extractall()` if the + source tar is controlled by an attacker + languages: + - python + severity: ERROR + metadata: + category: security + cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: + - --no-technology-- + description: Potential path traversal in call to `extractall` for a `tarfile` + references: + - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal + shortlink: https://sg.run/2RLD + semgrep.dev: + rule: + rule_id: GdUZxq + version_id: yeT6Q1 + url: https://semgrep.dev/playground/r/yeT6Q1/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal + origin: community + patterns: + - pattern-either: + - pattern: | + with tarfile.open(...) as $TAR: + ... + $TAR.extractall(...) + - pattern: | + tarfile.open(...).extractall(...) + - pattern: | + $TAR = tarfile.open(...) + ... + $TAR.extractall(...) + - pattern-not: | + with tarfile.open(...) as $TAR: + ... + $TAR.extractall(..., members=$MEMBERS, ...) + - pattern-not: | + tarfile.open(...).extractall(..., members=$MEMBERS, ...) + - pattern-not: | + $TAR = tarfile.open(...) + ... + $TAR.extractall(..., members=$MEMBERS, ...) +- id: trailofbits.go.racy-append-to-slice.racy-append-to-slice + message: Appending `$SLICE` from multiple goroutines is not concurrency safe + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization + (''Race Condition'')' + subcategory: + - vuln + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: + - --no-technology-- + description: Concurrent calls to `append` from multiple goroutines + references: + - https://go.dev/blog/maps#concurrency + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice + shortlink: https://sg.run/jkNY + semgrep.dev: + rule: + rule_id: ReUoP7 + version_id: A8T6yr + url: https://semgrep.dev/playground/r/A8T6yr/trailofbits.go.racy-append-to-slice.racy-append-to-slice + origin: community + patterns: + - pattern: | + $SLICE = append($SLICE, $ITEM) + - pattern-either: + - pattern-inside: | + var $SLICE []$TYPE + ... + for ... { + ... + go func(...) { + ... + $SLICE = append($SLICE, ...) + ... + }(...) + ... + } + - pattern-inside: | + $SLICE := make([]$TYPE, ...) + ... + for ... { + ... + go func(...) { + ... + $SLICE = append($SLICE, ...) + ... + }(...) + ... + } + - pattern-not-inside: | + $MUTEX.Lock() + ... + $MUTEX.Unlock() +- id: trailofbits.go.racy-write-to-map.racy-write-to-map + message: Writing `$MAP` from multiple goroutines is not concurrency safe + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization + (''Race Condition'')' + subcategory: + - vuln + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: + - --no-technology-- + description: Concurrent writes to the same map in multiple goroutines + references: + - https://go.dev/blog/maps#concurrency + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map + shortlink: https://sg.run/1Gnw + semgrep.dev: + rule: + rule_id: AbUGWD + version_id: BjT9QN + url: https://semgrep.dev/playground/r/BjT9QN/trailofbits.go.racy-write-to-map.racy-write-to-map + origin: community + patterns: + - pattern: | + $MAP[$KEY] = $VALUE + - pattern-inside: | + $MAP = make(map[$KTYPE]$VTYPE) + ... + for ... { + ... + go func(...) { + ... + $MAP[$KEY] = $VALUE + ... + }(...) + ... + } + - pattern-not-inside: | + $MUTEX.Lock() + ... + $MUTEX.Unlock() +- id: java.lang.security.audit.crypto.gcm-detection.gcm-detection + metadata: + category: security + cwe: + - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' + references: + - https://cwe.mitre.org/data/definitions/323.html + technology: + - java + owasp: + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-detection.gcm-detection + shortlink: https://sg.run/BLLb + semgrep.dev: + rule: + rule_id: 5rU88R + version_id: BjTEeK + url: https://semgrep.dev/playground/r/BjTEeK/java.lang.security.audit.crypto.gcm-detection.gcm-detection + origin: community + languages: + - java + message: GCM detected, please check that IV/nonce is not reused, an Initialization + Vector (IV) is a nonce used to randomize the encryption, so that even if multiple + messages with identical plaintext are encrypted, the generated corresponding ciphertexts + are different. Unlike the Key, the IV usually does not need to be secret, rather + it is important that it is random and unique. Certain encryption schemes the IV + is exchanged in public as part of the ciphertext. Reusing same Initialization + Vector with the same Key to encrypt multiple plaintext blocks allows an attacker + to compare the ciphertexts and then, with some assumptions on the content of the + messages, to gain important information about the data being encrypted. + patterns: + - pattern-either: + - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...); + - pattern: new GCMParameterSpec(...); + severity: INFO +- id: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse + metadata: + cwe: + - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' + category: security + source-rule-url: https://www.youtube.com/watch?v=r1awgAl90wM + technology: + - java + owasp: + - A02:2021 - Cryptographic Failures + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse + shortlink: https://sg.run/Dww2 + semgrep.dev: + rule: + rule_id: GdUZZ3 + version_id: DkTQGN + url: https://semgrep.dev/playground/r/DkTQGN/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse + origin: community + languages: + - java + message: 'GCM IV/nonce is reused: encryption can be totally useless' + patterns: + - pattern-either: + - pattern: new GCMParameterSpec(..., "...".getBytes(...), ...); + - pattern: byte[] $NONCE = "...".getBytes(...); ... new GCMParameterSpec(..., + $NONCE, ...); + severity: ERROR +- id: java.lang.security.audit.java-reverse-shell.java-reverse-shell + patterns: + - pattern-either: + - pattern: | + Socket $S=new Socket(...); + ... + InputStream $SI = $S.getInputStream(); + ... + while(!$S.isClosed()) + { + ... + while($SI.available()>0)$PO.write($SI.read()); + ... + $SO.flush(); + ... + } + - pattern-inside: | + Process $P=new ProcessBuilder(...).redirectErrorStream(true).start(); + ... + $P.destroy(); + message: Semgrep found potential reverse shell behavior + severity: WARNING + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + category: security + technology: + - java + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.lang.security.audit.java-reverse-shell.java-reverse-shell + shortlink: https://sg.run/kkrX + semgrep.dev: + rule: + rule_id: KxUY7b + version_id: 2KT17O + url: https://semgrep.dev/playground/r/2KT17O/java.lang.security.audit.java-reverse-shell.java-reverse-shell + origin: community + languages: + - java +- id: typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard + message: 'Unescaped ''.'' character in CORS domain regex $CORS: $PATTERN' + metadata: + cwe: + - 'CWE-183: Permissive List of Allowed Inputs' + category: security + technology: + - cors + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard + shortlink: https://sg.run/w13x + semgrep.dev: + rule: + rule_id: qNUbXo + version_id: WrTb4e + url: https://semgrep.dev/playground/r/WrTb4e/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard + origin: community + languages: + - ts + severity: WARNING + patterns: + - pattern-either: + - pattern: const $CORS = [...,$PATTERN,...] + - pattern: const $CORS = $PATTERN + - metavariable-regex: + metavariable: $PATTERN + regex: .+?(?, ...) + - pattern: format_html("..." % ..., ...) + - pattern: format_html("...".format(...), ...) +- id: python.pymongo.security.mongodb.mongo-client-bad-auth + pattern: | + pymongo.MongoClient(..., authMechanism='MONGODB-CR') + message: Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is + no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html + for details). + fix-regex: + regex: MONGODB-CR + replacement: SCRAM-SHA-256 + severity: WARNING + languages: + - python + metadata: + cwe: + - 'CWE-477: Use of Obsolete Function' + category: security + technology: + - pymongo + references: + - https://cwe.mitre.org/data/definitions/477.html + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth + shortlink: https://sg.run/YXRd + semgrep.dev: + rule: + rule_id: d8UlOX + version_id: 2KT1nB + url: https://semgrep.dev/playground/r/2KT1nB/python.pymongo.security.mongodb.mongo-client-bad-auth + origin: community +- id: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor + languages: + - java + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability + category: security + technology: + - snakeyaml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor + shortlink: https://sg.run/L8qY + semgrep.dev: + rule: + rule_id: 6JU67x + version_id: pZTrbj + url: https://semgrep.dev/playground/r/pZTrbj/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor + origin: community + message: Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, + which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) + constructor instead, with SafeConstructor or a custom Constructor as the argument. + patterns: + - pattern: | + $Y = new org.yaml.snakeyaml.Yaml(); + ... + $Y.load(...); + severity: WARNING +- id: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp + message: RegExp() called with a `$ARG` function argument, this might allow an attacker + to cause a Regular Expression Denial-of-Service (ReDoS) within your application + as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded + regexes instead. If your regex is run on user-controlled input, consider performing + input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck + to verify that the regex does not appear vulnerable to ReDoS. + metadata: + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + cwe: + - 'CWE-1333: Inefficient Regular Expression Complexity' + references: + - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js + category: security + technology: + - javascript + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp + shortlink: https://sg.run/gr65 + semgrep.dev: + rule: + rule_id: zdU1gD + version_id: YDTonX + url: https://semgrep.dev/playground/r/YDTonX/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + function ... (...,$ARG,...) {...} + - focus-metavariable: $ARG + pattern-sinks: + - patterns: + - pattern-either: + - pattern: new RegExp($ARG, ...) + - pattern: RegExp($ARG, ...) + - pattern-not: RegExp("...", ...) + - pattern-not: new RegExp("...", ...) + - pattern-not: RegExp(/.../, ...) + - pattern-not: new RegExp(/.../, ...) +- id: ocaml.lang.portability.crlf-support.broken-input-line + pattern: | + input_line + message: '''input_line'' leaves a ''\r'' (CR) character when reading lines from + a Windows text file, whose lines end in "\r\n" (CRLF). This is a problem for any + Windows file that is being read either on a Unix-like platform or on Windows in + binary mode. If the code already takes care of removing any trailing ''\r'' after + reading the line, add a ''(* nosemgrep *)'' comment to disable this warning.' + languages: + - ocaml + severity: WARNING + metadata: + category: portability + technology: + - ocaml + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line + shortlink: https://sg.run/v2gY + semgrep.dev: + rule: + rule_id: DbUKZX + version_id: kbTOJw + url: https://semgrep.dev/playground/r/kbTOJw/ocaml.lang.portability.crlf-support.broken-input-line + origin: community +- id: ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode + pattern: open_in + fix: open_in_bin + message: '''open_in'' behaves differently on Windows and on Unix-like systems with + respect to line endings. To get the same behavior everywhere, use ''open_in_bin'' + or ''open_in_gen [Open_binary]''. If you really want CRLF-to-LF translations to + take place when running on Windows, use ''open_in_gen [Open_text]''.' + languages: + - ocaml + severity: WARNING + metadata: + category: portability + technology: + - ocaml + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode + shortlink: https://sg.run/d0YE + semgrep.dev: + rule: + rule_id: WAUPAJ + version_id: w8TkYl + url: https://semgrep.dev/playground/r/w8TkYl/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode + origin: community +- id: ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode + pattern: open_out + fix: open_out_bin + message: '''open_out'' behaves differently on Windows and on Unix-like systems with + respect to line endings. To get the same behavior everywhere, use ''open_out_bin'' + or ''open_out_gen [Open_binary]''. If you really want LF-to-CRLF translations + to take place when running on Windows, use ''open_out_gen [Open_text]''.' + languages: + - ocaml + severity: WARNING + metadata: + category: portability + technology: + - ocaml + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode + shortlink: https://sg.run/ZkGw + semgrep.dev: + rule: + rule_id: 0oUJY9 + version_id: xyTd6N + url: https://semgrep.dev/playground/r/xyTd6N/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode + origin: community +- id: ocaml.lang.portability.slash-tmp.not-portable-tmp-string + pattern: | + "=~/\/tmp/" + message: You should probably use Filename.get_temp_dirname(). + languages: + - ocaml + severity: WARNING + metadata: + category: portability + technology: + - ocaml + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string + shortlink: https://sg.run/Q4ZZ + semgrep.dev: + rule: + rule_id: zdU100 + version_id: O9Tv1v + url: https://semgrep.dev/playground/r/O9Tv1v/ocaml.lang.portability.slash-tmp.not-portable-tmp-string + origin: community +- id: javascript.express.security.express-data-exfiltration.express-data-exfiltration + message: Depending on the context, user control data in `Object.assign` can cause + web response to include data that it should not have or can lead to a mass assignment + vulnerability. + metadata: + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + references: + - https://en.wikipedia.org/wiki/Mass_assignment_vulnerability + - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + category: security + technology: + - express + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration + shortlink: https://sg.run/pkpL + semgrep.dev: + rule: + rule_id: ReUo60 + version_id: 9lTz5Z + url: https://semgrep.dev/playground/r/9lTz5Z/javascript.express.security.express-data-exfiltration.express-data-exfiltration + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - pattern: Object.assign(...) +- id: javascript.lang.security.insecure-object-assign.insecure-object-assign + message: Depending on the context, user control data in `Object.assign` can cause + web response to include data that it should not have or can lead to a mass assignment + vulnerability. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html + - https://en.wikipedia.org/wiki/Mass_assignment_vulnerability + category: security + technology: + - javascript + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign + shortlink: https://sg.run/2R0D + semgrep.dev: + rule: + rule_id: AbUGOq + version_id: ExTnEW + url: https://semgrep.dev/playground/r/ExTnEW/javascript.lang.security.insecure-object-assign.insecure-object-assign + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: JSON.parse(...) + - pattern-not: JSON.parse("...",...) + pattern-sinks: + - pattern: Object.assign(...) +- id: javascript.express.security.express-vm-injection.express-vm-injection + message: Make sure that unverified user data can not reach `$VM`. + metadata: + owasp: + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - express + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection + shortlink: https://sg.run/jkqJ + semgrep.dev: + rule: + rule_id: DbUKPX + version_id: xyT4p8 + url: https://semgrep.dev/playground/r/xyT4p8/javascript.express.security.express-vm-injection.express-vm-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: | + $VM = require('vm'); + ... + - pattern-either: + - pattern: | + $VM.runInContext(...) + - pattern: | + $VM.runInNewContext(...) + - pattern: | + $VM.compileFunction(...) + - pattern: | + $VM.runInThisContext(...) + - pattern: new $VM.Script(...) +- id: javascript.express.security.express-vm2-injection.express-vm2-injection + message: Make sure that unverified user data can not reach `vm2`. + metadata: + owasp: + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - express + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection + shortlink: https://sg.run/1GWv + semgrep.dev: + rule: + rule_id: WAUPXJ + version_id: O9TydQ + url: https://semgrep.dev/playground/r/O9TydQ/javascript.express.security.express-vm2-injection.express-vm2-injection + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: | + require('vm2') + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + $VM = new VM(...) + ... + - pattern-inside: | + $VM = new NodeVM(...) + ... + - pattern: | + $VM.run(...) + - pattern: | + new VM(...).run(...) + - pattern: | + new NodeVM(...).run(...) + - pattern: | + new VMScript(...) + - pattern: | + new VM(...) + - pattern: new NodeVM(...) +- id: generic.secrets.security.detected-jwt-token.detected-jwt-token + pattern-regex: eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*? + languages: + - regex + message: JWT token detected + severity: ERROR + metadata: + source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py + category: security + technology: + - secrets + - jwt + confidence: LOW + references: + - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + cwe: + - 'CWE-321: Use of Hard-coded Cryptographic Key' + owasp: + - A02:2021 - Cryptographic Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token + shortlink: https://sg.run/05N5 + semgrep.dev: + rule: + rule_id: kxU8E8 + version_id: 9lTzk5 + url: https://semgrep.dev/playground/r/9lTzk5/generic.secrets.security.detected-jwt-token.detected-jwt-token + origin: community +- id: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key + pattern-regex: SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9-]{43}\b + languages: + - regex + message: SendGrid API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/narendrakadali/gitrob/blob/master/rules/contentsignatures.json + category: security + technology: + - secrets + - sendgrid + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key + shortlink: https://sg.run/qqOy + semgrep.dev: + rule: + rule_id: x8U2EG + version_id: ZRTwg1 + url: https://semgrep.dev/playground/r/ZRTwg1/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key + origin: community +- id: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key + pattern-regex: (?i)snyk.{0,50}['|"|`]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"\s]? + languages: + - regex + message: Snyk API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + - snyk + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key + shortlink: https://sg.run/lxO9 + semgrep.dev: + rule: + rule_id: OrUD9J + version_id: 7ZTOpG + url: https://semgrep.dev/playground/r/7ZTOpG/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key + origin: community +- id: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key + pattern-regex: (?i)softlayer.{0,50}["|'|`]?[a-z0-9]{64}["|'|`]? + languages: + - regex + message: SoftLayer API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/softlayer.py + category: security + technology: + - secrets + - softlayer + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key + shortlink: https://sg.run/YXq4 + semgrep.dev: + rule: + rule_id: eqUplZ + version_id: LjT0rO + url: https://semgrep.dev/playground/r/LjT0rO/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key + origin: community +- id: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf + message: User-controllable argument $DATAVAL to $METHOD passed to Axios via internal + handler $INNERFUNC. This could be a server-side request forgery. A user could + call a restricted API or leak internal headers to an unauthorized party. Validate + your user arguments against an allowlist of known URLs, or consider refactoring + so that user-controlled data is not necessary. + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - apollo + - axios + references: + - https://www.cvedetails.com/cve/CVE-2020-28168/ + - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf + shortlink: https://sg.run/jkEZ + semgrep.dev: + rule: + rule_id: AbUGBR + version_id: K3TlJD + url: https://semgrep.dev/playground/r/K3TlJD/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf + origin: community + languages: + - javascript + severity: WARNING + patterns: + - pattern: const $RESPONSE = await axios.request($INNERARG,...) + - pattern-inside: | + Query: { + $METHOD(parent, args, context, info) { + ... + $DATA = args.$DATAVAL + ... + async function $INNERFUNC(...,$INNERARG,...){ + ... + } + ... + return $INNERFUNC(...,$DATA,...) + } + } +- id: javascript.lang.security.audit.code-string-concat.code-string-concat + message: Found data from an Express or Next web request flowing to `eval`. If this + data is user-controllable this can lead to execution of arbitrary system commands + in the context of your application process. Avoid `eval` whenever possible. + metadata: + interfile: true + confidence: HIGH + owasp: + - A03:2021 - Injection + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + references: + - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval + - https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback + - https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/ + - https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html + category: security + technology: + - node.js + - Express + - Next.js + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat + shortlink: https://sg.run/96Yk + semgrep.dev: + rule: + rule_id: DbUKEz + version_id: 0bTveA + url: https://semgrep.dev/playground/r/0bTveA/javascript.lang.security.audit.code-string-concat.code-string-concat + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) + {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + import { ...,$IMPORT,... } from 'next/router' + ... + - pattern-inside: | + import $IMPORT from 'next/router'; + ... + - pattern-either: + - patterns: + - pattern-inside: | + $ROUTER = $IMPORT() + ... + - pattern-either: + - pattern-inside: | + const { ...,$PROPS,... } = $ROUTER.query + ... + - pattern-inside: | + var { ...,$PROPS,... } = $ROUTER.query + ... + - pattern-inside: | + let { ...,$PROPS,... } = $ROUTER.query + ... + - focus-metavariable: $PROPS + - patterns: + - pattern-inside: | + $ROUTER = $IMPORT() + ... + - pattern: "$ROUTER.query.$VALUE \n" + - patterns: + - pattern: $IMPORT().query.$VALUE + pattern-sinks: + - patterns: + - pattern: | + eval(...) +- id: yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled + languages: + - yaml + severity: WARNING + message: Do not set FLASK_ENV to "development" since that sets `debug=True` in Flask. + Use "dev" or a similar term instead. + metadata: + owasp: A06:2017 - Security Misconfiguration + cwe: + - 'CWE-489: Active Debug Code' + references: + - https://flask.palletsprojects.com/en/2.0.x/debugging/ + - https://flask.palletsprojects.com/en/2.0.x/config/#ENV + category: security + technology: + - kubernetes + - flask + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled + shortlink: https://sg.run/y6x8 + semgrep.dev: + rule: + rule_id: WAUP0z + version_id: 5PT6Dr + url: https://semgrep.dev/playground/r/5PT6Dr/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled + origin: community + patterns: + - pattern-inside: | + env: [...] + - pattern: | + {name: FLASK_ENV, value: "development"} + fix-regex: + regex: development + replacement: dev +- id: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli + message: 'Detected string concatenation with a non-literal variable in a `mssql` + JS SQL statement. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. You can use parameterized statements like + so: `$REQ.input(''USER_ID'', mssql.Int, id);`' + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - mssql + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://www.npmjs.com/package/mssql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli + shortlink: https://sg.run/lxlB + semgrep.dev: + rule: + rule_id: kxU8Pd + version_id: l4T5Jx + url: https://semgrep.dev/playground/r/l4T5Jx/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + function ... (...,$FUNC,...) { + ... + } + - focus-metavariable: $FUNC + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('mssql'); + ... + - pattern-inside: | + import 'mssql'; + ... + - pattern-inside: | + $REQ = $POOL.request(...) + ... + - pattern: | + $REQ.query($QUERY,...) + - focus-metavariable: $QUERY +- id: yaml.github-actions.security.run-shell-injection.run-shell-injection + languages: + - yaml + message: 'Using variable interpolation `${{...}}` with `github` context data in + a `run:` step could allow an attacker to inject their own code into the runner. + This would allow them to steal secrets and code. `github` context data can have + arbitrary user input and should be treated as untrusted. Instead, use an intermediate + environment variable with `env:` to store the data and use the environment variable + in the `run:` script. Be sure to use double-quotes the environment variable, like + this: "$ENVVAR".' + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections + - https://securitylab.github.com/research/github-actions-untrusted-input/ + technology: + - github-actions + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection + shortlink: https://sg.run/pkzk + semgrep.dev: + rule: + rule_id: v8UjQj + version_id: QkTJr0 + url: https://semgrep.dev/playground/r/QkTJr0/yaml.github-actions.security.run-shell-injection.run-shell-injection + origin: community + patterns: + - pattern-inside: 'steps: [...]' + - pattern-inside: | + - run: ... + ... + - pattern: 'run: $SHELL' + - metavariable-pattern: + language: generic + metavariable: $SHELL + patterns: + - pattern-either: + - pattern: ${{ github.event.issue.title }} + - pattern: ${{ github.event.issue.body }} + - pattern: ${{ github.event.pull_request.title }} + - pattern: ${{ github.event.pull_request.body }} + - pattern: ${{ github.event.comment.body }} + - pattern: ${{ github.event.review.body }} + - pattern: ${{ github.event.review_comment.body }} + - pattern: ${{ github.event.pages. ... .page_name}} + - pattern: ${{ github.event.head_commit.message }} + - pattern: ${{ github.event.head_commit.author.email }} + - pattern: ${{ github.event.head_commit.author.name }} + - pattern: ${{ github.event.commits ... .author.email }} + - pattern: ${{ github.event.commits ... .author.name }} + - pattern: ${{ github.event.pull_request.head.ref }} + - pattern: ${{ github.event.pull_request.head.label }} + - pattern: ${{ github.event.pull_request.head.repo.default_branch }} + - pattern: ${{ github.head_ref }} + - pattern: ${{ github.event.inputs ... }} + severity: ERROR +- id: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + languages: + - yaml + message: This GitHub Actions workflow file uses `pull_request_target` and checks + out code from the incoming pull request. When using `pull_request_target`, the + Action runs in the context of the target repository, which includes access to + all repository secrets. Normally, this is safe because the Action only runs code + from the target repository, not the incoming PR. However, by checking out the + incoming PR code, you're now using the incoming code for the rest of the action. + You may be inadvertently executing arbitrary code from the incoming PR with access + to repository secrets, which would let an attacker steal repository secrets. This + normally happens by running build scripts (e.g., `npm build` and `make`) or dependency + installation scripts (e.g., `python setup.py install`). Audit your workflow file + to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + for additional mitigations. + metadata: + category: security + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' + references: + - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md + technology: + - github-actions + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + shortlink: https://sg.run/jkdn + semgrep.dev: + rule: + rule_id: d8Ulkd + version_id: gETq2e + url: https://semgrep.dev/playground/r/gETq2e/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + origin: community + patterns: + - pattern-either: + - pattern-inside: | + on: + ... + pull_request_target: ... + ... + ... + - pattern-inside: | + on: [..., pull_request_target, ...] + ... + - pattern-inside: | + on: pull_request_target + ... + - pattern-inside: | + jobs: + ... + $JOBNAME: + ... + steps: + ... + - pattern: | + ... + uses: "$ACTION" + with: + ... + ref: $EXPR + - metavariable-regex: + metavariable: $ACTION + regex: actions/checkout@.* + - metavariable-pattern: + language: generic + metavariable: $EXPR + patterns: + - pattern: ${{ github.event.pull_request ... }} + severity: WARNING +- id: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop + message: 'Possibility of prototype polluting function detected. By adding or modifying + attributes of an object prototype, it is possible to create attributes that exist + on every object, or replace critical attributes with malicious ones. This can + be problematic if the software depends on existence or non-existence of certain + attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, + toString or valueOf). Possible mitigations might be: freezing the object prototype, + using an object without prototypes (via Object.create(null) ), blocking modifications + of attributes that resolve to object prototype, using Map instead of object.' + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + category: security + references: + - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf + technology: + - typescript + owasp: + - A08:2021 - Software and Data Integrity Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop + shortlink: https://sg.run/w1DB + semgrep.dev: + rule: + rule_id: QrUpbJ + version_id: 0bTvKr + url: https://semgrep.dev/playground/r/0bTvKr/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop + origin: community + languages: + - typescript + - javascript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $SMTH = $SMTH[$A] + - pattern: | + $SMTH = $SMTH[$A] = ... + - pattern: | + $SMTH = $SMTH[$A] && $Z + - pattern: | + $SMTH = $SMTH[$A] || $Z + - pattern-either: + - pattern-inside: | + for(...) { + ... + } + - pattern-inside: | + while(...) { + ... + } + - pattern-inside: | + $X.forEach(function $NAME(...) { + ... + }) + - pattern-not-inside: | + for(var $A = $S; ...; ...) {...} + - pattern-not-inside: | + for($A = $S; ...; ...) {...} + - pattern-not-inside: | + $X.forEach(function $NAME($OBJ, $A,...) {...}) + - metavariable-pattern: + patterns: + - pattern-not: '"..."' + - pattern-not: | + `...${...}...` + - pattern-not: | + ($A: float) + metavariable: $A +- id: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands + languages: + - yaml + severity: WARNING + message: The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this + workflow permissions to use the `set-env` and `add-path` commands. There is a + vulnerability in these commands that could result in environment variables being + modified by an attacker. Depending on the use of the environment variable, this + could enable an attacker to, at worst, modify the system path to run a different + command than intended, resulting in arbitrary code execution. This could result + in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, + use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files + for more information. + metadata: + cwe: + - 'CWE-749: Exposed Dangerous Method or Function' + owasp: A06:2017 - Security Misconfiguration + references: + - https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ + - https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w + - https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files + category: security + technology: + - github-actions + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands + shortlink: https://sg.run/qq78 + semgrep.dev: + rule: + rule_id: EwUQ9x + version_id: 7ZTO9W + url: https://semgrep.dev/playground/r/7ZTO9W/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands + origin: community + patterns: + - pattern-either: + - patterns: + - pattern-inside: '{env: ...}' + - pattern: 'ACTIONS_ALLOW_UNSECURE_COMMANDS: true' +- id: json.aws.security.public-s3-bucket.public-s3-bucket + languages: + - json + message: Detected public S3 bucket. This policy allows anyone to have some kind + of access to the bucket. The exact level of access and types of actions allowed + will depend on the configuration of bucket policy and ACLs. Please review the + bucket configuration to make sure they are set with intended values. + metadata: + category: security + cwe: + - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + owasp: + - A01:2021 - Broken Access Control + references: + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html + technology: + - aws + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket + shortlink: https://sg.run/lxv5 + semgrep.dev: + rule: + rule_id: 7KUpLy + version_id: NdT1Z0 + url: https://semgrep.dev/playground/r/NdT1Z0/json.aws.security.public-s3-bucket.public-s3-bucket + origin: community + patterns: + - pattern-inside: | + $BUCKETNAME: { + "Type": "AWS::S3::Bucket", + "Properties": { + ..., + }, + ..., + } + - pattern-either: + - pattern: | + "PublicAccessBlockConfiguration": { + ..., + "RestrictPublicBuckets": false, + ..., + }, + - pattern: | + "PublicAccessBlockConfiguration": { + ..., + "IgnorePublicAcls": false, + ..., + }, + - pattern: | + "PublicAccessBlockConfiguration": { + ..., + "BlockPublicAcls": false, + ..., + }, + - pattern: | + "PublicAccessBlockConfiguration": { + ..., + "BlockPublicPolicy": false, + ..., + }, + severity: WARNING +- id: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization + message: '`$STR.replace` method will only replace the first occurrence when used + with a string argument ($CHAR). If this method is used for escaping of dangerous + data then there is a possibility for a bypass. Try to use sanitization library + instead or use a Regex with a global flag.' + metadata: + cwe: + - 'CWE-116: Improper Encoding or Escaping of Output' + category: security + technology: + - javascript + owasp: + - A03:2021 - Injection + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Encoding + source: https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization + shortlink: https://sg.run/1GbQ + semgrep.dev: + rule: + rule_id: d8UlRq + version_id: GxT2kj + url: https://semgrep.dev/playground/r/GxT2kj/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern: | + $STR.replace(($CHAR: string), ...) + - metavariable-regex: + metavariable: $CHAR + regex: ^[\"\']([\'\"\<\>\*\|\{\}\[\]\%\$]{1}|\\n|\\r|\\t|\\&)[\"\']$ +- id: csharp.razor.security.html-raw-json.html-raw-json + patterns: + - pattern-either: + - pattern: '@Html.Raw(Json.Encode(...))' + - pattern: '@Html.Raw(JsonConvert.SerializeObject(...))' + - pattern: '@Html.Raw(...ToJson(...))' + message: Unencoded JSON in HTML context is vulnerable to cross-site scripting, because + `` is not properly encoded. + languages: + - generic + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + category: security + technology: + - razor + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json + shortlink: https://sg.run/P86E + semgrep.dev: + rule: + rule_id: lBUzPw + version_id: kbT7dG + url: https://semgrep.dev/playground/r/kbT7dG/csharp.razor.security.html-raw-json.html-raw-json + origin: community + paths: + include: + - '*.cshtml' + severity: ERROR +- id: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges + pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } + - patterns: + - pattern: | + {..., Action = "*", ...} + - pattern: | + {..., Resource = "*", ...} + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } + - patterns: + - pattern: | + {..., resources = ["*"], ...} + - pattern: | + {..., actions = ["*"], ...} + message: IAM policies that allow full "*-*" admin privileges violates the principle + of least privilege. This allows an attacker to take full control over all AWS + account resources. Instead, give each user more fine-grained control with only + the privileges they need. $TYPE + metadata: + references: + - https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py + category: security + cwe: + - 'CWE-269: Improper Privilege Management' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges + shortlink: https://sg.run/oY0N + semgrep.dev: + rule: + rule_id: NbUNDX + version_id: vdT27p + url: https://semgrep.dev/playground/r/vdT27p/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern: | + Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern: | + actions = [..., $ACTION, ...] + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - pattern: | + "chime:CreateApiKey" + - pattern: | + "codepipeline:PollForJobs" + - pattern: | + "cognito-identity:GetOpenIdToken" + - pattern: | + "cognito-identity:GetOpenIdTokenForDeveloperEdentity" + - pattern: | + "cognito-identity:GetCredentialsForIdentity" + - pattern: | + "connect:GetFederationToken" + - pattern: | + "connect:GetFederationTokens" + - pattern: | + "ec2:GetPasswordData" + - pattern: | + "ecr:GetAuthorizationToken" + - pattern: | + "gamelift:RequestUploadCredentials" + - pattern: | + "iam:CreateAccessKey" + - pattern: | + "iam:CreateLoginProfile" + - pattern: | + "iam:CreateServiceSpecificCredential" + - pattern: | + "iam:ResetServiceSpecificCredential" + - pattern: | + "iam:UpdateAccessKey" + - pattern: | + "lightsail:GetInstanceAccessDetails" + - pattern: | + "lightsail:GetRelationalDatabaseMasterUserPassword" + - pattern: | + "rds-db:Connect" + - pattern: | + "redshift:GetClusterCredentials" + - pattern: | + "sso:GetRoleCredentials" + - pattern: | + "mediapackage:RotateChannelCredentials" + - pattern: | + "mediapackage:RotateIngestEndpointCredentials" + - pattern: | + "sts:AssumeRole" + - pattern: | + "sts:AssumeRoleWithSaml" + - pattern: | + "sts:AssumeRoleWithWebIdentity" + - pattern: | + "sts:GetFederationToken" + - pattern: | + "sts:GetSessionToken" + - pattern: | + "ec2:*" + - pattern: | + "codepipeline:*" + - pattern: | + "rds-db:*" + - pattern: | + "connect:*" + - pattern: | + "iam:*" + - pattern: | + "ecr:*" + - pattern: | + "sts:*" + - pattern: | + "chime:*" + - pattern: | + "mediapackage:*" + - pattern: | + "redshift:*" + - pattern: | + "gamelift:*" + - pattern: | + "cognito-identity:*" + - pattern: | + "lightsail:*" + - pattern: | + "sso:*" + message: Ensure IAM policies don't allow credentials exposure. Credentials exposure + actions return credentials as part of the API response, and can possibly lead + to leaking important credentials. Instead, use another action that doesn't return + sensitive data as part of the API response. + metadata: + references: + - https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/ + - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py + category: security + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure + shortlink: https://sg.run/zxY1 + semgrep.dev: + rule: + rule_id: kxUwK2 + version_id: d6TDdj + url: https://semgrep.dev/playground/r/d6TDdj/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Resource = "*" ...}, + ... + ] + ... + }) + ... + } + - pattern: | + Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + resources = ["*"] + ... + } + ... + } + - pattern: | + actions = [..., $ACTION, ...] + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - pattern: | + "s3:GetObject" + - pattern: | + "ssm:GetParameter*" + - pattern: | + "secretsmanager:GetSecretValue" + - pattern: | + "rds:CopyDBSnapshot" + - pattern: | + "rds:CreateDBSnapshot" + - pattern: | + "ssm:*" + - pattern: | + "s3:*" + - pattern: | + "rds:*" + - pattern: | + "rn: secretsmanager:*" + message: Ensure that IAM policies don't allow data exfiltration actions that are + not resource-constrained. This can allow the user to read sensitive data they + don't need to read. Instead, make sure that the user granted these privileges + are given these permissions on specific resources. + metadata: + references: + - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py + - https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/ + category: security + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration + shortlink: https://sg.run/pYrN + semgrep.dev: + rule: + rule_id: wdUj1k + version_id: ZRTwYq + url: https://semgrep.dev/playground/r/ZRTwYq/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern: Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern: | + actions = [..., $ACTION, ...] + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - pattern: | + "iam:AddUserToGroup" + - pattern: | + "iam:CreatePolicyVersion" + - pattern: | + "iam:SetDefaultPolicyVersion" + - pattern: | + "iam:AttachUserPolicy" + - pattern: | + "iam:AttachGroupPolicy" + - pattern: | + "iam:AttachRolePolicy" + - pattern: | + "iam:PutUserPolicy" + - pattern: | + "iam:PutGroupPolicy" + - pattern: | + "iam:PutRolePolicy" + - pattern: | + "glue:UpdateDevEndpoint" + - pattern: | + "iam:*" + - pattern: | + "glue:*" + message: Ensure that actions that can result in privilege escalation are not used. + These actions could potentially result in an attacker gaining full administrator + access of an AWS account. Try not to use these actions. + metadata: + references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ + category: security + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs + shortlink: https://sg.run/28y5 + semgrep.dev: + rule: + rule_id: x8UxLq + version_id: nWT7gr + url: https://semgrep.dev/playground/r/nWT7gr/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Resource = $RESOURCE ...}, + ... + ] + ... + }) + ... + } + - pattern: | + Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + resources = $RESOURCE + ... + } + ... + } + - pattern: | + actions = [..., $ACTION, ...] + - metavariable-pattern: + metavariable: $RESOURCE + pattern-either: + - pattern-regex: .*\*.* + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - pattern: | + "iam:CreateAccessKey" + - pattern: | + "iam:CreateLoginProfile" + - pattern: | + "iam:UpdateLoginProfile" + - pattern: | + "iam:*" + message: Ensure that IAM policies with permissions on other users don't allow for + privilege escalation. This can lead to an attacker gaining full administrator + access of AWS accounts. Instead, specify which user the permission should be used + on or do not use the listed actions. $RESOURCE + metadata: + references: + - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ + - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py + category: security + cwe: + - 'CWE-269: Improper Privilege Management' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users + shortlink: https://sg.run/XOeA + semgrep.dev: + rule: + rule_id: OrU6jO + version_id: ExTn0K + url: https://semgrep.dev/playground/r/ExTn0K/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern: | + Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern: | + actions = $ACTION + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - patterns: + - pattern: | + [..., "sts:AssumeRole", ...] + - pattern: | + [..., "iam:UpdateAssumeRolePolicy", ...] + - patterns: + - pattern: | + [..., "iam:PassRole", ...] + - pattern: | + [..., "lambda:CreateFunction", ...] + - pattern: | + [..., "lambda:InvokeFunction", ...] + - patterns: + - pattern: | + [..., "iam:PassRole", ...] + - pattern: | + [..., "lambda:CreateFunction", ...] + - pattern: | + [..., "lambda:CreateEventSourceMapping", ...] + - pattern: | + "lambda:UpdateFunctionCode" + - patterns: + - pattern: | + [..., "iam:PassRole", ...] + - pattern: | + [..., "glue:CreateDevEndpoint", ...] + - patterns: + - pattern: | + [..., "iam:PassRole", ...] + - pattern: | + [..., "cloudformation:CreateStack", ...] + - patterns: + - pattern: | + [..., "iam:PassRole", ...] + - pattern: | + [..., "datapipeline:CreatePipeline", ...] + - pattern: | + [..., "datapipeline:PutPipelineDefinition", ...] + message: Ensure that groups of actions that include iam:PassRole and could result + in privilege escalation are not all allowed for the same user. These actions could + result in an attacker gaining full admin access of an AWS account. Try not to + use these actions in conjuction. + metadata: + references: + - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + category: security + cwe: + - 'CWE-269: Improper Privilege Management' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles + shortlink: https://sg.run/jwrA + semgrep.dev: + rule: + rule_id: eqUzR3 + version_id: 7ZTO4W + url: https://semgrep.dev/playground/r/7ZTO4W/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern: | + Action = $ACTION + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern: | + actions = [..., $ACTION, ...] + - metavariable-pattern: + metavariable: $ACTION + pattern-either: + - pattern: | + "acm-pca:CreatePermission" + - pattern: | + "acm-pca:DeletePermission" + - pattern: | + "acm-pca:DeletePolicy" + - pattern: | + "acm-pca:PutPolicy" + - pattern: | + "apigateway:UpdateRestApiPolicy" + - pattern: | + "backup:DeleteBackupVaultAccessPolicy" + - pattern: | + "backup:PutBackupVaultAccessPolicy" + - pattern: | + "chime:DeleteVoiceConnectorTerminationCredentials" + - pattern: | + "chime:PutVoiceConnectorTerminationCredentials" + - pattern: | + "cloudformation:SetStackPolicy" + - pattern: | + "cloudsearch:UpdateServiceAccessPolicies" + - pattern: | + "codeartifact:DeleteDomainPermissionsPolicy" + - pattern: | + "codeartifact:DeleteRepositoryPermissionsPolicy" + - pattern: | + "codebuild:DeleteResourcePolicy" + - pattern: | + "codebuild:DeleteSourceCredentials" + - pattern: | + "codebuild:ImportSourceCredentials" + - pattern: | + "codebuild:PutResourcePolicy" + - pattern: | + "codeguru-profiler:PutPermission" + - pattern: | + "codeguru-profiler:RemovePermission" + - pattern: | + "codestar:AssociateTeamMember" + - pattern: | + "codestar:CreateProject" + - pattern: | + "codestar:DeleteProject" + - pattern: | + "codestar:DisassociateTeamMember" + - pattern: | + "codestar:UpdateTeamMember" + - pattern: | + "cognito-identity:CreateIdentityPool" + - pattern: | + "cognito-identity:DeleteIdentities" + - pattern: | + "cognito-identity:DeleteIdentityPool" + - pattern: | + "cognito-identity:GetId" + - pattern: | + "cognito-identity:MergeDeveloperIdentities" + - pattern: | + "cognito-identity:SetIdentityPoolRoles" + - pattern: | + "cognito-identity:UnlinkDeveloperIdentity" + - pattern: | + "cognito-identity:UnlinkIdentity" + - pattern: | + "cognito-identity:UpdateIdentityPool" + - pattern: | + "deeplens:AssociateServiceRoleToAccount" + - pattern: | + "ds:CreateConditionalForwarder" + - pattern: | + "ds:CreateDirectory" + - pattern: | + "ds:CreateMicrosoftAD" + - pattern: | + "ds:CreateTrust" + - pattern: | + "ds:ShareDirectory" + - pattern: | + "ec2:CreateNetworkInterfacePermission" + - pattern: | + "ec2:DeleteNetworkInterfacePermission" + - pattern: | + "ec2:ModifySnapshotAttribute" + - pattern: | + "ec2:ModifyVpcEndpointServicePermissions" + - pattern: | + "ec2:ResetSnapshotAttribute" + - pattern: | + "ecr:DeleteRepositoryPolicy" + - pattern: | + "ecr:SetRepositoryPolicy" + - pattern: | + "elasticfilesystem:DeleteFileSystemPolicy" + - pattern: | + "elasticfilesystem:PutFileSystemPolicy" + - pattern: | + "elasticmapreduce:PutBlockPublicAccessConfiguration" + - pattern: | + "es:CreateElasticsearchDomain" + - pattern: | + "es:UpdateElasticsearchDomainConfig" + - pattern: | + "glacier:AbortVaultLock" + - pattern: | + "glacier:CompleteVaultLock" + - pattern: | + "glacier:DeleteVaultAccessPolicy" + - pattern: | + "glacier:InitiateVaultLock" + - pattern: | + "glacier:SetDataRetrievalPolicy" + - pattern: | + "glacier:SetVaultAccessPolicy" + - pattern: | + "glue:DeleteResourcePolicy" + - pattern: | + "glue:PutResourcePolicy" + - pattern: | + "greengrass:AssociateServiceRoleToAccount" + - pattern: | + "health:DisableHealthServiceAccessForOrganization" + - pattern: | + "health:EnableHealthServiceAccessForOrganization" + - pattern: | + "iam:AddClientIDToOpenIDConnectProvider" + - pattern: | + "iam:AddRoleToInstanceProfile" + - pattern: | + "iam:AddUserToGroup" + - pattern: | + "iam:AttachGroupPolicy" + - pattern: | + "iam:AttachRolePolicy" + - pattern: | + "iam:AttachUserPolicy" + - pattern: | + "iam:ChangePassword" + - pattern: | + "iam:CreateAccessKey" + - pattern: | + "iam:CreateAccountAlias" + - pattern: | + "iam:CreateGroup" + - pattern: | + "iam:CreateInstanceProfile" + - pattern: | + "iam:CreateLoginProfile" + - pattern: | + "iam:CreateOpenIDConnectProvider" + - pattern: | + "iam:CreatePolicy" + - pattern: | + "iam:CreatePolicyVersion" + - pattern: | + "iam:CreateRole" + - pattern: | + "iam:CreateSAMLProvider" + - pattern: | + "iam:CreateServiceLinkedRole" + - pattern: | + "iam:CreateServiceSpecificCredential" + - pattern: | + "iam:CreateUser" + - pattern: | + "iam:CreateVirtualMFADevice" + - pattern: | + "iam:DeactivateMFADevice" + - pattern: | + "iam:DeleteAccessKey" + - pattern: | + "iam:DeleteAccountAlias" + - pattern: | + "iam:DeleteAccountPasswordPolicy" + - pattern: | + "iam:DeleteGroup" + - pattern: | + "iam:DeleteGroupPolicy" + - pattern: | + "iam:DeleteInstanceProfile" + - pattern: | + "iam:DeleteLoginProfile" + - pattern: | + "iam:DeleteOpenIDConnectProvider" + - pattern: | + "iam:DeletePolicy" + - pattern: | + "iam:DeletePolicyVersion" + - pattern: | + "iam:DeleteRole" + - pattern: | + "iam:DeleteRolePermissionsBoundary" + - pattern: | + "iam:DeleteRolePolicy" + - pattern: | + "iam:DeleteSAMLProvider" + - pattern: | + "iam:DeleteSSHPublicKey" + - pattern: | + "iam:DeleteServerCertificate" + - pattern: | + "iam:DeleteServiceLinkedRole" + - pattern: | + "iam:DeleteServiceSpecificCredential" + - pattern: | + "iam:DeleteSigningCertificate" + - pattern: | + "iam:DeleteUser" + - pattern: | + "iam:DeleteUserPermissionsBoundary" + - pattern: | + "iam:DeleteUserPolicy" + - pattern: | + "iam:DeleteVirtualMFADevice" + - pattern: | + "iam:DetachGroupPolicy" + - pattern: | + "iam:DetachRolePolicy" + - pattern: | + "iam:DetachUserPolicy" + - pattern: | + "iam:EnableMFADevice" + - pattern: | + "iam:PassRole" + - pattern: | + "iam:PutGroupPolicy" + - pattern: | + "iam:PutRolePermissionsBoundary" + - pattern: | + "iam:PutRolePolicy" + - pattern: | + "iam:PutUserPermissionsBoundary" + - pattern: | + "iam:PutUserPolicy" + - pattern: | + "iam:RemoveClientIDFromOpenIDConnectProvider" + - pattern: | + "iam:RemoveRoleFromInstanceProfile" + - pattern: | + "iam:RemoveUserFromGroup" + - pattern: | + "iam:ResetServiceSpecificCredential" + - pattern: | + "iam:ResyncMFADevice" + - pattern: | + "iam:SetDefaultPolicyVersion" + - pattern: | + "iam:SetSecurityTokenServicePreferences" + - pattern: | + "iam:UpdateAccessKey" + - pattern: | + "iam:UpdateAccountPasswordPolicy" + - pattern: | + "iam:UpdateAssumeRolePolicy" + - pattern: | + "iam:UpdateGroup" + - pattern: | + "iam:UpdateLoginProfile" + - pattern: | + "iam:UpdateOpenIDConnectProviderThumbprint" + - pattern: | + "iam:UpdateRole" + - pattern: | + "iam:UpdateRoleDescription" + - pattern: | + "iam:UpdateSAMLProvider" + - pattern: | + "iam:UpdateSSHPublicKey" + - pattern: | + "iam:UpdateServerCertificate" + - pattern: | + "iam:UpdateServiceSpecificCredential" + - pattern: | + "iam:UpdateSigningCertificate" + - pattern: | + "iam:UpdateUser" + - pattern: | + "iam:UploadSSHPublicKey" + - pattern: | + "iam:UploadServerCertificate" + - pattern: | + "iam:UploadSigningCertificate" + - pattern: | + "imagebuilder:PutComponentPolicy" + - pattern: | + "imagebuilder:PutImagePolicy" + - pattern: | + "imagebuilder:PutImageRecipePolicy" + - pattern: | + "iot:AttachPolicy" + - pattern: | + "iot:AttachPrincipalPolicy" + - pattern: | + "iot:DetachPolicy" + - pattern: | + "iot:DetachPrincipalPolicy" + - pattern: | + "iot:SetDefaultAuthorizer" + - pattern: | + "iot:SetDefaultPolicyVersion" + - pattern: | + "iotsitewise:CreateAccessPolicy" + - pattern: | + "iotsitewise:DeleteAccessPolicy" + - pattern: | + "iotsitewise:UpdateAccessPolicy" + - pattern: | + "kms:CreateGrant" + - pattern: | + "kms:PutKeyPolicy" + - pattern: | + "kms:RetireGrant" + - pattern: | + "kms:RevokeGrant" + - pattern: | + "lakeformation:BatchGrantPermissions" + - pattern: | + "lakeformation:BatchRevokePermissions" + - pattern: | + "lakeformation:GrantPermissions" + - pattern: | + "lakeformation:PutDataLakeSettings" + - pattern: | + "lakeformation:RevokePermissions" + - pattern: | + "lambda:AddLayerVersionPermission" + - pattern: | + "lambda:AddPermission" + - pattern: | + "lambda:DisableReplication" + - pattern: | + "lambda:EnableReplication" + - pattern: | + "lambda:RemoveLayerVersionPermission" + - pattern: | + "lambda:RemovePermission" + - pattern: | + "license-manager:UpdateServiceSettings" + - pattern: | + "lightsail:GetRelationalDatabaseMasterUserPassword" + - pattern: | + "logs:DeleteResourcePolicy" + - pattern: | + "logs:PutResourcePolicy" + - pattern: | + "mediapackage:RotateIngestEndpointCredentials" + - pattern: | + "mediastore:DeleteContainerPolicy" + - pattern: | + "mediastore:PutContainerPolicy" + - pattern: | + "opsworks:SetPermission" + - pattern: | + "opsworks:UpdateUserProfile" + - pattern: | + "quicksight:CreateAdmin" + - pattern: | + "quicksight:CreateGroup" + - pattern: | + "quicksight:CreateGroupMembership" + - pattern: | + "quicksight:CreateIAMPolicyAssignment" + - pattern: | + "quicksight:CreateUser" + - pattern: | + "quicksight:DeleteGroup" + - pattern: | + "quicksight:DeleteGroupMembership" + - pattern: | + "quicksight:DeleteIAMPolicyAssignment" + - pattern: | + "quicksight:DeleteUser" + - pattern: | + "quicksight:DeleteUserByPrincipalId" + - pattern: | + "quicksight:RegisterUser" + - pattern: | + "quicksight:UpdateDashboardPermissions" + - pattern: | + "quicksight:UpdateGroup" + - pattern: | + "quicksight:UpdateIAMPolicyAssignment" + - pattern: | + "quicksight:UpdateTemplatePermissions" + - pattern: | + "quicksight:UpdateUser" + - pattern: | + "ram:AcceptResourceShareInvitation" + - pattern: | + "ram:AssociateResourceShare" + - pattern: | + "ram:CreateResourceShare" + - pattern: | + "ram:DeleteResourceShare" + - pattern: | + "ram:DisassociateResourceShare" + - pattern: | + "ram:EnableSharingWithAwsOrganization" + - pattern: | + "ram:RejectResourceShareInvitation" + - pattern: | + "ram:UpdateResourceShare" + - pattern: | + "rds:AuthorizeDBSecurityGroupIngress" + - pattern: | + "rds-db:connect" + - pattern: | + "redshift:AuthorizeSnapshotAccess" + - pattern: | + "redshift:CreateClusterUser" + - pattern: | + "redshift:CreateSnapshotCopyGrant" + - pattern: | + "redshift:JoinGroup" + - pattern: | + "redshift:ModifyClusterIamRoles" + - pattern: | + "redshift:RevokeSnapshotAccess" + - pattern: | + "route53resolver:PutResolverRulePolicy" + - pattern: | + "s3:BypassGovernanceRetention" + - pattern: | + "s3:DeleteAccessPointPolicy" + - pattern: | + "s3:DeleteBucketPolicy" + - pattern: | + "s3:ObjectOwnerOverrideToBucketOwner" + - pattern: | + "s3:PutAccessPointPolicy" + - pattern: | + "s3:PutAccountPublicAccessBlock" + - pattern: | + "s3:PutBucketAcl" + - pattern: | + "s3:PutBucketPolicy" + - pattern: | + "s3:PutBucketPublicAccessBlock" + - pattern: | + "s3:PutObjectAcl" + - pattern: | + "s3:PutObjectVersionAcl" + - pattern: | + "secretsmanager:DeleteResourcePolicy" + - pattern: | + "secretsmanager:PutResourcePolicy" + - pattern: | + "secretsmanager:ValidateResourcePolicy" + - pattern: | + "servicecatalog:CreatePortfolioShare" + - pattern: | + "servicecatalog:DeletePortfolioShare" + - pattern: | + "sns:AddPermission" + - pattern: | + "sns:CreateTopic" + - pattern: | + "sns:RemovePermission" + - pattern: | + "sns:SetTopicAttributes" + - pattern: | + "sqs:AddPermission" + - pattern: | + "sqs:CreateQueue" + - pattern: | + "sqs:RemovePermission" + - pattern: | + "sqs:SetQueueAttributes" + - pattern: | + "ssm:ModifyDocumentPermission" + - pattern: | + "sso:AssociateDirectory" + - pattern: | + "sso:AssociateProfile" + - pattern: | + "sso:CreateApplicationInstance" + - pattern: | + "sso:CreateApplicationInstanceCertificate" + - pattern: | + "sso:CreatePermissionSet" + - pattern: | + "sso:CreateProfile" + - pattern: | + "sso:CreateTrust" + - pattern: | + "sso:DeleteApplicationInstance" + - pattern: | + "sso:DeleteApplicationInstanceCertificate" + - pattern: | + "sso:DeletePermissionSet" + - pattern: | + "sso:DeletePermissionsPolicy" + - pattern: | + "sso:DeleteProfile" + - pattern: | + "sso:DisassociateDirectory" + - pattern: | + "sso:DisassociateProfile" + - pattern: | + "sso:ImportApplicationInstanceServiceProviderMetadata" + - pattern: | + "sso:PutPermissionsPolicy" + - pattern: | + "sso:StartSSO" + - pattern: | + "sso:UpdateApplicationInstanceActiveCertificate" + - pattern: | + "sso:UpdateApplicationInstanceDisplayData" + - pattern: | + "sso:UpdateApplicationInstanceResponseConfiguration" + - pattern: | + "sso:UpdateApplicationInstanceResponseSchemaConfiguration" + - pattern: | + "sso:UpdateApplicationInstanceSecurityConfiguration" + - pattern: | + "sso:UpdateApplicationInstanceServiceProviderConfiguration" + - pattern: | + "sso:UpdateApplicationInstanceStatus" + - pattern: | + "sso:UpdateDirectoryAssociation" + - pattern: | + "sso:UpdatePermissionSet" + - pattern: | + "sso:UpdateProfile" + - pattern: | + "sso:UpdateSSOConfiguration" + - pattern: | + "sso:UpdateTrust" + - pattern: | + "sso-directory:AddMemberToGroup" + - pattern: | + "sso-directory:CreateAlias" + - pattern: | + "sso-directory:CreateGroup" + - pattern: | + "sso-directory:CreateUser" + - pattern: | + "sso-directory:DeleteGroup" + - pattern: | + "sso-directory:DeleteUser" + - pattern: | + "sso-directory:DisableUser" + - pattern: | + "sso-directory:EnableUser" + - pattern: | + "sso-directory:RemoveMemberFromGroup" + - pattern: | + "sso-directory:UpdateGroup" + - pattern: | + "sso-directory:UpdatePassword" + - pattern: | + "sso-directory:UpdateUser" + - pattern: | + "sso-directory:VerifyEmail" + - pattern: | + "storagegateway:DeleteChapCredentials" + - pattern: | + "storagegateway:SetLocalConsolePassword" + - pattern: | + "storagegateway:SetSMBGuestPassword" + - pattern: | + "storagegateway:UpdateChapCredentials" + - pattern: | + "waf:DeletePermissionPolicy" + - pattern: | + "waf:PutPermissionPolicy" + - pattern: | + "waf-regional:DeletePermissionPolicy" + - pattern: | + "waf-regional:PutPermissionPolicy" + - pattern: | + "wafv2:CreateWebACL" + - pattern: | + "wafv2:DeletePermissionPolicy" + - pattern: | + "wafv2:DeleteWebACL" + - pattern: | + "wafv2:PutPermissionPolicy" + - pattern: | + "wafv2:UpdateWebACL" + - pattern: | + "worklink:UpdateDevicePolicyConfiguration" + - pattern: | + "workmail:ResetPassword" + - pattern: | + "workmail:ResetUserPassword" + - pattern: | + "xray:PutEncryptionConfig" + - pattern: | + "worklink:*" + - pattern: | + "route53resolver:*" + - pattern: | + "es:*" + - pattern: | + "greengrass:*" + - pattern: | + "redshift:*" + - pattern: | + "license-manager:*" + - pattern: | + "rds:*" + - pattern: | + "lambda:*" + - pattern: | + "elasticfilesystem:*" + - pattern: | + "logs:*" + - pattern: | + "sso:*" + - pattern: | + "waf:*" + - pattern: | + "mediastore:*" + - pattern: | + "acm-pca:*" + - pattern: | + "sso-directory:*" + - pattern: | + "imagebuilder:*" + - pattern: | + "sqs:*" + - pattern: | + "codeguru-profiler:*" + - pattern: | + "wafv2:*" + - pattern: | + "cloudformation:*" + - pattern: | + "xray:*" + - pattern: | + "codeartifact:*" + - pattern: | + "iotsitewise:*" + - pattern: | + "workmail:*" + - pattern: | + "glue:*" + - pattern: | + "deeplens:*" + - pattern: | + "chime:*" + - pattern: | + "mediapackage:*" + - pattern: | + "opsworks:*" + - pattern: | + "ds:*" + - pattern: | + "ram:*" + - pattern: | + "iam:*" + - pattern: | + "waf-regional:*" + - pattern: | + "glacier:*" + - pattern: | + "cloudsearch:*" + - pattern: | + "lakeformation:*" + - pattern: | + "elasticmapreduce:*" + - pattern: | + "quicksight:*" + - pattern: | + "sns:*" + - pattern: | + "ec2:*" + - pattern: | + "health:*" + - pattern: | + "lightsail:*" + - pattern: | + "codestar:*" + - pattern: | + "kms:*" + - pattern: | + "codebuild:*" + - pattern: | + "s3:*" + - pattern: | + "cognito-identity:*" + - pattern: | + "apigateway:*" + - pattern: | + "rds-db:*" + - pattern: | + "iot:*" + - pattern: | + "backup:*" + - pattern: | + "secretsmanager:*" + - pattern: | + "servicecatalog:*" + - pattern: | + "ssm:*" + - pattern: | + "storagegateway:*" + - pattern: | + "ecr:*" + message: Ensure IAM policies don't allow resource exposure. These actions can expose + AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an + attacker retrieve container images. Instead, use another action that doesn't expose + AWS resources. + metadata: + references: + - https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/ + - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py + category: security + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure + shortlink: https://sg.run/18rD + semgrep.dev: + rule: + rule_id: v8U9r0 + version_id: LjT08E + url: https://semgrep.dev/playground/r/LjT08E/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ... + ] + ... + }) + ... + } + - pattern-either: + - pattern: Action = "*" + - pattern: Action = ["*"] + - metavariable-pattern: + metavariable: $TYPE + pattern-either: + - pattern: | + "aws_iam_role_policy" + - pattern: | + "aws_iam_policy" + - pattern: | + "aws_iam_user_policy" + - pattern: | + "aws_iam_group_policy" + - patterns: + - pattern-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + } + ... + } + - pattern: | + actions = ["*"] + message: Ensure that no IAM policies allow "*" as a statement's actions. This allows + all actions to be performed on the specified resources, and is a violation of + the principle of least privilege. Instead, specify the actions that a certain + user or policy is allowed to take. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy + - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py + category: security + cwe: + - 'CWE-269: Improper Privilege Management' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + technology: + - terraform + - aws + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions + shortlink: https://sg.run/9rZ4 + semgrep.dev: + rule: + rule_id: d8Uew3 + version_id: 8KTb8v + url: https://semgrep.dev/playground/r/8KTb8v/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions + origin: community + languages: + - hcl + severity: WARNING +- id: javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true + message: 'By setting `allErrors: true` in `Ajv` library, all error objects will + be allocated without limit. This allows the attacker to produce a huge number + of errors which can lead to denial of service. Do not use `allErrors: true` in + production.' + metadata: + cwe: + - 'CWE-400: Uncontrolled Resource Consumption' + category: security + technology: + - ajv + references: + - https://ajv.js.org/options.html#allerrors + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true + shortlink: https://sg.run/d2jY + semgrep.dev: + rule: + rule_id: PeUo5X + version_id: QkTJZG + url: https://semgrep.dev/playground/r/QkTJZG/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern-either: + - pattern: | + new Ajv({...,allErrors: true,...},...) + - patterns: + - pattern: | + new Ajv($SETTINGS,...) + - pattern-inside: | + $SETTINGS = {...,allErrors: true,...} + ... +- id: javascript.express.security.audit.remote-property-injection.remote-property-injection + message: Bracket object notation with user input is present, this might allow an + attacker to access all properties of the object and even it's prototype. Use literal + values for object properties. + metadata: + confidence: LOW + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + category: security + technology: + - express + references: + - https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection + shortlink: https://sg.run/Z4gn + semgrep.dev: + rule: + rule_id: JDUL1B + version_id: BjTErZ + url: https://semgrep.dev/playground/r/BjTErZ/javascript.express.security.audit.remote-property-injection.remote-property-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-inside: $OBJ[...] = ... + - pattern-not-inside: $OBJ["..."] = ... + - pattern-not-inside: $OBJ[...] = "..." + - pattern: $INDEX + - pattern-not: | + "..." + $INDEX + - pattern-not: | + $INDEX + "..." + pattern-sanitizers: + - patterns: + - pattern: var $X = ... + - pattern-not: var $X = $REQ.$ANY +- id: javascript.express.security.cors-misconfiguration.cors-misconfiguration + message: By letting user input control CORS parameters, there is a risk that software + does not properly verify that the source of data or communication is valid. Use + literal values for CORS settings. + metadata: + owasp: + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-346: Origin Validation Error' + category: security + references: + - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS + technology: + - express + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration + shortlink: https://sg.run/nKXO + semgrep.dev: + rule: + rule_id: 5rULJQ + version_id: 1QTj7d + url: https://semgrep.dev/playground/r/1QTj7d/javascript.express.security.cors-misconfiguration.cors-misconfiguration + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $RES.set($HEADER, $X) + - pattern: $RES.header($HEADER, $X) + - pattern: $RES.setHeader($HEADER, $X) + - pattern: | + $RES.set({$HEADER: $X}, ...) + - pattern: | + $RES.writeHead($STATUS, {$HEADER: $X}, ...) + - focus-metavariable: $X + - metavariable-regex: + metavariable: $HEADER + regex: .*(Access-Control-Allow-Origin|access-control-allow-origin).* +- id: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration + message: By letting user input control `X-Frame-Options` header, there is a risk + that software does not properly verify whether or not a browser should be allowed + to render a page in an `iframe`. + metadata: + references: + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + owasp: + - A04:2021 - Insecure Design + cwe: + - 'CWE-451: User Interface (UI) Misrepresentation of Critical Information' + category: security + technology: + - express + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration + shortlink: https://sg.run/EvjA + semgrep.dev: + rule: + rule_id: GdUrLy + version_id: 7ZTOnJ + url: https://semgrep.dev/playground/r/7ZTOnJ/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $RES.set($HEADER, ...) + - pattern: $RES.header($HEADER, ...) + - pattern: $RES.setHeader($HEADER, ...) + - pattern: | + $RES.set({$HEADER: ...}, ...) + - pattern: | + $RES.writeHead($STATUS, {$HEADER: ...}, ...) + - metavariable-regex: + metavariable: $HEADER + regex: .*(X-Frame-Options|x-frame-options).* +- id: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring + message: Detected string concatenation with a non-literal variable in a util.format + / console.log function. If an attacker injects a format specifier in the string, + it will forge the log message. Try to use constant values for the format string. + metadata: + cwe: + - 'CWE-134: Use of Externally-Controlled Format String' + owasp: + - A01:2021 - Broken Access Control + category: security + technology: + - javascript + subcategory: + - audit + likelihood: MEDIUM + impact: LOW + confidence: LOW + references: + - https://cwe.mitre.org/data/definitions/134.html + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring + shortlink: https://sg.run/7Y5R + semgrep.dev: + rule: + rule_id: ReU3OJ + version_id: pZTr02 + url: https://semgrep.dev/playground/r/pZTr02/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring + origin: community + languages: + - javascript + - typescript + severity: INFO + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $X + $Y + - pattern: $X.concat($Y) + - pattern: | + `...${...}...` + - pattern-not: | + "..." + "..." + - pattern-not: | + $X.concat("...") + pattern-sinks: + - patterns: + - focus-metavariable: $STR + - pattern-either: + - pattern: | + console.$LOG($STR,$PARAM,...) + - patterns: + - pattern-inside: | + $UTIL = require('util') + ... + - pattern: | + $UTIL.format($STR,$PARAM,...) +- id: ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation + metadata: + shortDescription: Allowing an attacker to manipulate the session may lead to unintended + behavior. + tags: + - security + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-276: Incorrect Default Permissions' + references: + - https://brakemanscanner.org/docs/warning_types/session_manipulation/ + category: security + technology: + - rails + help: | + ## Remediation + Session manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior. + + ## References + [Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/) + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation + shortlink: https://sg.run/86q7 + semgrep.dev: + rule: + rule_id: BYUdW6 + version_id: JdTqA6 + url: https://semgrep.dev/playground/r/JdTqA6/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation + origin: community + message: This gets data from session using user inputs. A malicious user may be + able to retrieve information from your session that you didn't intend them to. + Do not use user input as a session key. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + pattern-sinks: + - pattern: session[...] +- id: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access + shortlink: https://sg.run/gYln + semgrep.dev: + rule: + rule_id: DbU1dr + version_id: 5PT60y + url: https://semgrep.dev/playground/r/5PT60y/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access + origin: community + message: Using user input when accessing files is potentially dangerous. A malicious + actor could use this to modify or access files they have no right to. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + pattern-sinks: + - patterns: + - pattern-either: + - pattern: Dir.$X(...) + - pattern: File.$X(...) + - pattern: IO.$X(...) + - pattern: Kernel.$X(...) + - pattern: PStore.$X(...) + - pattern: Pathname.$X(...) + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-either: + - pattern: chdir + - pattern: chroot + - pattern: delete + - pattern: entries + - pattern: foreach + - pattern: glob + - pattern: install + - pattern: lchmod + - pattern: lchown + - pattern: link + - pattern: load + - pattern: load_file + - pattern: makedirs + - pattern: move + - pattern: new + - pattern: open + - pattern: read + - pattern: readlines + - pattern: rename + - pattern: rmdir + - pattern: safe_unlink + - pattern: symlink + - pattern: syscopy + - pattern: sysopen + - pattern: truncate + - pattern: unlink +- id: ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call + shortlink: https://sg.run/Q9gP + semgrep.dev: + rule: + rule_id: WAUyzp + version_id: GxT25o + url: https://semgrep.dev/playground/r/GxT25o/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call + origin: community + message: Using user input when accessing files is potentially dangerous. A malicious + actor could use this to modify or access files they have no right to. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + pattern-sinks: + - pattern-either: + - pattern: Net::FTP.$X(...) + - patterns: + - pattern-inside: | + $FTP = Net::FTP.$OPEN(...) + ... + $FTP.$METHOD(...) + - pattern: $FTP.$METHOD(...) +- id: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request + shortlink: https://sg.run/3rLb + semgrep.dev: + rule: + rule_id: 0oU2x3 + version_id: RGTbYA + url: https://semgrep.dev/playground/r/RGTbYA/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request + origin: community + message: Using user input when accessing files is potentially dangerous. A malicious + actor could use this to modify or access files they have no right to. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + pattern-sinks: + - pattern-either: + - patterns: + - pattern: Net::HTTP::$METHOD.new(...) + - metavariable-pattern: + metavariable: $METHOD + patterns: + - pattern-either: + - pattern: Copy + - pattern: Delete + - pattern: Get + - pattern: Head + - pattern: Lock + - pattern: Mkcol + - pattern: Move + - pattern: Options + - pattern: Patch + - pattern: Post + - pattern: Propfind + - pattern: Proppatch + - pattern: Put + - pattern: Trace + - pattern: Unlock + - patterns: + - pattern: Net::HTTP.$X(...) + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-either: + - pattern: get + - pattern: get2 + - pattern: head + - pattern: head2 + - pattern: options + - pattern: patch + - pattern: post + - pattern: post2 + - pattern: post_form + - pattern: put + - pattern: request + - pattern: request_get + - pattern: request_head + - pattern: request_post + - pattern: send_request + - pattern: trace + - pattern: get_print + - pattern: get_response + - pattern: start +- id: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call + shortlink: https://sg.run/4e8E + semgrep.dev: + rule: + rule_id: KxU72k + version_id: A8TR15 + url: https://semgrep.dev/playground/r/A8TR15/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call + origin: community + message: Using user input when accessing files is potentially dangerous. A malicious + actor could use this to modify or access files they have no right to. + languages: + - ruby + severity: ERROR + mode: taint + pattern-sources: + - pattern-either: + - pattern: params[...] + - pattern: cookies + - pattern: request.env + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: Kernel.$X(...) + - patterns: + - pattern-either: + - pattern: Shell.$X(...) + - patterns: + - pattern-inside: | + $SHELL = Shell.$ANY(...) + ... + $SHELL.$X(...) + - pattern: $SHELL.$X(...) + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-either: + - pattern: cat + - pattern: chdir + - pattern: chroot + - pattern: delete + - pattern: entries + - pattern: exec + - pattern: foreach + - pattern: glob + - pattern: install + - pattern: lchmod + - pattern: lchown + - pattern: link + - pattern: load + - pattern: load_file + - pattern: makedirs + - pattern: move + - pattern: new + - pattern: open + - pattern: read + - pattern: readlines + - pattern: rename + - pattern: rmdir + - pattern: safe_unlink + - pattern: symlink + - pattern: syscopy + - pattern: sysopen + - pattern: system + - pattern: truncate + - pattern: unlink +- id: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes + metadata: + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-276: Incorrect Default Permissions' + references: + - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes + shortlink: https://sg.run/Pbrq + semgrep.dev: + rule: + rule_id: qNUXYy + version_id: K3TlBE + url: https://semgrep.dev/playground/r/K3TlBE/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes + origin: community + message: Default routes are enabled in this routes file. This means any public method + on a controller can be called as an action. It is very easy to accidentally expose + a method you didn't mean to. Instead, remove this line and explicitly include + all routes you intend external users to follow. + languages: + - ruby + severity: WARNING + patterns: + - pattern-either: + - pattern: map.connect ":controller/:action/:id" + - pattern: match ':controller(/:action(/:id(.:format)))' + paths: + include: + - '*routes.rb' +- id: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_link_to.rb + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://brakemanscanner.org/docs/warning_types/link_to/ + - https://brakemanscanner.org/docs/warning_types/link_to_href/ + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to + shortlink: https://sg.run/JxXQ + semgrep.dev: + rule: + rule_id: lBU8Qj + version_id: l4T5wG + url: https://semgrep.dev/playground/r/l4T5wG/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to + origin: community + message: This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` + is not escaped. This means that user input which reaches the body will be executed + when the HTML is rendered. Even in other versions, values starting with `javascript:` + or `data:` are not escaped. It is better to create and use a safer function which + checks the body argument. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + - pattern-either: + - pattern: $MODEL.url(...) + - pattern: $MODEL.uri(...) + - pattern: $MODEL.link(...) + - pattern: $MODEL.page(...) + - pattern: $MODEL.site(...) + pattern-sinks: + - pattern: link_to(...) + pattern-sanitizers: + - patterns: + - pattern: | + "...#{...}..." + - pattern-not: | + "#{...}..." +- id: ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect + metadata: + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + references: + - https://brakemanscanner.org/docs/warning_types/redirect/ + category: security + technology: + - rails + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect + shortlink: https://sg.run/5DY3 + semgrep.dev: + rule: + rule_id: YGUDqJ + version_id: 6xTeOg + url: https://semgrep.dev/playground/r/6xTeOg/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect + origin: community + message: When a redirect uses user input, a malicious user can spoof a website under + a trusted URL or access restricted parts of a site. When using user-supplied values, + sanitize the value before using it for the redirect. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + - patterns: + - pattern: $MODEL.$X(...) + - pattern-not: $MODEL.$X("...") + - metavariable-pattern: + metavariable: $X + pattern-either: + - pattern: all + - pattern: create + - pattern: create! + - pattern: find + - pattern: find_by_sql + - pattern: first + - pattern: last + - pattern: new + - pattern: from + - pattern: group + - pattern: having + - pattern: joins + - pattern: lock + - pattern: order + - pattern: reorder + - pattern: select + - pattern: where + - pattern: find_by + - pattern: find_by! + - pattern: take + pattern-sinks: + - pattern: redirect_to(...) + pattern-sanitizers: + - pattern: params.merge(:only_path => true) + - pattern: params.merge(:host => ...) +- id: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + references: + - https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/ + category: security + technology: + - rails + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path + shortlink: https://sg.run/GO2n + semgrep.dev: + rule: + rule_id: 6JU1bL + version_id: o5Tnj1 + url: https://semgrep.dev/playground/r/o5Tnj1/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path + origin: community + message: Avoid rendering user input. It may be possible for a malicious user to + input a path that lets them access a template they shouldn't. To prevent this, + check dynamic template paths against a predefined allowlist to make sure it's + an allowed template. + languages: + - ruby + severity: WARNING + mode: taint + pattern-sources: + - pattern: params + - pattern: cookies + - pattern: request.env + pattern-sinks: + - patterns: + - pattern-inside: render($X => $INPUT, ...) + - pattern: $INPUT + - metavariable-pattern: + metavariable: $X + pattern-either: + - pattern: action + - pattern: template + - pattern: partial + - pattern: file +- id: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions + languages: + - python + severity: WARNING + metadata: + category: security + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-276: Incorrect Default Permissions' + technology: + - python + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions + shortlink: https://sg.run/AXY4 + semgrep.dev: + rule: + rule_id: zdUYqR + version_id: PkTYE6 + url: https://semgrep.dev/playground/r/PkTYE6/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions + origin: community + message: These permissions `$BITS` are widely permissive and grant access to more + people than may be necessary. A good default is `0o644` which gives read and write + access to yourself and read access to everyone else. + patterns: + - pattern-inside: os.$METHOD(...) + - metavariable-pattern: + metavariable: $METHOD + patterns: + - pattern-either: + - pattern: chmod + - pattern: lchmod + - pattern: fchmod + - pattern-either: + - patterns: + - pattern: os.$METHOD($FILE, $BITS, ...) + - metavariable-comparison: + metavariable: $BITS + comparison: $BITS >= 0o650 and $BITS < 0o100000 + - patterns: + - pattern: os.$METHOD($FILE, $BITS) + - metavariable-comparison: + metavariable: $BITS + comparison: $BITS >= 0o100650 + - patterns: + - pattern: os.$METHOD($FILE, $BITS, ...) + - metavariable-pattern: + metavariable: $BITS + patterns: + - pattern-either: + - pattern: <... stat.S_IWGRP ...> + - pattern: <... stat.S_IXGRP ...> + - pattern: <... stat.S_IWOTH ...> + - pattern: <... stat.S_IXOTH ...> + - pattern: <... stat.S_IRWXO ...> + - pattern: <... stat.S_IRWXG ...> + - patterns: + - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...) + - metavariable-comparison: + metavariable: $MOD + comparison: $MOD == 0o111 +- id: csharp.lang.security.ssrf.http-client.ssrf + severity: ERROR + languages: + - csharp + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf + shortlink: https://sg.run/4eB9 + semgrep.dev: + rule: + rule_id: 10UdbE + version_id: X0TPQ1 + url: https://semgrep.dev/playground/r/X0TPQ1/csharp.lang.security.ssrf.http-client.ssrf + origin: community + message: SSRF is an attack vector that abuses an application to interact with the + internal/external network or the machine itself. + patterns: + - pattern-inside: | + using System.Net.Http; + ... + - pattern-either: + - pattern: | + $T $F(..., $X, ...) + { + ... + HttpClient $Y = new HttpClient(); + ... + ... $Y.GetAsync(<... $X ...>, ...); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + HttpClient $Y = new HttpClient(); + ... + ... $Y.GetAsync($B, ...); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + HttpClient $Y = new HttpClient(); + ... + ... $Y.GetStringAsync(<... $X ...>); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + HttpClient $Y = new HttpClient(); + ... + ... $Y.GetStringAsync($B); + } +- id: csharp.lang.security.ssrf.rest-client.ssrf + severity: ERROR + languages: + - csharp + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf + shortlink: https://sg.run/Pb9v + semgrep.dev: + rule: + rule_id: 9AURoq + version_id: jQTKgW + url: https://semgrep.dev/playground/r/jQTKgW/csharp.lang.security.ssrf.rest-client.ssrf + origin: community + message: SSRF is an attack vector that abuses an application to interact with the + internal/external network or the machine itself. + patterns: + - pattern-inside: | + using RestSharp; + ... + - pattern-either: + - pattern: | + $T $F(..., $X, ...) + { + ... + ... new RestClient(<... $X ...>); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + ... new RestClient($B); + } +- id: csharp.lang.security.ssrf.web-client.ssrf + severity: ERROR + languages: + - csharp + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf + shortlink: https://sg.run/JxqP + semgrep.dev: + rule: + rule_id: yyUPBe + version_id: 1QTjO6 + url: https://semgrep.dev/playground/r/1QTjO6/csharp.lang.security.ssrf.web-client.ssrf + origin: community + message: SSRF is an attack vector that abuses an application to interact with the + internal/external network or the machine itself. + patterns: + - pattern-inside: | + using System.Net; + ... + - pattern-either: + - pattern: | + $T $F(..., $X, ...) + { + ... + WebClient $Y = new WebClient(); + ... + ... $Y.OpenRead(<... $X ...>); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + WebClient $Y = new WebClient(); + ... + ... $Y.OpenRead($B); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + WebClient $Y = new WebClient(); + ... + ... $Y.OpenReadAsync(<... $X ...>, ...); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + WebClient $Y = new WebClient(); + ... + ... $Y.OpenReadAsync($B, ...); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + WebClient $Y = new WebClient(); + ... + ... $Y.DownloadString(<... $X ...>); + } + - pattern: | + $T $F(..., $X, ...) + { + ... + $A $B = <... $X ...>; + ... + WebClient $Y = new WebClient(); + ... + ... $Y.DownloadString($B); + } +- id: csharp.lang.security.ssrf.web-request.ssrf + severity: ERROR + languages: + - csharp + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cwe.mitre.org/data/definitions/918.html + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf + shortlink: https://sg.run/5DWj + semgrep.dev: + rule: + rule_id: r6UwoG + version_id: 9lTzdp + url: https://semgrep.dev/playground/r/9lTzdp/csharp.lang.security.ssrf.web-request.ssrf + origin: community + message: The web server receives a URL or similar request from an upstream component + and retrieves the contents of this URL, but it does not sufficiently ensure that + the request is being sent to the expected destination. Many different options + exist to fix this issue depending the use case (Application can send request only + to identified and trusted applications, Application can send requests to ANY external + IP address or domain name). + patterns: + - pattern-inside: | + using System.Net; + ... + - pattern-either: + - pattern: | + $T $F(..., $X, ...) + { + ... + ... WebRequest.Create(<... $X ...>); + } + - pattern: | + $T $F($X) + { + ... + $A $B = <... $X ...>; + ... + ... WebRequest.Create($B); + } + - pattern: | + $T $F($X) + { + ... + $A $B = <... $X ...>; + ... + $C $D = <... $B ...>; + ... + ... WebRequest.Create($D); + } +- id: html.security.audit.missing-integrity.missing-integrity + metadata: + category: security + technology: + - html + cwe: + - 'CWE-353: Missing Support for Integrity Check' + owasp: + - A08:2021 - Software and Data Integrity Failures + confidence: LOW + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity + shortlink: https://sg.run/krXA + semgrep.dev: + rule: + rule_id: AbUQzj + version_id: jQTKQe + url: https://semgrep.dev/playground/r/jQTKQe/html.security.audit.missing-integrity.missing-integrity + origin: community + patterns: + - pattern-either: + - pattern: + - pattern: + - metavariable-pattern: + metavariable: $...A + patterns: + - pattern-either: + - pattern: src='... :// ...' + - pattern: src="... :// ..." + - pattern: href='... :// ...' + - pattern: href="... :// ..." + - pattern: src='//...' + - pattern: src="//..." + - pattern: href='//...' + - pattern: href="//..." + - pattern-not-regex: (?is).*integrity= + - pattern-not-regex: (google-analytics.com|fonts.googleapis.com|googletagmanager.com) + - pattern-not-regex: .*rel\s*=\s*['"]?preconnect.* + paths: + include: + - '*.html' + message: "This tag is missing an 'integrity' subresource integrity attribute. The + 'integrity' attribute allows for the browser to verify that externally hosted + files (for example from a CDN) are delivered without unexpected manipulation. + Without this attribute, if an attacker can modify the externally hosted resource, + this could lead to XSS and other types of attacks. To prevent this, include the + base64-encoded cryptographic hash of the resource (file) you\u2019re telling the + browser to fetch in the 'integrity' attribute for all externally hosted files." + severity: WARNING + languages: + - generic +- id: php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query + languages: + - php + message: Detected string concatenation with a non-literal variable in a Doctrine + DBAL query method. This could lead to SQL injection if the variable is user-controlled + and not properly sanitized. In order to prevent SQL injection, use parameterized + queries or prepared statements instead. + metadata: + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + technology: + - doctrine + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query + shortlink: https://sg.run/KXWn + semgrep.dev: + rule: + rule_id: X5UdZj + version_id: 44To93 + url: https://semgrep.dev/playground/r/44To93/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query + origin: community + patterns: + - pattern-either: + - pattern: $CONNECTION->prepare($QUERY,...) + - pattern: $CONNECTION->createQuery($QUERY,...) + - pattern: $CONNECTION->executeQuery($QUERY,...) + - pattern-either: + - pattern-inside: | + use Doctrine\DBAL\Connection; + ... + - pattern-inside: | + $CONNECTION = $SMTH->getConnection(...); + ... + - pattern-not: $CONNECTION->prepare("...",...) + - pattern-not: $CONNECTION->createQuery("...",...) + - pattern-not: $CONNECTION->executeQuery("...",...) + severity: WARNING +- id: php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect + patterns: + - pattern: $this->redirect(...) + - pattern-not: $this->redirect("...") + - pattern-not: $this->redirect() + message: The `redirect()` method does not check its destination in any way. If you + redirect to a URL provided by end-users, your application may be open to the unvalidated + redirects security vulnerability. Consider using literal values or an allowlist + to validate URLs. + languages: + - php + metadata: + references: + - https://symfony.com/doc/current/controller.html#redirecting + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + category: security + technology: + - symfony + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect + shortlink: https://sg.run/4ey5 + semgrep.dev: + rule: + rule_id: j2U3q8 + version_id: O9TyQ0 + url: https://semgrep.dev/playground/r/O9TyQ0/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect + origin: community + severity: WARNING +- id: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query + languages: + - php + message: '`$QUERY` Detected string concatenation with a non-literal variable in + a Doctrine QueryBuilder method. This could lead to SQL injection if the variable + is user-controlled and not properly sanitized. In order to prevent SQL injection, + use parameterized queries or prepared statements instead.' + metadata: + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + technology: + - doctrine + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query + shortlink: https://sg.run/jwDJ + semgrep.dev: + rule: + rule_id: kxUw23 + version_id: PkTYzA + url: https://semgrep.dev/playground/r/PkTYzA/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query + origin: community + mode: taint + pattern-sinks: + - patterns: + - focus-metavariable: $SINK + - pattern-either: + - pattern: $QUERY->add(...,$SINK,...) + - pattern: $QUERY->select(...,$SINK,...) + - pattern: $QUERY->addSelect(...,$SINK,...) + - pattern: $QUERY->delete(...,$SINK,...) + - pattern: $QUERY->update(...,$SINK,...) + - pattern: $QUERY->insert(...,$SINK,...) + - pattern: $QUERY->from(...,$SINK,...) + - pattern: $QUERY->join(...,$SINK,...) + - pattern: $QUERY->innerJoin(...,$SINK,...) + - pattern: $QUERY->leftJoin(...,$SINK,...) + - pattern: $QUERY->rightJoin(...,$SINK,...) + - pattern: $QUERY->where(...,$SINK,...) + - pattern: $QUERY->andWhere(...,$SINK,...) + - pattern: $QUERY->orWhere(...,$SINK,...) + - pattern: $QUERY->groupBy(...,$SINK,...) + - pattern: $QUERY->addGroupBy(...,$SINK,...) + - pattern: $QUERY->having(...,$SINK,...) + - pattern: $QUERY->andHaving(...,$SINK,...) + - pattern: $QUERY->orHaving(...,$SINK,...) + - pattern: $QUERY->orderBy(...,$SINK,...) + - pattern: $QUERY->addOrderBy(...,$SINK,...) + - pattern: $QUERY->set($SINK,...) + - pattern: $QUERY->setValue($SINK,...) + - pattern-either: + - pattern-inside: | + $Q = $X->createQueryBuilder(); + ... + - pattern-inside: | + $Q = new QueryBuilder(...); + ... + pattern-sources: + - patterns: + - pattern-either: + - pattern: sprintf(...) + - pattern: | + "...".$SMTH + severity: WARNING +- id: php.lang.security.ldap-bind-without-password.ldap-bind-without-password + patterns: + - pattern-either: + - pattern: ldap_bind($LDAP, $DN, NULL) + - pattern: ldap_bind($LDAP, $DN, '') + - patterns: + - pattern: ldap_bind(...) + - pattern-not: ldap_bind($LDAP, $DN, $PASSWORD) + message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP + statements. Consider enforcing authentication for LDAP. + metadata: + references: + - https://www.php.net/manual/en/function.ldap-bind.php + cwe: + - 'CWE-287: Improper Authentication' + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + category: security + technology: + - php + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password + shortlink: https://sg.run/18Rv + semgrep.dev: + rule: + rule_id: wdUjA5 + version_id: zyTKjzJ + url: https://semgrep.dev/playground/r/zyTKjzJ/php.lang.security.ldap-bind-without-password.ldap-bind-without-password + origin: community + languages: + - php + severity: WARNING +- id: php.lang.security.non-literal-header.non-literal-header + patterns: + - pattern: header(...) + - pattern-not: header("...",...) + message: 'Using user input when setting headers with `header()` is potentially dangerous. + This could allow an attacker to inject a new line and add a new header into the + response. This is called HTTP response splitting. To fix, do not allow whitespace + inside `header()`: ''[^\s]+''.' + metadata: + references: + - https://www.php.net/manual/en/function.header.php + - https://owasp.org/www-community/attacks/HTTP_Response_Splitting + category: security + technology: + - php + cwe: + - 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP + Request/Response Splitting'')' + owasp: + - A03:2021 - Injection + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/php.lang.security.non-literal-header.non-literal-header + shortlink: https://sg.run/9rL8 + semgrep.dev: + rule: + rule_id: x8UxNQ + version_id: WrTb76 + url: https://semgrep.dev/playground/r/WrTb76/php.lang.security.non-literal-header.non-literal-header + origin: community + languages: + - php + severity: WARNING +- id: php.lang.security.php-permissive-cors.php-permissive-cors + patterns: + - pattern: header($VALUE,...) + - pattern-either: + - pattern: header("...",...) + - pattern-inside: | + $VALUE = "..."; + ... + - metavariable-regex: + metavariable: $VALUE + regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*:\s*(\*)\s*(\'|\") + message: Access-Control-Allow-Origin response header is set to "*". This will disable + CORS Same Origin Policy restrictions. + metadata: + references: + - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin + owasp: + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-346: Origin Validation Error' + category: security + technology: + - php + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors + shortlink: https://sg.run/y1XR + semgrep.dev: + rule: + rule_id: OrU6JZ + version_id: pZT1kED + url: https://semgrep.dev/playground/r/pZT1kED/php.lang.security.php-permissive-cors.php-permissive-cors + origin: community + languages: + - php + severity: WARNING +- id: php.lang.security.unlink-use.unlink-use + patterns: + - pattern: unlink(...) + - pattern-not: unlink("...",...) + message: Using user input when deleting files with `unlink()` is potentially dangerous. + A malicious actor could use this to modify or access files they have no right + to. + metadata: + references: + - https://www.php.net/manual/en/function.unlink + - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html + category: security + technology: + - php + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use + shortlink: https://sg.run/rYeR + semgrep.dev: + rule: + rule_id: eqUzDE + version_id: o5TnL3 + url: https://semgrep.dev/playground/r/o5TnL3/php.lang.security.unlink-use.unlink-use + origin: community + languages: + - php + severity: WARNING +- id: php.lang.security.unserialize-use.unserialize-use + patterns: + - pattern: unserialize(...) + - pattern-not: unserialize("...",...) + message: Calling `unserialize()` with user input in the pattern can lead to arbitrary + code execution. Consider using JSON or structured data approaches (e.g. Google + Protocol Buffers). + metadata: + references: + - https://www.php.net/manual/en/function.unserialize.php + - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html + category: security + technology: + - php + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use + shortlink: https://sg.run/b24E + semgrep.dev: + rule: + rule_id: v8U9OJ + version_id: zyT5BO + url: https://semgrep.dev/playground/r/zyT5BO/php.lang.security.unserialize-use.unserialize-use + origin: community + languages: + - php + severity: WARNING +- id: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled + patterns: + - pattern-either: + - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => false, ...], + ...) + - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' => + false, ...], ...) + - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => false, + ...], ...) + - pattern: $X->setDefaults([..., 'csrf_protection' => false, ...], ...) + - patterns: + - pattern-either: + - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => $VAL, ...], + ...) + - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' + => $VAL, ...], ...) + - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => $VAL, + ...], ...) + - pattern: $X->setDefaults([..., 'csrf_protection' => $VAL, ...], ...) + - pattern-inside: | + $VAL = false; + ... + message: CSRF protection is disabled for this configuration. This is a security + risk. Make sure that it is safe or consider setting `csrf_protection` property + to `true`. + metadata: + references: + - https://symfony.com/doc/current/security/csrf.html + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + category: security + technology: + - symfony + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled + shortlink: https://sg.run/N1gz + semgrep.dev: + rule: + rule_id: d8UeKO + version_id: xyT4R4 + url: https://semgrep.dev/playground/r/xyT4R4/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled + origin: community + languages: + - php + severity: WARNING +- id: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors + patterns: + - pattern-inside: | + use Symfony\Component\HttpFoundation\Response; + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + new Symfony\Component\HttpFoundation\Response($X, $Y, $HEADERS, ...) + - pattern: new Response($X, $Y, $HEADERS, ...) + - pattern-either: + - pattern: new $R($X, $Y, [$KEY => $VALUE], ...) + - pattern-inside: | + $HEADERS = [$KEY => $VALUE]; + ... + - patterns: + - pattern: $RES->headers->set($KEY, $VALUE) + - metavariable-regex: + metavariable: $KEY + regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*(\'|\") + - metavariable-regex: + metavariable: $VALUE + regex: (\'|\")\s*(\*)\s*(\'|\") + message: Access-Control-Allow-Origin response header is set to "*". This will disable + CORS Same Origin Policy restrictions. + metadata: + references: + - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin + owasp: + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-346: Origin Validation Error' + category: security + technology: + - symfony + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors + shortlink: https://sg.run/kr92 + semgrep.dev: + rule: + rule_id: ZqUOlR + version_id: 2KTzG82 + url: https://semgrep.dev/playground/r/2KTzG82/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors + origin: community + languages: + - php + severity: WARNING +- id: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return + message: Missing mutex unlock before returning from a function. This could result + in panics resulting from double lock operations + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-667: Improper Locking' + subcategory: + - vuln + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: + - --no-technology-- + description: Missing `mutex` unlock before returning from a function + references: + - https://pkg.go.dev/sync#Mutex + - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return + shortlink: https://sg.run/18Bk + semgrep.dev: + rule: + rule_id: L1U5Gz + version_id: GxTG4v + url: https://semgrep.dev/playground/r/GxTG4v/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return + origin: community + patterns: + - pattern-either: + - pattern: panic(...) + - pattern: return ... + - pattern-inside: | + $T.Lock() + ... + - pattern-not-inside: | + $T.Unlock() + ... + - pattern-not-inside: | + defer $T.Unlock() + ... + - pattern-not-inside: "$FOO(..., ..., func(...) { \n ... \n})\n" +- id: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex + message: Missing `RUnlock` on an `RWMutex` lock before returning from a function + languages: + - go + severity: ERROR + metadata: + category: security + cwe: 'CWE-667: Improper Locking' + subcategory: + - vuln + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: + - --no-technology-- + description: Missing `RUnlock` on an `RWMutex` lock before returning from a function + references: + - https://pkg.go.dev/sync#RWMutex + - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex + shortlink: https://sg.run/9r40 + semgrep.dev: + rule: + rule_id: 8GUzNK + version_id: 5PTvBJ + url: https://semgrep.dev/playground/r/5PTvBJ/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex + origin: community + patterns: + - pattern-either: + - pattern: panic(...) + - pattern: return ... + - pattern-inside: | + $T.RLock() + ... + - pattern-not-inside: | + $T.RUnlock() + ... + - pattern-not-inside: | + defer $T.RUnlock() + ... + - pattern-not-inside: "$FOO(..., ..., func(...) { \n ... \n})\n" +- id: python.django.security.injection.raw-html-format.raw-html-format + languages: + - python + severity: WARNING + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. To be sure this is safe, check that the HTML + is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which + will safely render HTML instead. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - django + references: + - https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render + - https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format + shortlink: https://sg.run/oYj1 + semgrep.dev: + rule: + rule_id: 2ZUPER + version_id: 0bTv9b + url: https://semgrep.dev/playground/r/0bTv9b/python.django.security.injection.raw-html-format.raw-html-format + origin: community + mode: taint + pattern-sanitizers: + - pattern: django.utils.html.escape(...) + pattern-sources: + - patterns: + - pattern: request.$ANYTHING + - pattern-not: request.build_absolute_uri + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: '"$HTMLSTR" % ...' + - pattern: '"$HTMLSTR".format(...)' + - pattern: '"$HTMLSTR" + ...' + - pattern: f"$HTMLSTR{...}..." + - patterns: + - pattern-inside: | + $HTML = "$HTMLSTR" + ... + - pattern-either: + - pattern: $HTML % ... + - pattern: $HTML.format(...) + - pattern: $HTML + ... + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... +- id: python.flask.security.injection.raw-html-concat.raw-html-format + languages: + - python + severity: WARNING + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. To be sure this is safe, check that the HTML + is rendered safely. Otherwise, use templates (`flask.render_template`) which will + safely render HTML instead. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - flask + references: + - https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format + shortlink: https://sg.run/Pb7e + semgrep.dev: + rule: + rule_id: GdUrJv + version_id: 5PT6YR + url: https://semgrep.dev/playground/r/5PT6YR/python.flask.security.injection.raw-html-concat.raw-html-format + origin: community + mode: taint + pattern-sanitizers: + - pattern: jinja2.escape(...) + - pattern: flask.escape(...) + - pattern: flask.render_template("~=/.*\.html", ...) + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: '"$HTMLSTR" % ...' + - pattern: '"$HTMLSTR".format(...)' + - pattern: '"$HTMLSTR" + ...' + - pattern: f"$HTMLSTR{...}..." + - patterns: + - pattern-inside: | + $HTML = "$HTMLSTR" + ... + - pattern-either: + - pattern: $HTML % ... + - pattern: $HTML.format(...) + - pattern: $HTML + ... + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... +- id: go.lang.security.injection.tainted-url-host.tainted-url-host + languages: + - go + message: A request was found to be crafted from user-input `$REQUEST`. This can + lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing + sensitive data. It is recommend where possible to not allow user-input to craft + the base request, but to be treated as part of the path or query parameter. When + user-input is necessary to craft the request, it is recommended to follow OWASP + best practices to prevent abuse, including using an allowlist. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://goteleport.com/blog/ssrf-attacks/ + category: security + technology: + - go + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + interfile: true + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/5DjW + semgrep.dev: + rule: + rule_id: AbUQLr + version_id: o5Tn2R + url: https://semgrep.dev/playground/r/o5Tn2R/go.lang.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sources: + - label: INPUT + patterns: + - pattern-either: + - pattern: | + ($REQUEST : *http.Request).$ANYTHING + - pattern: | + ($REQUEST : http.Request).$ANYTHING + - metavariable-regex: + metavariable: $ANYTHING + regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ + - label: CLEAN + requires: INPUT + patterns: + - pattern-either: + - pattern: | + "$URLSTR" + $INPUT + - patterns: + - pattern-either: + - pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...) + - pattern: fmt.Sprintf("$URLSTR", $INPUT, ...) + - pattern: fmt.Printf("$URLSTR", $INPUT, ...) + - metavariable-regex: + metavariable: $URLSTR + regex: .*//[a-zA-Z0-10]+\..* + pattern-sinks: + - requires: INPUT and not CLEAN + patterns: + - pattern-either: + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $CLIENT := &http.Client{...} + ... + - pattern: $CLIENT.$METHOD($URL, ...) + - pattern: http.$METHOD($URL, ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(Get|Head|Post|PostForm)$ + - pattern: http.Redirect($W, $REQ, $URL, ...) + - patterns: + - pattern: | + http.NewRequest("$METHOD", $URL, ...) + - metavariable-regex: + metavariable: $METHOD + regex: ^(GET|HEAD|POST|POSTFORM)$ + - focus-metavariable: $URL + severity: WARNING +- id: javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport + message: If user input reaches `HoverProvider` while `supportHml` is set to `true` + it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically + generated input. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://github.com/microsoft/monaco-editor/issues/801 + category: security + technology: + - monaco + - monaco-editor + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport + shortlink: https://sg.run/Jx7R + semgrep.dev: + rule: + rule_id: zdUYQb + version_id: LjT0k3 + url: https://semgrep.dev/playground/r/LjT0k3/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport + origin: community + languages: + - typescript + - javascript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + import "monaco-editor" + ... + - pattern-inside: | + require("monaco-editor") + ... + - pattern-either: + - pattern: | + {value: $VAL, supportHtml: true} + - pattern: | + {value: $VAL, isTrusted: true} + - pattern-inside: | + {range: $R, contents: [...]} + - pattern-not: | + {..., value: "...", ...} +- id: go.lang.security.injection.raw-html-format.raw-html-format + languages: + - go + severity: WARNING + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. Use the `html/template` package which will + safely render HTML instead, or inspect that the HTML is rendered safely. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - go + references: + - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format + shortlink: https://sg.run/3r1G + semgrep.dev: + rule: + rule_id: PeUonQ + version_id: YDToAk + url: https://semgrep.dev/playground/r/YDToAk/go.lang.security.injection.raw-html-format.raw-html-format + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQUEST : *http.Request).$ANYTHING + - pattern: | + ($REQUEST : http.Request).$ANYTHING + - metavariable-regex: + metavariable: $ANYTHING + regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ + pattern-sanitizers: + - pattern: html.EscapeString(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: fmt.Printf("$HTMLSTR", ...) + - pattern: fmt.Sprintf("$HTMLSTR", ...) + - pattern: fmt.Fprintf($W, "$HTMLSTR", ...) + - pattern: '"$HTMLSTR" + ...' + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... +- id: ruby.rails.security.injection.raw-html-format.raw-html-format + languages: + - ruby + severity: WARNING + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. Use the `render template` and make template + files which will safely render HTML instead, or inspect that the HTML is absolutely + rendered safely with a function like `sanitize`. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - rails + references: + - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ + - https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format + shortlink: https://sg.run/b2JQ + semgrep.dev: + rule: + rule_id: kxUwZX + version_id: A8TRZ1 + url: https://semgrep.dev/playground/r/A8TRZ1/ruby.rails.security.injection.raw-html-format.raw-html-format + origin: community + mode: taint + pattern-sanitizers: + - pattern-either: + - pattern: sanitize(...) + - pattern: strip_tags(...) + pattern-sources: + - patterns: + - pattern-either: + - pattern: params + - pattern: request + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: | + $HTMLSTR + - pattern-regex: <\w+.* + - patterns: + - pattern-either: + - pattern: Kernel::sprintf("$HTMLSTR", ...) + - pattern: | + "$HTMLSTR" + $EXPR + - pattern: | + "$HTMLSTR" % $EXPR + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... +- id: bash.curl.security.curl-eval.curl-eval + severity: WARNING + languages: + - bash + message: Data is being eval'd from a `curl` command. An attacker with control of + the server in the `curl` command could inject malicious code into the `eval`, + resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If + you must do this, consider checking the SHA sum of the content returned by the + server to verify its integrity. + metadata: + owasp: + - A03:2021 - Injection + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + category: security + technology: + - bash + - curl + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval + shortlink: https://sg.run/0yqJ + semgrep.dev: + rule: + rule_id: KxU7Rq + version_id: bZTYGz + url: https://semgrep.dev/playground/r/bZTYGz/bash.curl.security.curl-eval.curl-eval + origin: community + mode: taint + pattern-sources: + - pattern: | + $(curl ...) + - pattern: | + `curl ...` + pattern-sinks: + - pattern: eval ... +- id: bash.curl.security.curl-pipe-bash.curl-pipe-bash + languages: + - bash + severity: WARNING + message: Data is being piped into `bash` from a `curl` command. An attacker with + control of the server in the `curl` command could inject malicious code into the + pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` + or any other shell if you can. If you must do this, consider checking the SHA + sum of the content returned by the server to verify its integrity. + metadata: + owasp: + - A03:2021 - Injection + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + category: security + technology: + - bash + - curl + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash + shortlink: https://sg.run/KXz6 + semgrep.dev: + rule: + rule_id: qNUXrw + version_id: vdTWQA + url: https://semgrep.dev/playground/r/vdTWQA/bash.curl.security.curl-pipe-bash.curl-pipe-bash + origin: community + patterns: + - pattern-either: + - pattern: curl ... | ... bash ... + - pattern: curl ... | ... /bin/bash ... + - pattern: '... bash <(curl ...)' + - pattern: '... /bin/bash <(curl ...)' + - pattern: '... bash -c "$(curl ...)"' + - pattern: '... /bin/bash -c "$(curl ...)"' +- id: python.flask.security.injection.tainted-url-host.tainted-url-host + languages: + - python + message: User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data such as cookies or authorization information sent with this request. + They could also probe internal servers or other resources that the server runnig + this code can access. (This is called server-side request forgery, or SSRF.) Do + not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode + the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/RXpK + semgrep.dev: + rule: + rule_id: ReU3Wb + version_id: BjTEGR + url: https://semgrep.dev/playground/r/BjTEGR/python.flask.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: '"$URLSTR" % ...' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + patterns: + - pattern-either: + - pattern: $SCHEME://%s + - pattern: $SCHEME://%r + - patterns: + - pattern: '"$URLSTR".format(...)' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + pattern: $SCHEME:// { ... } + - patterns: + - pattern: '"$URLSTR" + ...' + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern: f"$URLSTR{...}..." + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern-inside: | + $URL = "$URLSTR" + ... + - pattern: $URL += ... + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + severity: WARNING +- id: go.lang.security.audit.md5-used-as-password.md5-used-as-password + languages: + - go + severity: WARNING + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` + package. + metadata: + category: security + technology: + - md5 + references: + - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html + - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords + - https://github.com/returntocorp/semgrep-rules/issues/1609 + - https://pkg.go.dev/golang.org/x/crypto/bcrypt + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/4eOE + semgrep.dev: + rule: + rule_id: 4bU1Wj + version_id: bZTG8r + url: https://semgrep.dev/playground/r/bZTG8r/go.lang.security.audit.md5-used-as-password.md5-used-as-password + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: md5.New + - pattern: md5.Sum + pattern-sinks: + - patterns: + - pattern: $FUNCTION(...) + - metavariable-regex: + metavariable: $FUNCTION + regex: (?i)(.*password.*) +- id: go.lang.security.injection.tainted-sql-string.tainted-sql-string + languages: + - go + message: User data flows into this manually-constructed SQL string. User data can + be safely inserted into SQL strings using prepared statements or an object-relational + mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL + injection, which could let an attacker steal or manipulate data from the database. + Instead, use prepared statements (`db.Query("SELECT * FROM t WHERE id = ?", id)`) + or a safe library. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://golang.org/doc/database/sql-injection + - https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/ + category: security + technology: + - go + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/PbEq + semgrep.dev: + rule: + rule_id: PeUoqy + version_id: 6xTeEW + url: https://semgrep.dev/playground/r/6xTeEW/go.lang.security.injection.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + severity: ERROR + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQUEST : *http.Request).$ANYTHING + - pattern: | + ($REQUEST : http.Request).$ANYTHING + - metavariable-regex: + metavariable: $ANYTHING + regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - patterns: + - pattern-inside: | + $VAR = "$SQLSTR"; + ... + - pattern: $VAR += ... + - patterns: + - pattern-inside: | + var $SB strings.Builder + ... + - pattern-inside: | + $SB.WriteString("$SQLSTR") + ... + $SB.String(...) + - pattern: | + $SB.WriteString(...) + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop).* + - patterns: + - pattern-either: + - pattern: fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: fmt.Sprintf("$SQLSTR", ...) + - pattern: fmt.Printf("$SQLSTR", ...) + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*%(v|s|q).* + pattern-sanitizers: + - pattern-either: + - pattern: strconv.Atoi(...) + - pattern: | + ($X: bool) +- id: java.lang.security.audit.md5-used-as-password.md5-used-as-password + languages: + - java + severity: WARNING + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use + `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` + or, if using Spring, `org.springframework.security.crypto.bcrypt`. + metadata: + category: security + technology: + - java + - md5 + references: + - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html + - https://github.com/returntocorp/semgrep-rules/issues/1609 + - https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory + - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/JxEQ + semgrep.dev: + rule: + rule_id: JDULAW + version_id: 9lTzJg + url: https://semgrep.dev/playground/r/9lTzJg/java.lang.security.audit.md5-used-as-password.md5-used-as-password + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + $TYPE $MD = MessageDigest.getInstance("MD5"); + ... + - pattern: $MD.digest(...); + pattern-sinks: + - patterns: + - pattern: $MODEL.$METHOD(...); + - metavariable-regex: + metavariable: $METHOD + regex: (?i)(.*password.*) +- id: javascript.express.security.injection.raw-html-format.raw-html-format + message: User data flows into the host portion of this manually-constructed HTML. + This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from + user-provided input. Consider using a sanitization library such as DOMPurify to + sanitize the HTML within. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format + shortlink: https://sg.run/5DO3 + semgrep.dev: + rule: + rule_id: 5rUL0X + version_id: ZRTwpy + url: https://semgrep.dev/playground/r/ZRTwpy/javascript.express.security.injection.raw-html-format.raw-html-format + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - label: EXPRESS + patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - label: EXPRESSTS + patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - label: CLEAN + by-side-effect: true + patterns: + - pattern-either: + - pattern: $A($SOURCE) + - pattern: $SANITIZE. ... .$A($SOURCE) + - pattern: $A. ... .$SANITIZE($SOURCE) + - focus-metavariable: $SOURCE + - metavariable-regex: + metavariable: $A + regex: (?i)(.*valid|.*sanitiz) + pattern-sinks: + - requires: (EXPRESS and not CLEAN) or (EXPRESSTS and not CLEAN) + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: '"$HTMLSTR" + $EXPR' + - pattern: '"$HTMLSTR".concat(...)' + - pattern: util.format($HTMLSTR, ...) + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... + - patterns: + - pattern: | + `...` + - pattern-regex: | + .*<\w+.* +- id: javascript.lang.security.audit.md5-used-as-password.md5-used-as-password + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` + node.js package. + metadata: + category: security + technology: + - crypto + - md5 + references: + - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html + - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords + - https://github.com/returntocorp/semgrep-rules/issues/1609 + - https://www.npmjs.com/package/bcrypt + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/GOEn + semgrep.dev: + rule: + rule_id: GdUr5G + version_id: RGTb0Q + url: https://semgrep.dev/playground/r/RGTb0Q/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password + origin: community + languages: + - javascript + severity: WARNING + mode: taint + pattern-sources: + - pattern: $CRYPTO.createHash("md5") + pattern-sinks: + - patterns: + - pattern: $FUNCTION(...); + - metavariable-regex: + metavariable: $FUNCTION + regex: (?i)(.*password.*) +- id: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.3 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements + version: '4' + category: security + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + shortlink: https://sg.run/RXEK + semgrep.dev: + rule: + rule_id: ReU3Yb + version_id: nWT794 + url: https://semgrep.dev/playground/r/nWT794/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + origin: community + message: DefaultHttpClient is deprecated. Further, it does not support connections + using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient + instead, which supports TLS1.2. + severity: WARNING + languages: + - kt + pattern: DefaultHttpClient(...) + fix-regex: + regex: DefaultHttpClient + replacement: SystemDefaultHttpClient +- id: kotlin.lang.security.ecb-cipher.ecb-cipher + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE + category: security + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher + shortlink: https://sg.run/DzLj + semgrep.dev: + rule: + rule_id: DbU1Zd + version_id: ExTnoW + url: https://semgrep.dev/playground/r/ExTnoW/kotlin.lang.security.ecb-cipher.ecb-cipher + origin: community + message: Cipher in ECB mode is detected. ECB mode produces the same output for the + same input each time which allows an attacker to intercept and replay the data. + Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. + severity: WARNING + languages: + - kt + patterns: + - pattern-either: + - pattern: | + val $VAR : Cipher = $CIPHER.getInstance($MODE) + - pattern: | + var $VAR : Cipher = $CIPHER.getInstance($MODE) + - pattern: | + val $VAR = $CIPHER.getInstance($MODE) + - pattern: | + var $VAR = $CIPHER.getInstance($MODE) + - metavariable-regex: + metavariable: $MODE + regex: .*ECB.* +- id: kotlin.lang.security.gcm-detection.gcm-detection + metadata: + category: security + cwe: + - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' + references: + - https://cwe.mitre.org/data/definitions/323.html + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + owasp: + - A02:2021 - Cryptographic Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection + shortlink: https://sg.run/WpPA + semgrep.dev: + rule: + rule_id: WAUyAW + version_id: 7ZTOB3 + url: https://semgrep.dev/playground/r/7ZTOB3/kotlin.lang.security.gcm-detection.gcm-detection + origin: community + languages: + - kt + message: GCM detected, please check that IV/nonce is not reused, an Initialization + Vector (IV) is a nonce used to randomize the encryption, so that even if multiple + messages with identical plaintext are encrypted, the generated corresponding ciphertexts + are different.Unlike the Key, the IV usually does not need to be secret, rather + it is important that it is random and unique. Certain encryption schemes the IV + is exchanged in public as part of the ciphertext. Reusing same Initialization + Vector with the same Key to encrypt multiple plaintext blocks allows an attacker + to compare the ciphertexts and then, with some assumptions on the content of the + messages, to gain important information about the data being encrypted. + patterns: + - pattern-either: + - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...) + - pattern: GCMParameterSpec(...) + severity: INFO +- id: kotlin.lang.security.no-null-cipher.no-null-cipher + pattern: NullCipher(...) + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher + shortlink: https://sg.run/0ywb + semgrep.dev: + rule: + rule_id: 0oU2Yy + version_id: LjT0G3 + url: https://semgrep.dev/playground/r/LjT0G3/kotlin.lang.security.no-null-cipher.no-null-cipher + origin: community + message: 'NullCipher was detected. This will not encrypt anything; the cipher text + will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). + See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for + more information.' + severity: WARNING + languages: + - kt + - scala +- id: kotlin.lang.security.unencrypted-socket.unencrypted-socket + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket + shortlink: https://sg.run/KXZd + semgrep.dev: + rule: + rule_id: KxU76z + version_id: 8KTbN1 + url: https://semgrep.dev/playground/r/8KTbN1/kotlin.lang.security.unencrypted-socket.unencrypted-socket + origin: community + message: This socket is not encrypted. The traffic could be read by an attacker + intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' + or 'SSLServerSocketFactory' instead + severity: WARNING + languages: + - kt + pattern-either: + - pattern: ServerSocket(...) + - pattern: Socket(...) +- id: kotlin.lang.security.use-of-md5.use-of-md5 + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + languages: + - kt + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 + category: security + technology: + - kotlin + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5 + shortlink: https://sg.run/4eQx + semgrep.dev: + rule: + rule_id: qNUXPj + version_id: gETqPw + url: https://semgrep.dev/playground/r/gETqPw/kotlin.lang.security.use-of-md5.use-of-md5 + origin: community + pattern-either: + - pattern: | + $VAR = $MD.getInstance("MD5") + - pattern: | + $DU.getMd5Digest().digest(...) +- id: python.django.security.injection.tainted-sql-string.tainted-sql-string + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using the Django object-relational mappers (ORM) + instead of raw SQL queries. + metadata: + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + owasp: + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection + category: security + technology: + - django + subcategory: + - audit + impact: LOW + likelihood: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/PbZp + semgrep.dev: + rule: + rule_id: lBU8Ad + version_id: jQTK9g + url: https://semgrep.dev/playground/r/jQTK9g/python.django.security.injection.tainted-sql-string.tainted-sql-string + origin: community + severity: ERROR + languages: + - python + mode: taint + pattern-sources: + - patterns: + - pattern: request.$ANYTHING + - pattern-not: request.build_absolute_uri + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR" % ... + - pattern: | + "$SQLSTR".format(...) + - pattern: | + f"$SQLSTR{...}..." + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.* +- id: python.flask.security.injection.tainted-sql-string.tainted-sql-string + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as SQLAlchemy which will protect your queries. + metadata: + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql + - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column + category: security + technology: + - sqlalchemy + - flask + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/JxZj + semgrep.dev: + rule: + rule_id: YGUDKQ + version_id: A8TRnD + url: https://semgrep.dev/playground/r/A8TRnD/python.flask.security.injection.tainted-sql-string.tainted-sql-string + origin: community + severity: ERROR + languages: + - python + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR" % ... + - pattern: | + "$SQLSTR".format(...) + - pattern: | + f"$SQLSTR{...}..." + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.* +- id: python.lang.security.audit.md5-used-as-password.md5-used-as-password + severity: WARNING + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`. + languages: + - python + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://tools.ietf.org/html/rfc6151 + - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords + - https://github.com/returntocorp/semgrep-rules/issues/1609 + - https://docs.python.org/3/library/hashlib.html#hashlib.scrypt + category: security + technology: + - pycryptodome + - hashlib + - md5 + subcategory: + - vuln + likelihood: HIGH + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/5DwD + semgrep.dev: + rule: + rule_id: 6JU1w1 + version_id: 9lTzL3 + url: https://semgrep.dev/playground/r/9lTzL3/python.lang.security.audit.md5-used-as-password.md5-used-as-password + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: hashlib.md5 + - pattern: hashlib.new(..., name="MD5", ...) + - pattern: Cryptodome.Hash.MD5 + - pattern: Crypto.Hash.MD5 + - pattern: cryptography.hazmat.primitives.hashes.MD5 + pattern-sinks: + - patterns: + - pattern: $FUNCTION(...) + - metavariable-regex: + metavariable: $FUNCTION + regex: (?i)(.*password.*) +- id: ruby.lang.security.md5-used-as-password.md5-used-as-password + languages: + - ruby + severity: WARNING + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Instead, use a suitable password hashing function such as bcrypt. You can use + the `bcrypt` gem. + metadata: + category: security + technology: + - md5 + references: + - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html + - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords + - https://github.com/returntocorp/semgrep-rules/issues/1609 + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/GOZy + semgrep.dev: + rule: + rule_id: oqU4p2 + version_id: O9TyLb + url: https://semgrep.dev/playground/r/O9TyLb/ruby.lang.security.md5-used-as-password.md5-used-as-password + origin: community + mode: taint + pattern-sources: + - pattern: Digest::MD5 + pattern-sinks: + - patterns: + - pattern: $FUNCTION(...); + - metavariable-regex: + metavariable: $FUNCTION + regex: (?i)(.*password.*) +- id: ruby.rails.security.injection.tainted-url-host.tainted-url-host + languages: + - ruby + severity: WARNING + message: User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data such as cookies or authorization information sent with this request. + They could also probe internal servers or other resources that the server runnig + this code can access. (This is called server-side request forgery, or SSRF.) Do + not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction + with `SsrfFilter(...)`, or create an allowlist for approved hosts. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - rails + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://github.com/arkadiyt/ssrf_filter + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/RX3g + semgrep.dev: + rule: + rule_id: zdUY0W + version_id: DkTQZP + url: https://semgrep.dev/playground/r/DkTQZP/ruby.rails.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sanitizers: + - pattern: SsrfFilter + pattern-sources: + - patterns: + - pattern-either: + - pattern: params + - pattern: request + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: | + $URLSTR + - pattern-regex: \w+:\/\/#{.*} + - patterns: + - pattern-either: + - pattern: Kernel::sprintf("$URLSTR", ...) + - pattern: | + "$URLSTR" + $EXPR + - pattern: | + "$URLSTR" % $EXPR + - metavariable-pattern: + metavariable: $URLSTR + language: generic + pattern: $SCHEME:// ... +- id: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string + languages: + - ruby + severity: ERROR + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as ActiveRecord which will protect your queries. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - rails + references: + - https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/Y85o + semgrep.dev: + rule: + rule_id: bwU8gl + version_id: BjTEnn + url: https://semgrep.dev/playground/r/BjTEnn/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: params + - pattern: request + pattern-sanitizers: + - pattern: | + $PARAMS.slice(...) + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - patterns: + - pattern: | + $RECORD.where($X,...) + - pattern: | + $RECORD.find(..., :conditions => $X,...) + - focus-metavariable: $X + - patterns: + - pattern: | + "$SQLVERB#{$EXPR}..." + - pattern-not-inside: | + $FUNC("...", "...#{$EXPR}...",...) + - focus-metavariable: $SQLVERB + - pattern-regex: (?i)(select|delete|insert|create|update|alter|drop)\b + - patterns: + - pattern-either: + - pattern: Kernel::sprintf("$SQLSTR", $EXPR) + - pattern: | + "$SQLSTR" + $EXPR + - pattern: | + "$SQLSTR" % $EXPR + - pattern-not-inside: | + $FUNC("...", "...#{$EXPR}...",...) + - focus-metavariable: $EXPR + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop)\b +- id: javascript.express.security.injection.tainted-sql-string.tainted-sql-string + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + technology: + - express + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.express.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/66ZL + semgrep.dev: + rule: + rule_id: NbUNpr + version_id: nWT7od + url: https://semgrep.dev/playground/r/nWT7od/javascript.express.security.injection.tainted-sql-string.tainted-sql-string + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + "$SQLSTR" + $EXPR + - pattern-inside: | + "$SQLSTR".concat($EXPR) + - pattern: util.format($SQLSTR, $EXPR) + - pattern: | + `$SQLSTR${$EXPR}...` + - metavariable-regex: + metavariable: $SQLSTR + regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - focus-metavariable: $EXPR +- id: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key + pattern-regex: k2sk_v[0-9]_[0-9a-zA-Z]{24} + languages: + - regex + message: Kolide API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + - kolide + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key + shortlink: https://sg.run/d2YQ + semgrep.dev: + rule: + rule_id: JDULYW + version_id: yeTXyx + url: https://semgrep.dev/playground/r/yeTXyx/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key + origin: community +- id: php.lang.security.injection.tainted-sql-string.tainted-sql-string + languages: + - php + severity: ERROR + message: User data flows into this manually-constructed SQL string. User data can + be safely inserted into SQL strings using prepared statements or an object-relational + mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL + injection, which could let an attacker steal or manipulate data from the database. + Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id, label) + VALUES (?, ?)");`) or a safe library. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + technology: + - php + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/lZYG + semgrep.dev: + rule: + rule_id: qNUXdL + version_id: JdTqnv + url: https://semgrep.dev/playground/r/JdTqnv/php.lang.security.injection.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sanitizers: + - pattern-either: + - pattern: mysqli_real_escape_string(...) + - pattern: real_escape_string(...) + - pattern: $MYSQLI->real_escape_string(...) + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + pattern-sinks: + - pattern-either: + - patterns: + - pattern: | + sprintf($SQLSTR, ...) + - metavariable-regex: + metavariable: $SQLSTR + regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - patterns: + - pattern: | + "...{$EXPR}..." + - pattern-regex: | + .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - patterns: + - pattern: | + "...$EXPR..." + - pattern-regex: | + .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - patterns: + - pattern: | + "...".$EXPR + - pattern-regex: | + .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* +- id: php.lang.security.injection.tainted-url-host.tainted-url-host + languages: + - php + severity: WARNING + message: User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data such as cookies or authorization information sent with this request. + They could also probe internal servers or other resources that the server runnig + this code can access. (This is called server-side request forgery, or SSRF.) Do + not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode + the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - php + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/Y8no + semgrep.dev: + rule: + rule_id: lBU8K1 + version_id: 5PT67o + url: https://semgrep.dev/playground/r/5PT67o/php.lang.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + pattern-sinks: + - pattern-either: + - patterns: + - pattern: | + sprintf($URLSTR, ...) + - metavariable-pattern: + metavariable: $URLSTR + language: generic + pattern: $SCHEME://%s + - patterns: + - pattern: | + "...{$EXPR}..." + - pattern-regex: | + .*://\{.* + - patterns: + - pattern: | + "...$EXPR..." + - pattern-regex: | + .*://\$.* + - patterns: + - pattern: | + "...".$EXPR + - pattern-regex: | + .*://["'].* +- id: php.lang.security.md5-used-as-password.md5-used-as-password + severity: WARNING + message: It looks like MD5 is used as a password hash. MD5 is not considered a secure + password hash because it can be cracked by an attacker in a short amount of time. + Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, + PASSWORD_BCRYPT, $OPTIONS);`. + languages: + - php + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://tools.ietf.org/html/rfc6151 + - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision + - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords + - https://github.com/returntocorp/semgrep-rules/issues/1609 + - https://www.php.net/password_hash + category: security + technology: + - md5 + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password + shortlink: https://sg.run/66YL + semgrep.dev: + rule: + rule_id: YGUD1O + version_id: DkTQwv + url: https://semgrep.dev/playground/r/DkTQwv/php.lang.security.md5-used-as-password.md5-used-as-password + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: md5(...) + - pattern: hash('md5', ...) + pattern-sinks: + - patterns: + - pattern: $FUNCTION(...) + - metavariable-regex: + metavariable: $FUNCTION + regex: (?i)(.*password.*) +- id: python.django.security.injection.tainted-url-host.tainted-url-host + languages: + - python + message: User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data such as cookies or authorization information sent with this request. + They could also probe internal servers or other resources that the server runnig + this code can access. (This is called server-side request forgery, or SSRF.) Do + not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode + the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + impact: MEDIUM + likelihood: LOW + confidence: LOW + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/oYz6 + semgrep.dev: + rule: + rule_id: 6JU1l0 + version_id: 1QTjXz + url: https://semgrep.dev/playground/r/1QTjXz/python.django.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: '"$URLSTR" % ...' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + patterns: + - pattern-either: + - pattern: $SCHEME://%s + - pattern: $SCHEME://%r + - patterns: + - pattern: '"$URLSTR".format(...)' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + pattern: $SCHEME:// { ... } + - patterns: + - pattern: '"$URLSTR" + ...' + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern: f"$URLSTR{...}..." + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern-inside: | + $URL = "$URLSTR" + ... + - pattern: $URL += ... + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + pattern-sources: + - patterns: + - pattern: request.$ANYTHING + - pattern-not: request.build_absolute_uri + severity: WARNING +- id: java.spring.security.injection.tainted-sql-string.tainted-sql-string + languages: + - java + severity: ERROR + message: User data flows into this manually-constructed SQL string. User data can + be safely inserted into SQL strings using prepared statements or an object-relational + mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL + injection, which could let an attacker steal or manipulate data from the database. + Instead, use prepared statements (`connection.PreparedStatement`) or a safe library. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html + category: security + technology: + - spring + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + interfile: true + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/9rzz + semgrep.dev: + rule: + rule_id: 10UdRR + version_id: K3Tykq + url: https://semgrep.dev/playground/r/K3Tykq/java.spring.security.injection.tainted-sql-string.tainted-sql-string + origin: community + options: + taint_assume_safe_numbers: true + taint_assume_safe_booleans: true + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { + ... + } + - pattern-inside: | + $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { + ... + } + - metavariable-regex: + metavariable: $REQ + regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue) + - metavariable-regex: + metavariable: $TYPE + regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) + - focus-metavariable: $SOURCE + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR".concat(...) + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder("$SQLSTR"); + ... + - pattern: $SB.append(...) + - patterns: + - pattern-inside: | + $VAR = "$SQLSTR"; + ... + - pattern: $VAR += ... + - pattern: String.format("$SQLSTR", ...) + - patterns: + - pattern-inside: | + String $VAR = "$SQLSTR"; + ... + - pattern: String.format($VAR, ...) + - pattern-not-inside: System.out.println(...) + - pattern-not-inside: $LOG.info(...) + - pattern-not-inside: $LOG.warn(...) + - pattern-not-inside: $LOG.warning(...) + - pattern-not-inside: $LOG.debug(...) + - pattern-not-inside: $LOG.debugging(...) + - pattern-not-inside: $LOG.error(...) + - pattern-not-inside: new Exception(...) + - pattern-not-inside: throw ...; + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop)\b +- id: bash.lang.security.ifs-tampering.ifs-tampering + languages: + - bash + severity: WARNING + message: The special variable IFS affects how splitting takes place when expanding + unquoted variables. Don't set it globally. Prefer a dedicated utility such as + 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS + locally using e.g. 'IFS="," read -a my_array'. + pattern: IFS=... + metadata: + cwe: + - 'CWE-20: Improper Input Validation' + category: security + technology: + - bash + confidence: LOW + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering + shortlink: https://sg.run/Q9pq + semgrep.dev: + rule: + rule_id: WAUy9q + version_id: kbTo7O + url: https://semgrep.dev/playground/r/kbTo7O/bash.lang.security.ifs-tampering.ifs-tampering + origin: community +- id: generic.unicode.security.bidi.contains-bidirectional-characters + patterns: + - pattern-either: + - pattern-regex: "\u202A" + - pattern-regex: "\u202B" + - pattern-regex: "\u202D" + - pattern-regex: "\u202E" + - pattern-regex: "\u2066" + - pattern-regex: "\u2067" + - pattern-regex: "\u2068" + - pattern-regex: "\u202C" + - pattern-regex: "\u2069" + message: This code contains bidirectional (bidi) characters. While this is useful + for support of right-to-left languages such as Arabic or Hebrew, it can also be + used to trick language parsers into executing code in a manner that is different + from how it is displayed in code editing and review tools. If this is not what + you were expecting, please review this code in an editor that can reveal hidden + Unicode characters. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - unicode + references: + - https://trojansource.codes/ + confidence: LOW + owasp: + - A03:2021 - Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters + shortlink: https://sg.run/nK4r + semgrep.dev: + rule: + rule_id: d8UeX4 + version_id: WrTbPr + url: https://semgrep.dev/playground/r/WrTbPr/generic.unicode.security.bidi.contains-bidirectional-characters + origin: community + languages: + - bash + - c + - csharp + - go + - java + - javascript + - json + - kotlin + - lua + - ocaml + - php + - python + - ruby + - rust + - scala + - sh + - typescript + - yaml + severity: WARNING +- id: terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version + patterns: + - pattern-either: + - patterns: + - pattern: ssl_policy = $ANYTHING + - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" + - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08" + - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08" + - patterns: + - pattern: protocol = "HTTP" + - pattern-not-inside: | + resource $ANYTHING $NAME { + ... + default_action { + ... + redirect { + ... + protocol = "HTTPS" + ... + } + ... + } + ... + } + - pattern-inside: | + resource $RESOURCE $X { + ... + } + - metavariable-pattern: + metavariable: $RESOURCE + patterns: + - pattern-either: + - pattern: | + "aws_lb_listener" + - pattern: | + "aws_alb_listener" + message: Detected an AWS load balancer with an insecure TLS version. TLS versions + less than 1.2 are considered insecure because they can be broken. To fix this, + set your `ssl_policy` to `"ELBSecurityPolicy-FS-1-2-Res-2019-08"`, or include + a default action to redirect to HTTPS. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + references: + - https://www.ietf.org/rfc/rfc5246.txt + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version + shortlink: https://sg.run/187G + semgrep.dev: + rule: + rule_id: 2ZUP9K + version_id: jQTKWr + url: https://semgrep.dev/playground/r/jQTKWr/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version + origin: community + languages: + - hcl + severity: WARNING +- id: yaml.github-actions.security.curl-eval.curl-eval + languages: + - yaml + message: Data is being eval'd from a `curl` command. An attacker with control of + the server in the `curl` command could inject malicious code into the `eval`, + resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If + you must do this, consider checking the SHA sum of the content returned by the + server to verify its integrity. + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections + technology: + - github-actions + - bash + - curl + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval + shortlink: https://sg.run/9r7r + semgrep.dev: + rule: + rule_id: X5Udrd + version_id: LjT0bE + url: https://semgrep.dev/playground/r/LjT0bE/yaml.github-actions.security.curl-eval.curl-eval + origin: community + patterns: + - pattern-inside: 'steps: [...]' + - pattern-inside: | + - run: ... + ... + - pattern: 'run: $SHELL' + - metavariable-pattern: + language: bash + metavariable: $SHELL + patterns: + - pattern: | + $DATA=<... curl ...> + ... + eval <... $DATA ...> + severity: ERROR +- id: csharp.lang.security.sqli.csharp-sqli.csharp-sqli + patterns: + - metavariable-regex: + metavariable: $PATTERN + regex: ^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$ + - pattern-either: + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder(...); + ... + $S.$PATTERN = $SB.ToString(); + - pattern: $S.$PATTERN = $SB.ToString(); + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder(...); + ... + $PATTERN $X = new $PATTERN($SB.ToString(),...); + - pattern: $PATTERN $X = new $PATTERN($SB.ToString(),...); + - pattern: | + $S.$PATTERN = string.Format(...); + - pattern: | + $S.$PATTERN = string.Concat(...); + - pattern: | + $S.$PATTERN = String.Format(...); + - pattern: | + $S.$PATTERN = String.Concat(...); + - pattern: | + $S = string.Concat(...); + ... + $PATTERN $SQL = new $PATTERN($S,...); + - pattern: | + $S = String.Format(...); + ... + $PATTERN $SQL = new $PATTERN($S,...); + - pattern: | + $S = String.Concat(...); + ... + $PATTERN $SQL = new $PATTERN($S,...); + - pattern: | + $PATTERN $S = new $PATTERN(...); + - patterns: + - pattern-inside: | + $T $X(...,$SQL,...) + { + ... + $S.$PATTERN = $SQL; + ... + } + - pattern: $S.$PATTERN = $SQL; + - patterns: + - pattern-inside: | + $T $X(...,$SQL,...) + { + ... + $PATTERN $S = new $PATTERN($SQL,...); + ... + } + - pattern: $PATTERN $S = new $PATTERN($SQL,...); + - pattern-not: | + $S.$PATTERN = "..." + "..."; + - pattern-not-inside: | + ... + <... $S.Parameters ...>; + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' + and 'SqlParameter'. + metadata: + category: security + technology: + - csharp + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli + shortlink: https://sg.run/d2Xd + semgrep.dev: + rule: + rule_id: x8UxeP + version_id: RGTvL8 + url: https://semgrep.dev/playground/r/RGTvL8/csharp.lang.security.sqli.csharp-sqli.csharp-sqli + origin: community + languages: + - csharp + severity: ERROR +- id: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret + languages: + - scala + message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently + Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html + Consider using an appropriate security mechanism to protect the credentials (e.g. + keeping secrets in environment variables)' + metadata: + category: security + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + technology: + - jwt + confidence: HIGH + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret + shortlink: https://sg.run/Z40o + semgrep.dev: + rule: + rule_id: OrU6W1 + version_id: QkTJYA + url: https://semgrep.dev/playground/r/QkTJYA/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret + origin: community + pattern-either: + - pattern: | + com.auth0.jwt.algorithms.Algorithm.HMAC256("..."); + - pattern: | + $SECRET = "..."; + ... + com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET); + - pattern: | + class $CLASS { + ... + $DECL $SECRET = "..."; + ... + def $FUNC (...): $RETURNTYPE = { + ... + com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET); + ... + } + ... + } + - pattern: | + com.auth0.jwt.algorithms.Algorithm.HMAC384("..."); + - pattern: | + $SECRET = "..."; + ... + com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET); + - pattern: | + class $CLASS { + ... + $DECL $SECRET = "..."; + ... + def $FUNC (...): $RETURNTYPE = { + ... + com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET); + ... + } + ... + } + - pattern: | + com.auth0.jwt.algorithms.Algorithm.HMAC512("..."); + - pattern: | + $SECRET = "..."; + ... + com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET); + - pattern: | + class $CLASS { + ... + $DECL $SECRET = "..."; + ... + def $FUNC (...): $RETURNTYPE = { + ... + com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET); + ... + } + ... + } + severity: ERROR +- id: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered + message: Registering the identity used by an App with AD allows it to interact with + other services without using username and password. Set the `identity` block in + your appservice. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + identity { + type = "..." + identity_ids = "..." + } + ... + } + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + identity { + type = "SystemAssigned" + } + ... + } + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + } + metadata: + category: security + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-287: Improper Authentication' + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered + shortlink: https://sg.run/PbXY + semgrep.dev: + rule: + rule_id: WAUynd + version_id: w8T3rN + url: https://semgrep.dev/playground/r/w8T3rN/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled + message: Enabling authentication ensures that all communications in the application + are authenticated. The `auth_settings` block needs to be filled out with the appropriate + auth backend settings + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + auth_settings { + ... + enabled = true + ... + } + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + } + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + auth_settings { + ... + enabled = false + ... + } + ... + } + metadata: + cwe: + - 'CWE-287: Improper Authentication' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled + shortlink: https://sg.run/JxYw + semgrep.dev: + rule: + rule_id: 0oU23p + version_id: xyT4Ow + url: https://semgrep.dev/playground/r/xyT4Ow/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 + message: Use the latest version of HTTP to ensure you are benefiting from security + fixes. Add `http2_enabled = true` to your appservice resource block + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + site_config { + ... + http2_enabled = true + ... + } + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + } + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + site_config { + ... + http2_enabled = false + ... + } + ... + } + metadata: + cwe: + - 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request/Response + Smuggling'')' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled + owasp: + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 + shortlink: https://sg.run/5DkA + semgrep.dev: + rule: + rule_id: KxU7LJ + version_id: O9TyzR + url: https://semgrep.dev/playground/r/O9TyzR/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only + message: By default, clients can connect to App Service by using both HTTP or HTTPS. + HTTP should be disabled enabling the HTTPS Only setting. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + https_only = true + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + } + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + https_only = false + ... + } + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only + - https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only + shortlink: https://sg.run/GOKp + semgrep.dev: + rule: + rule_id: qNUXwx + version_id: e1Tx5A + url: https://semgrep.dev/playground/r/e1Tx5A/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert + message: Detected an AppService that was not configured to use a client certificate. + Add `client_cert_enabled = true` in your resource block. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_app_service" "..." { + ... + client_cert_enabled = true + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + } + - pattern-inside: | + resource "azurerm_app_service" "..." { + ... + client_cert_enabled = false + ... + } + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert + shortlink: https://sg.run/RX1O + semgrep.dev: + rule: + rule_id: lBU8D6 + version_id: vdT2gD + url: https://semgrep.dev/playground/r/vdT2gD/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy + message: Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version + = "1.2"` in your resource block. + patterns: + - pattern: min_tls_version = $ANYTHING + - pattern-inside: | + resource "azurerm_app_service" "$NAME" { + ... + } + - pattern-not-inside: min_tls_version = "1.2" + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy + shortlink: https://sg.run/AXRp + semgrep.dev: + rule: + rule_id: YGUDbZ + version_id: d6TD1E + url: https://semgrep.dev/playground/r/d6TD1E/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled + message: Enabling authentication ensures that all communications in the application + are authenticated. The `auth_settings` block needs to be filled out with the appropriate + auth backend settings + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_function_app" "..." { + ... + auth_settings { + ... + enabled = true + ... + } + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_function_app" "..." { + ... + } + - pattern-inside: | + resource "azurerm_function_app" "..." { + ... + auth_settings { + ... + enabled = false + ... + } + ... + } + metadata: + cwe: + - 'CWE-287: Improper Authentication' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled + shortlink: https://sg.run/B6AW + semgrep.dev: + rule: + rule_id: 6JU1X8 + version_id: e1TxQN + url: https://semgrep.dev/playground/r/e1TxQN/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 + message: Use the latest version of HTTP to ensure you are benefiting from security + fixes. Add `http2_enabled = true` to your function app resource block + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_function_app" "..." { + ... + site_config { + ... + http2_enabled = true + ... + } + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_function_app" "..." { + ... + } + - pattern-inside: | + resource "azurerm_function_app" "..." { + ... + site_config { + ... + http2_enabled = false + ... + } + ... + } + metadata: + cwe: + - 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request/Response + Smuggling'')' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 + shortlink: https://sg.run/DzDY + semgrep.dev: + rule: + rule_id: oqU41L + version_id: vdT2ez + url: https://semgrep.dev/playground/r/vdT2ez/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny + message: Detected a Storage that was not configured to deny action by default. Add + `default_action = "Deny"` in your resource block. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_storage_account_network_rules" "..." { + ... + default_action = "Deny" + ... + } + - pattern-inside: | + resource "azurerm_storage_account_network_rules" "..." { + ... + default_action = "Allow" + ... + } + metadata: + cwe: + - 'CWE-16: CWE CATEGORY: Configuration' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action + - https://docs.microsoft.com/en-us/azure/firewall/rule-processing + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny + shortlink: https://sg.run/WpN4 + semgrep.dev: + rule: + rule_id: zdUY3N + version_id: LjT0Z1 + url: https://semgrep.dev/playground/r/LjT0Z1/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https + message: Detected a Storage that was not configured to deny action by default. Add + `enable_https_traffic_only = true` in your resource block. + patterns: + - pattern-not-inside: | + resource "azurerm_storage_account" "..." { + ... + enable_https_traffic_only = true + ... + } + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + enable_https_traffic_only = false + ... + } + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only + - https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https + shortlink: https://sg.run/0y9v + semgrep.dev: + rule: + rule_id: pKUpDA + version_id: 8KTbRb + url: https://semgrep.dev/playground/r/8KTbRb/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted + patterns: + - pattern-not-inside: | + resource "aws_backup_vault" $BACKUP { + ... + kms_key_arn = ... + ... + } + - pattern: resource "aws_backup_vault" $BACKUP {...} + message: The AWS Backup vault is unencrypted. The AWS KMS encryption key protects + backups in the Backup vault. To create your own, create a aws_kms_key resource + or use the ARN string of a key in your account. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted + shortlink: https://sg.run/18yw + semgrep.dev: + rule: + rule_id: x8UxrP + version_id: A8TRO1 + url: https://semgrep.dev/playground/r/A8TRO1/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted + origin: community +- id: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind + metadata: + cwe: + - 'CWE-287: Improper Authentication' + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS + category: security + technology: + - kotlin + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind + shortlink: https://sg.run/rY2n + semgrep.dev: + rule: + rule_id: v8U9Q7 + version_id: O9Ty8z + url: https://semgrep.dev/playground/r/O9Ty8z/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind + origin: community + message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP + statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html + for more information. + severity: WARNING + pattern: | + $ENV.put($CTX.SECURITY_AUTHENTICATION, "none") + ... + $DCTX = InitialDirContext($ENV, ...) + languages: + - kt +- id: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion + metadata: + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + owasp: A03:2017 - Sensitive Data Exposure + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION + category: security + technology: + - kotlin + references: + - https://cwe.mitre.org/data/definitions/704.html + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion + shortlink: https://sg.run/b25p + semgrep.dev: + rule: + rule_id: d8UegG + version_id: e1TxeQ + url: https://semgrep.dev/playground/r/e1TxeQ/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion + origin: community + message: '''Integer.toHexString()'' strips leading zeroes from each byte if read + byte-by-byte. This mistake weakens the hash value computed since it introduces + more collisions. Use ''String.format("%02X", ...)'' instead.' + severity: WARNING + languages: + - kt + pattern: |- + fun $METHOD(...) { + ... + val $MD: MessageDigest = ... + ... + $MD.digest(...) + ... + Integer.toHexString(...) + } +- id: kotlin.lang.security.use-of-sha1.use-of-sha1 + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Use SHA256 or SHA3 instead. + languages: + - kt + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1 + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - kotlin + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1 + shortlink: https://sg.run/N1pp + semgrep.dev: + rule: + rule_id: ZqUOdd + version_id: QkTJX4 + url: https://semgrep.dev/playground/r/QkTJX4/kotlin.lang.security.use-of-sha1.use-of-sha1 + origin: community + pattern-either: + - pattern: | + $VAR = $MD.getInstance("SHA1") + - pattern: | + $DU.getSha1Digest().digest(...) +- id: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key + message: RSA keys should be at least 2048 bits based on NIST recommendation. + languages: + - kt + severity: WARNING + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms + category: security + technology: + - kotlin + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key + shortlink: https://sg.run/krq7 + semgrep.dev: + rule: + rule_id: nJUZNL + version_id: 3ZTdRd + url: https://semgrep.dev/playground/r/3ZTdRd/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key + origin: community + patterns: + - pattern-either: + - pattern: | + $KEY = $G.getInstance("RSA") + ... + $KEY.initialize($BITS) + - metavariable-comparison: + metavariable: $BITS + comparison: $BITS < 2048 +- id: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret + message: Key vault Secret should have a content type set + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_key_vault_secret" "..." { + ... + content_type = "..." + ... + } + - pattern-inside: | + resource "azurerm_key_vault_secret" "..." { + ... + } + metadata: + category: correctness + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type + - https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret + shortlink: https://sg.run/eoAb + semgrep.dev: + rule: + rule_id: 8GUzld + version_id: 2KT8gD + url: https://semgrep.dev/playground/r/2KT8gD/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires + message: Ensure that the expiration date is set on all keys + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_key_vault_key" "..." { + ... + expiration_date = "..." + ... + } + - pattern-inside: | + resource "azurerm_key_vault_key" "..." { + ... + } + metadata: + cwe: + - 'CWE-262: Not Using Password Aging' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date + - https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires + shortlink: https://sg.run/vq9A + semgrep.dev: + rule: + rule_id: gxUgXq + version_id: d6TDXg + url: https://semgrep.dev/playground/r/d6TDXg/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires + message: Ensure that the expiration date is set on all secrets + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_key_vault_secret" "..." { + ... + expiration_date = "..." + ... + } + - pattern-inside: | + resource "azurerm_key_vault_secret" "..." { + ... + } + metadata: + cwe: + - 'CWE-262: Not Using Password Aging' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date + - https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires + shortlink: https://sg.run/d2RZ + semgrep.dev: + rule: + rule_id: QrUdNy + version_id: ZRTw0A + url: https://semgrep.dev/playground/r/ZRTw0A/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires + origin: community + languages: + - hcl + severity: INFO +- id: terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled + message: Key vault should have purge protection enabled + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_key_vault" "..." { + ... + purge_protection_enabled = true + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_key_vault" "..." { + ... + } + - pattern-inside: | + resource "azurerm_key_vault" "..." { + ... + purge_protection_enabled = false + ... + } + metadata: + cwe: + - 'CWE-693: Protection Mechanism Failure' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled + - https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled + shortlink: https://sg.run/Z4xD + semgrep.dev: + rule: + rule_id: 3qUjw9 + version_id: nWT7XR + url: https://semgrep.dev/playground/r/nWT7XR/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl + message: Network ACLs allow you to reduce your exposure to risk by limiting what + can access your key vault. The default action of the Network ACL should be set + to deny for when IPs are not matched. Azure services can be allowed to bypass. + patterns: + - pattern: resource + - pattern-not-inside: | + resource "azurerm_key_vault" "..." { + ... + network_acls { + ... + default_action = "Deny" + ... + } + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_key_vault" "..." { + ... + } + - pattern-inside: | + resource "azurerm_key_vault" "..." { + ... + network_acls { + ... + default_action = "Allow" + ... + } + ... + } + metadata: + cwe: + - 'CWE-284: Improper Access Control' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls + - https://docs.microsoft.com/en-us/azure/key-vault/general/network-security + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl + shortlink: https://sg.run/nKgX + semgrep.dev: + rule: + rule_id: 4bU1jy + version_id: ExTn7G + url: https://semgrep.dev/playground/r/ExTn7G/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl + origin: community + languages: + - hcl + severity: ERROR +- id: json.aws.security.wildcard-assume-role.wildcard-assume-role + patterns: + - pattern-inside: | + "Statement": [...] + - pattern-inside: | + {..., "Effect": "Allow", ..., "Action": "sts:AssumeRole", ...} + - pattern: | + "Principal": {..., "AWS": "*", ...} + message: 'Detected wildcard access granted to sts:AssumeRole. This means anyone + with your AWS account ID and the name of the role can assume the role. Instead, + limit to a specific identity in your account, like this: `arn:aws:iam:::root`.' + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + category: security + technology: + - aws + references: + - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role + shortlink: https://sg.run/7YEZ + semgrep.dev: + rule: + rule_id: JDULx5 + version_id: w8T3pP + url: https://semgrep.dev/playground/r/w8T3pP/json.aws.security.wildcard-assume-role.wildcard-assume-role + origin: community + languages: + - json + severity: ERROR +- id: terraform.aws.security.wildcard-assume-role.wildcard-assume-role + patterns: + - pattern-inside: | + resource "aws_iam_role" $NAME { + ... + } + - pattern: assume_role_policy = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-inside: | + {..., "Effect": "Allow", ..., "Action": "sts:AssumeRole", ...} + - pattern: | + "Principal": {..., "AWS": "*", ...} + message: 'Detected wildcard access granted to sts:AssumeRole. This means anyone + with your AWS account ID and the name of the role can assume the role. Instead, + limit to a specific identity in your account, like this: `arn:aws:iam:::root`.' + metadata: + cwe: + - 'CWE-250: Execution with Unnecessary Privileges' + category: security + technology: + - aws + references: + - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ + owasp: + - A06:2017 - Security Misconfiguration + - A05:2021 - Security Misconfiguration + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role + shortlink: https://sg.run/LXWr + semgrep.dev: + rule: + rule_id: 5rUL1P + version_id: 9lTz2y + url: https://semgrep.dev/playground/r/9lTz2y/terraform.aws.security.wildcard-assume-role.wildcard-assume-role + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass + message: Some Microsoft services that interact with storage accounts operate from + networks that can't be granted access through network rules. To help this type + of service work as intended, allow the set of trusted Microsoft services to bypass + the network rules + patterns: + - pattern-not-inside: | + resource "azurerm_storage_account" "..." { + ... + network_rules { + ... + bypass = ["...", "AzureServices"] + ... + } + ... + } + - pattern-not-inside: | + resource "azurerm_storage_account_network_rules" "..." { + ... + bypass = ["...", "AzureServices"] + ... + } + - pattern-either: + - pattern-inside: | + resource "azurerm_storage_account_network_rules" "..." { + ... + bypass = [$ANYTHING] + ... + } + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + network_rules { + ... + bypass = [$ANYTHING] + ... + } + ... + } + metadata: + cwe: + - 'CWE-284: Improper Access Control' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass + - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass + shortlink: https://sg.run/WpX4 + semgrep.dev: + rule: + rule_id: GdUreY + version_id: 7ZTO02 + url: https://semgrep.dev/playground/r/7ZTO02/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging + message: Storage Analytics logs detailed information about successful and failed + requests to a storage service. This information can be used to monitor individual + requests and to diagnose issues with a storage service. Requests are logged on + a best-effort basis. + patterns: + - pattern-either: + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + queue_properties { + ... + } + ... + } + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + } + - pattern-not-inside: | + resource "azurerm_storage_account" "..." { + ... + queue_properties { + ... + logging { + ... + } + ... + } + ... + } + metadata: + cwe: + - 'CWE-778: Insufficient Logging' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging + - https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet + owasp: + - A10:2017 - Insufficient Logging & Monitoring + - A09:2021 - Security Logging and Monitoring Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insufficient Logging + source: https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging + shortlink: https://sg.run/0yEv + semgrep.dev: + rule: + rule_id: ReU3L9 + version_id: gETqd4 + url: https://semgrep.dev/playground/r/gETqd4/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy + message: 'Azure Storage currently supports three versions of the TLS protocol: 1.0, + 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 + and TLS 1.1 are still supported for backward compatibility. This check will warn + if the minimum TLS is not set to TLS1_2.' + patterns: + - pattern-either: + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + min_tls_version = "$ANYTHING" + ... + } + - pattern-inside: | + resource "azurerm_storage_account" "..." { + ... + } + - pattern-not-inside: | + resource "azurerm_storage_account" "..." { + ... + min_tls_version = "TLS1_2" + ... + } + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + category: security + technology: + - terraform + - azure + references: + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version + - https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy + shortlink: https://sg.run/KXD7 + semgrep.dev: + rule: + rule_id: AbUQdL + version_id: QkTJPK + url: https://semgrep.dev/playground/r/QkTJPK/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy + origin: community + languages: + - hcl + severity: ERROR +- id: python.lang.security.audit.python-reverse-shell.python-reverse-shell + patterns: + - pattern-either: + - pattern: pty.spawn("$BINPATH",...) + - pattern: subprocess.call(["$BINPATH",...],...) + - metavariable-regex: + metavariable: $BINPATH + regex: /bin/.*?sh\b + - pattern-inside: | + import socket + ... + $S = socket.socket(...) + ... + $S.connect(($IP,$PORT),...) + ... + message: Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT + metadata: + cwe: + - 'CWE-553: Command Shell in Externally Accessible Directory' + category: security + technology: + - python + references: + - https://cwe.mitre.org/data/definitions/553.html + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell + shortlink: https://sg.run/gYZJ + semgrep.dev: + rule: + rule_id: nJUZRY + version_id: xyT41l + url: https://semgrep.dev/playground/r/xyT41l/python.lang.security.audit.python-reverse-shell.python-reverse-shell + origin: community + languages: + - python + severity: WARNING +- id: scala.lang.security.audit.insecure-random.insecure-random + metadata: + cwe: + - 'CWE-330: Use of Insufficiently Random Values' + owasp: + - A02:2021 - Cryptographic Failures + category: security + technology: + - scala + - cryptography + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + resources: + - https://find-sec-bugs.github.io/bugs.htm + confidence: LOW + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random + shortlink: https://sg.run/JxAw + semgrep.dev: + rule: + rule_id: gxUgDk + version_id: yeTXWw + url: https://semgrep.dev/playground/r/yeTXWw/scala.lang.security.audit.insecure-random.insecure-random + origin: community + message: Flags the use of a predictable random value from `scala.util.Random`. This + can lead to vulnerabilities when used in security contexts, such as in a CSRF + token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom + instead. + severity: WARNING + languages: + - scala + patterns: + - pattern: | + import scala.util.Random +- id: scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + category: security + technology: + - scala + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + resources: + - https://find-sec-bugs.github.io/bugs.htm + confidence: LOW + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile + shortlink: https://sg.run/5D1A + semgrep.dev: + rule: + rule_id: QrUdOZ + version_id: bZTG7b + url: https://semgrep.dev/playground/r/bZTG7b/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile + origin: community + message: Flags cases of possible path traversal. If an unfiltered parameter is passed + into 'fromFile', file from an arbitrary filesystem location could be read. This + could lead to sensitive data exposure and other provles. Instead, sanitize the + user input instead of performing direct string concatenation. + severity: WARNING + languages: + - scala + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + $FILENAME = "..." + $VAR + ... + - pattern-inside: | + $FILENAME = $VAR + "..." + ... + - pattern-inside: | + $FILENAME = $STR.concat($VAR) + ... + - pattern-inside: | + $FILENAME = "...".format(..., $VAR, ...) + ... + - pattern: Source.fromFile($FILENAME, ...) + - patterns: + - pattern-either: + - pattern: Source.fromFile("..." + $VAR, ...) + - pattern: Source.fromFile($VAR + "...", ...) + - pattern: Source.fromFile($STR.concat($VAR), ...) + - pattern: Source.fromFile("...".format(..., $VAR, ...), ...) + - pattern-inside: | + def $FUNC(..., $VAR: $TYPE, ...) = Action { + ... + } +- id: scala.lang.security.audit.rsa-padding-set.rsa-padding-set + metadata: + cwe: + - 'CWE-780: Use of RSA Algorithm without OAEP' + owasp: + - A02:2021 - Cryptographic Failures + category: security + technology: + - scala + - cryptography + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + resources: + - https://blog.codacy.com/9-scala-security-issues/ + confidence: HIGH + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set + shortlink: https://sg.run/GO5p + semgrep.dev: + rule: + rule_id: 3qUj1Q + version_id: NdT1Kg + url: https://semgrep.dev/playground/r/NdT1Kg/scala.lang.security.audit.rsa-padding-set.rsa-padding-set + origin: community + message: Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken + encryption. This could lead to sensitive data exposure. Instead, use RSA with + `OAEPWithMD5AndMGF1Padding` instead. + severity: WARNING + languages: + - scala + patterns: + - pattern: | + $VAR = $CIPHER.getInstance($MODE) + - metavariable-regex: + metavariable: $MODE + regex: .*RSA/.*/NoPadding.* +- id: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption + message: 'Add "encryption: $Y.BucketEncryption.KMS_MANAGED" or "encryption: $Y.BucketEncryption.S3_MANAGED" + to the bucket props for Bucket construct $X' + metadata: + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + category: security + technology: + - AWS-CDK + references: + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption + shortlink: https://sg.run/eowX + semgrep.dev: + rule: + rule_id: bwU8qz + version_id: GxT2dB + url: https://semgrep.dev/playground/r/GxT2dB/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption + origin: community + languages: + - typescript + severity: ERROR + pattern-either: + - patterns: + - pattern-inside: | + import {Bucket} from '@aws-cdk/aws-s3' + ... + - pattern: const $X = new Bucket(...) + - pattern-not: | + const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS_MANAGED, ...}) + - pattern-not: | + const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS, ...}) + - pattern-not: | + const $X = new Bucket(..., {..., encryption: BucketEncryption.S3_MANAGED, ...}) + - patterns: + - pattern-inside: | + import * as $Y from '@aws-cdk/aws-s3' + ... + - pattern: const $X = new $Y.Bucket(...) + - pattern-not: | + const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS_MANAGED, ...}) + - pattern-not: | + const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS, ...}) + - pattern-not: | + const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.S3_MANAGED, ...}) +- id: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl + message: Bucket $X is not set to enforce encryption-in-transit, if not explictly + setting this on the bucket policy - the property "enforceSSL" should be set to + true + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + category: security + technology: + - AWS-CDK + references: + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl + shortlink: https://sg.run/vqBX + semgrep.dev: + rule: + rule_id: NbUN8B + version_id: RGTb4r + url: https://semgrep.dev/playground/r/RGTb4r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl + origin: community + languages: + - ts + severity: ERROR + pattern-either: + - patterns: + - pattern-inside: | + import {Bucket} from '@aws-cdk/aws-s3'; + ... + - pattern: const $X = new Bucket(...) + - pattern-not: | + const $X = new Bucket(..., {enforceSSL: true}, ...) + - patterns: + - pattern-inside: | + import * as $Y from '@aws-cdk/aws-s3'; + ... + - pattern: const $X = new $Y.Bucket(...) + - pattern-not: | + const $X = new $Y.Bucket(..., {..., enforceSSL: true, ...}) +- id: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue + message: 'Queue $X is missing encryption at rest. Add "encryption: $Y.QueueEncryption.KMS" + or "encryption: $Y.QueueEncryption.KMS_MANAGED" to the queue props to enable encryption + at rest for the queue.' + metadata: + category: security + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + technology: + - AWS-CDK + references: + - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue + shortlink: https://sg.run/d23P + semgrep.dev: + rule: + rule_id: kxUwqO + version_id: A8TRon + url: https://semgrep.dev/playground/r/A8TRon/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue + origin: community + languages: + - ts + severity: WARNING + pattern-either: + - patterns: + - pattern-inside: | + import {Queue} from '@aws-cdk/aws-sqs' + ... + - pattern: const $X = new Queue(...) + - pattern-not: | + const $X = new Queue(..., {..., encryption: QueueEncryption.KMS_MANAGED, ...}) + - pattern-not: | + const $X = new Queue(..., {..., encryption: QueueEncryption.KMS, ...}) + - patterns: + - pattern-inside: | + import * as $Y from '@aws-cdk/aws-sqs' + ... + - pattern: const $X = new $Y.Queue(...) + - pattern-not: | + const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS_MANAGED, ...}) + - pattern-not: | + const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS, ...}) +- id: typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod + message: Using the GrantPublicAccess method on bucket contruct $X will make the + objects in the bucket world accessible. Verify if this is intentional. + metadata: + cwe: + - 'CWE-306: Missing Authentication for Critical Function' + category: security + technology: + - AWS-CDK + references: + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html + owasp: + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod + shortlink: https://sg.run/Z4p7 + semgrep.dev: + rule: + rule_id: wdUjZK + version_id: BjTE3Q + url: https://semgrep.dev/playground/r/BjTE3Q/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod + origin: community + languages: + - ts + severity: WARNING + pattern-either: + - patterns: + - pattern-inside: | + import {Bucket} from '@aws-cdk/aws-s3' + ... + - pattern: | + const $X = new Bucket(...) + ... + $X.grantPublicAccess(...) + - patterns: + - pattern-inside: | + import * as $Y from '@aws-cdk/aws-s3' + ... + - pattern: | + const $X = new $Y.Bucket(...) + ... + $X.grantPublicAccess(...) +- id: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public + message: CodeBuild Project $X is set to have a public URL. This will make the build + results, logs, artifacts publically accessible, including builds prior to the + project being public. Ensure this is acceptable for the project. + metadata: + category: security + cwe: + - 'CWE-306: Missing Authentication for Critical Function' + technology: + - AWS-CDK + references: + - https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html + owasp: + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public + shortlink: https://sg.run/nK7G + semgrep.dev: + rule: + rule_id: x8UxXZ + version_id: DkTQrL + url: https://semgrep.dev/playground/r/DkTQrL/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public + origin: community + languages: + - ts + severity: WARNING + pattern-either: + - patterns: + - pattern-inside: | + import {Project} from '@aws-cdk/aws-codebuild' + ... + - pattern: | + const $X = new Project(..., {..., badge: true, ...}) + - patterns: + - pattern-inside: | + import * as $Y from '@aws-cdk/aws-codebuild' + ... + - pattern: | + const $X = new $Y.Project(..., {..., badge: true, ...}) +- id: java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection + metadata: + cwe: + - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream + Component (''Injection'')' + owasp: + - A03:2021 - Injection + source-rule-url: https://www.lunasec.io/docs/blog/log4j-zero-day/ + references: + - https://issues.apache.org/jira/browse/LOG4J2-3198 + - https://www.lunasec.io/docs/blog/log4j-zero-day/ + - https://logging.apache.org/log4j/2.x/manual/lookups.html + category: security + technology: + - java + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection + shortlink: https://sg.run/eX1Z + semgrep.dev: + rule: + rule_id: 9AUZeQ + version_id: jQTKw2 + url: https://semgrep.dev/playground/r/jQTKw2/java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection + origin: community + message: This rule is deprecated. + patterns: + - pattern: a() + - pattern: b() + severity: WARNING + languages: + - java +- id: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text + patterns: + - pattern: sqlalchemy.text(...) + - pattern-not-inside: sqlalchemy.text("...") + message: sqlalchemy.text passes the constructed SQL statement to the database mostly + unchanged. This means that the usual SQL injection protections are not applied + and this function is vulnerable to SQL injection if user input can reach here. + Use normal SQLAlchemy operators (such as or_, and_, etc.) to construct SQL. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - sqlalchemy + confidence: MEDIUM + references: + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text + shortlink: https://sg.run/yP1O + semgrep.dev: + rule: + rule_id: r6U2wE + version_id: 8KTbo4 + url: https://semgrep.dev/playground/r/8KTbo4/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text + origin: community + languages: + - python + severity: ERROR +- id: terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption + patterns: + - pattern: resource "aws_athena_workgroup" $ANYTHING {...} + - pattern-not-inside: | + resource "aws_athena_workgroup" $ANYTHING { + ... + encryption_configuration {...} + ... + } + message: 'The AWS Athena Workgroup is unencrypted. Encryption protects query results + in your workgroup. To enable, add: `encryption_configuration { encryption_option + = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration + { }` in your resource block, where `encryption_option` is your chosen encryption + method and `kms_key_arn` is your KMS key ARN.' + languages: + - hcl + severity: WARNING + metadata: + technology: + - aws + - terraform + category: security + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption + shortlink: https://sg.run/kzro + semgrep.dev: + rule: + rule_id: wdUljO + version_id: 1QTjB4 + url: https://semgrep.dev/playground/r/1QTjB4/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption + origin: community +- id: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging + patterns: + - pattern: | + name = ... + - pattern-inside: | + resource "aws_eks_cluster" "..." { + ... + } + - pattern-not-inside: | + resource "aws_eks_cluster" "..." { + ... + enabled_cluster_log_types = [..., "api", ..., "audit", ...] + ... + } + - pattern-not-inside: | + resource "aws_eks_cluster" "..." { + ... + enabled_cluster_log_types = [..., "audit", ..., "api", ...] + ... + } + languages: + - hcl + message: Missing EKS control plane logging. It is recommended to enable at least + Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS + control plane through the enabled_cluster_log_types attribute. + severity: WARNING + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging + - https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + category: security + cwe: + - 'CWE-778: Insufficient Logging' + technology: + - terraform + - aws + owasp: + - A10:2017 - Insufficient Logging & Monitoring + - A09:2021 - Security Logging and Monitoring Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insufficient Logging + source: https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging + shortlink: https://sg.run/wZ3n + semgrep.dev: + rule: + rule_id: x8UGx7 + version_id: xyT47L + url: https://semgrep.dev/playground/r/xyT47L/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging + origin: community +- id: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code + pattern-either: + - patterns: + - pattern: password = "..." + - pattern-inside: | + resource "aws_db_instance" "..." { + ... + } + - patterns: + - pattern: master_password = "..." + - pattern-inside: | + resource "aws_rds_cluster" "..." { + ... + } + languages: + - hcl + severity: WARNING + message: RDS instance or cluster with hardcoded credentials in source code. It is + recommended to pass the credentials at runtime, or generate random credentials + using the random_password resource. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password + - https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + category: security + technology: + - terraform + - aws + - secrets + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code + shortlink: https://sg.run/x4qA + semgrep.dev: + rule: + rule_id: OrUl6W + version_id: gETqQe + url: https://semgrep.dev/playground/r/gETqQe/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code + origin: community +- id: terraform.lang.security.rds-public-access.rds-public-access + patterns: + - pattern: publicly_accessible = true + - pattern-inside: | + resource "aws_db_instance" "..." { + ... + } + languages: + - hcl + severity: WARNING + message: RDS instance accessible from the Internet detected. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible + - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding + cwe: + - 'CWE-284: Improper Access Control' + category: security + technology: + - terraform + - aws + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access + shortlink: https://sg.run/Oye2 + semgrep.dev: + rule: + rule_id: eqUrzK + version_id: QkTJe0 + url: https://semgrep.dev/playground/r/QkTJe0/terraform.lang.security.rds-public-access.rds-public-access + origin: community +- id: generic.ci.security.bash-reverse-shell.bash_reverse_shell + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - ci + confidence: HIGH + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell + shortlink: https://sg.run/4l9l + semgrep.dev: + rule: + rule_id: gxUJrJ + version_id: d6TDrR + url: https://semgrep.dev/playground/r/d6TDrR/generic.ci.security.bash-reverse-shell.bash_reverse_shell + origin: community + message: Semgrep found a bash reverse shell + severity: ERROR + languages: + - generic + pattern-either: + - pattern: | + sh -i >& /dev/udp/.../... 0>&1 + - pattern: | + <...>/dev/tcp/.../...; sh <&... >&... 2>& + - pattern: | + <...>/dev/tcp/.../...; cat <&... | while read line; do $line 2>&... >&...;done + - pattern: | + sh -i ...<...> /dev/tcp/.../... ...<&... 1>&... 2>& +- id: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection + pattern: skip_forgery_protection + message: This call turns off CSRF protection allowing CSRF attacks against the application + languages: + - ruby + severity: WARNING + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + category: security + technology: + - rails + references: + - https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection + owasp: + - A01:2021 - Broken Access Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection + shortlink: https://sg.run/PgwY + semgrep.dev: + rule: + rule_id: QrUnEk + version_id: DkTQ4P + url: https://semgrep.dev/playground/r/DkTQ4P/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection + origin: community +- id: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + patterns: + - pattern: a + - pattern: b + languages: + - hcl + severity: INFO + message: This rule has been deprecated, as all s3 buckets are encrypted by default + with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration + for more info. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + deprecated: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + shortlink: https://sg.run/Jezw + semgrep.dev: + rule: + rule_id: 3qU62L + version_id: JdTq9n + url: https://semgrep.dev/playground/r/JdTq9n/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + origin: community +- id: php.lang.security.injection.tainted-filename.tainted-filename + severity: WARNING + message: File name based on user input risks server-side request forgery. + metadata: + technology: + - php + category: security + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename + shortlink: https://sg.run/Ayqp + semgrep.dev: + rule: + rule_id: 5rUpro + version_id: l4T5px + url: https://semgrep.dev/playground/r/l4T5px/php.lang.security.injection.tainted-filename.tainted-filename + origin: community + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: basename($PATH, ...) + - pattern-inside: linkinfo($PATH, ...) + - pattern-inside: readlink($PATH, ...) + - pattern-inside: realpath($PATH, ...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: opcache_compile_file($FILENAME, ...) + - pattern-inside: opcache_invalidate($FILENAME, ...) + - pattern-inside: opcache_is_script_cached($FILENAME, ...) + - pattern-inside: runkit7_import($FILENAME, ...) + - pattern-inside: readline_read_history($FILENAME, ...) + - pattern-inside: readline_write_history($FILENAME, ...) + - pattern-inside: rar_open($FILENAME, ...) + - pattern-inside: zip_open($FILENAME, ...) + - pattern-inside: gzfile($FILENAME, ...) + - pattern-inside: gzopen($FILENAME, ...) + - pattern-inside: readgzfile($FILENAME, ...) + - pattern-inside: hash_file($ALGO, $FILENAME, ...) + - pattern-inside: hash_update_file($CONTEXT, $FILENAME, ...) + - pattern-inside: pg_trace($FILENAME, ...) + - pattern-inside: dio_open($FILENAME, ...) + - pattern-inside: finfo_file($FINFO, $FILENAME, ...) + - pattern-inside: mime_content_type($FILENAME, ...) + - pattern-inside: chgrp($FILENAME, ...) + - pattern-inside: chmod($FILENAME, ...) + - pattern-inside: chown($FILENAME, ...) + - pattern-inside: clearstatcache($CLEAR_REALPATH_CACHE, $FILENAME, ...) + - pattern-inside: file_exists($FILENAME, ...) + - pattern-inside: file_get_contents($FILENAME, ...) + - pattern-inside: file_put_contents($FILENAME, ...) + - pattern-inside: file($FILENAME, ...) + - pattern-inside: fileatime($FILENAME, ...) + - pattern-inside: filectime($FILENAME, ...) + - pattern-inside: filegroup($FILENAME, ...) + - pattern-inside: fileinode($FILENAME, ...) + - pattern-inside: filemtime($FILENAME, ...) + - pattern-inside: fileowner($FILENAME, ...) + - pattern-inside: fileperms($FILENAME, ...) + - pattern-inside: filesize($FILENAME, ...) + - pattern-inside: filetype($FILENAME, ...) + - pattern-inside: fnmatch($PATTERN, $FILENAME, ...) + - pattern-inside: fopen($FILENAME, ...) + - pattern-inside: is_dir($FILENAME, ...) + - pattern-inside: is_executable($FILENAME, ...) + - pattern-inside: is_file($FILENAME, ...) + - pattern-inside: is_link($FILENAME, ...) + - pattern-inside: is_readable($FILENAME, ...) + - pattern-inside: is_uploaded_file($FILENAME, ...) + - pattern-inside: is_writable($FILENAME, ...) + - pattern-inside: lchgrp($FILENAME, ...) + - pattern-inside: lchown($FILENAME, ...) + - pattern-inside: lstat($FILENAME, ...) + - pattern-inside: parse_ini_file($FILENAME, ...) + - pattern-inside: readfile($FILENAME, ...) + - pattern-inside: stat($FILENAME, ...) + - pattern-inside: touch($FILENAME, ...) + - pattern-inside: unlink($FILENAME, ...) + - pattern-inside: xattr_get($FILENAME, ...) + - pattern-inside: xattr_list($FILENAME, ...) + - pattern-inside: xattr_remove($FILENAME, ...) + - pattern-inside: xattr_set($FILENAME, ...) + - pattern-inside: xattr_supported($FILENAME, ...) + - pattern-inside: enchant_broker_request_pwl_dict($BROKER, $FILENAME, ...) + - pattern-inside: pspell_config_personal($CONFIG, $FILENAME, ...) + - pattern-inside: pspell_config_repl($CONFIG, $FILENAME, ...) + - pattern-inside: pspell_new_personal($FILENAME, ...) + - pattern-inside: exif_imagetype($FILENAME, ...) + - pattern-inside: getimagesize($FILENAME, ...) + - pattern-inside: image2wbmp($IMAGE, $FILENAME, ...) + - pattern-inside: imagecreatefromavif($FILENAME, ...) + - pattern-inside: imagecreatefrombmp($FILENAME, ...) + - pattern-inside: imagecreatefromgd2($FILENAME, ...) + - pattern-inside: imagecreatefromgd2part($FILENAME, ...) + - pattern-inside: imagecreatefromgd($FILENAME, ...) + - pattern-inside: imagecreatefromgif($FILENAME, ...) + - pattern-inside: imagecreatefromjpeg($FILENAME, ...) + - pattern-inside: imagecreatefrompng($FILENAME, ...) + - pattern-inside: imagecreatefromtga($FILENAME, ...) + - pattern-inside: imagecreatefromwbmp($FILENAME, ...) + - pattern-inside: imagecreatefromwebp($FILENAME, ...) + - pattern-inside: imagecreatefromxbm($FILENAME, ...) + - pattern-inside: imagecreatefromxpm($FILENAME, ...) + - pattern-inside: imageloadfont($FILENAME, ...) + - pattern-inside: imagexbm($IMAGE, $FILENAME, ...) + - pattern-inside: iptcembed($IPTC_DATA, $FILENAME, ...) + - pattern-inside: mailparse_msg_extract_part_file($MIMEMAIL, $FILENAME, ...) + - pattern-inside: mailparse_msg_extract_whole_part_file($MIMEMAIL, $FILENAME, + ...) + - pattern-inside: mailparse_msg_parse_file($FILENAME, ...) + - pattern-inside: fdf_add_template($FDF_DOCUMENT, $NEWPAGE, $FILENAME, ...) + - pattern-inside: fdf_get_ap($FDF_DOCUMENT, $FIELD, $FACE, $FILENAME, ...) + - pattern-inside: fdf_open($FILENAME, ...) + - pattern-inside: fdf_save($FDF_DOCUMENT, $FILENAME, ...) + - pattern-inside: fdf_set_ap($FDF_DOCUMENT, $FIELD_NAME, $FACE, $FILENAME, ...) + - pattern-inside: ps_add_launchlink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, + ...) + - pattern-inside: ps_add_pdflink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, + ...) + - pattern-inside: ps_open_file($PSDOC, $FILENAME, ...) + - pattern-inside: ps_open_image_file($PSDOC, $TYPE, $FILENAME, ...) + - pattern-inside: posix_access($FILENAME, ...) + - pattern-inside: posix_mkfifo($FILENAME, ...) + - pattern-inside: posix_mknod($FILENAME, ...) + - pattern-inside: ftok($FILENAME, ...) + - pattern-inside: fann_cascadetrain_on_file($ANN, $FILENAME, ...) + - pattern-inside: fann_read_train_from_file($FILENAME, ...) + - pattern-inside: fann_train_on_file($ANN, $FILENAME, ...) + - pattern-inside: highlight_file($FILENAME, ...) + - pattern-inside: php_strip_whitespace($FILENAME, ...) + - pattern-inside: stream_resolve_include_path($FILENAME, ...) + - pattern-inside: swoole_async_read($FILENAME, ...) + - pattern-inside: swoole_async_readfile($FILENAME, ...) + - pattern-inside: swoole_async_write($FILENAME, ...) + - pattern-inside: swoole_async_writefile($FILENAME, ...) + - pattern-inside: swoole_load_module($FILENAME, ...) + - pattern-inside: tidy_parse_file($FILENAME, ...) + - pattern-inside: tidy_repair_file($FILENAME, ...) + - pattern-inside: get_meta_tags($FILENAME, ...) + - pattern-inside: yaml_emit_file($FILENAME, ...) + - pattern-inside: yaml_parse_file($FILENAME, ...) + - pattern-inside: curl_file_create($FILENAME, ...) + - pattern-inside: ftp_chmod($FTP, $PERMISSIONS, $FILENAME, ...) + - pattern-inside: ftp_delete($FTP, $FILENAME, ...) + - pattern-inside: ftp_mdtm($FTP, $FILENAME, ...) + - pattern-inside: ftp_size($FTP, $FILENAME, ...) + - pattern-inside: rrd_create($FILENAME, ...) + - pattern-inside: rrd_fetch($FILENAME, ...) + - pattern-inside: rrd_graph($FILENAME, ...) + - pattern-inside: rrd_info($FILENAME, ...) + - pattern-inside: rrd_last($FILENAME, ...) + - pattern-inside: rrd_lastupdate($FILENAME, ...) + - pattern-inside: rrd_tune($FILENAME, ...) + - pattern-inside: rrd_update($FILENAME, ...) + - pattern-inside: snmp_read_mib($FILENAME, ...) + - pattern-inside: ssh2_sftp_chmod($SFTP, $FILENAME, ...) + - pattern-inside: ssh2_sftp_realpath($SFTP, $FILENAME, ...) + - pattern-inside: ssh2_sftp_unlink($SFTP, $FILENAME, ...) + - pattern-inside: apache_lookup_uri($FILENAME, ...) + - pattern-inside: md5_file($FILENAME, ...) + - pattern-inside: sha1_file($FILENAME, ...) + - pattern-inside: simplexml_load_file($FILENAME, ...) + - pattern: $FILENAME +- id: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + languages: + - php + severity: WARNING + message: <- A new object is created where the class name is based on user input. + This could lead to remote code execution, as it allows to instantiate any class + in the application. + metadata: + cwe: + - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe + Reflection'')' + category: security + technology: + - php + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + shortlink: https://sg.run/7ndw + semgrep.dev: + rule: + rule_id: v8U4DA + version_id: YDTow2 + url: https://semgrep.dev/playground/r/YDTow2/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: new $SINK(...) + - pattern: $SINK +- id: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + patterns: + - pattern-inside: | + provider "aws" { + ... + secret_key = "$SECRET" + } + - focus-metavariable: $SECRET + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + languages: + - hcl + severity: WARNING + metadata: + technology: + - secrets + - aws + - terraform + category: security + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + shortlink: https://sg.run/L3kn + semgrep.dev: + rule: + rule_id: d8U4n0 + version_id: GxT23e + url: https://semgrep.dev/playground/r/GxT23e/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + origin: community +- id: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions + metadata: + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_detailed_exceptions.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions + shortlink: https://sg.run/Je0d + semgrep.dev: + rule: + rule_id: 8GUAo4 + version_id: BjTEOp + url: https://semgrep.dev/playground/r/BjTEOp/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions + origin: community + message: Found that the setting for providing detailed exception reports in Rails + is set to true. This can lead to information exposure, where sensitive system + or internal information is displayed to the end user. Instead, turn this setting + off. + languages: + - ruby + severity: WARNING + patterns: + - pattern-either: + - patterns: + - pattern: | + config.consider_all_requests_local = true + - patterns: + - pattern-inside: | + class $CONTROLLER < ApplicationController + ... + end + - pattern: | + def show_detailed_exceptions? (...) + ... + return $RETURN + end + - metavariable-pattern: + metavariable: $RETURN + patterns: + - pattern-not: | + false +- id: ruby.rails.security.audit.dynamic-finders.dynamic-finders + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_dynamic_finders.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.rails.security.audit.dynamic-finders.dynamic-finders + shortlink: https://sg.run/5yNW + semgrep.dev: + rule: + rule_id: gxUJ8A + version_id: 1QTxQB + url: https://semgrep.dev/playground/r/1QTxQB/ruby.rails.security.audit.dynamic-finders.dynamic-finders + origin: community + message: This rule is deprecated. + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.rails.security.audit.mail-to-erb.mail-to-erb + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.mail-to-erb.mail-to-erb + shortlink: https://sg.run/GyBe + semgrep.dev: + rule: + rule_id: QrUn3z + version_id: WrTb28 + url: https://semgrep.dev/playground/r/WrTb28/ruby.rails.security.audit.mail-to-erb.mail-to-erb + origin: community + message: This rule is deprecated. + languages: + - generic + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.rails.security.audit.mail-to.mail-to + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.mail-to.mail-to + shortlink: https://sg.run/Ryp8 + semgrep.dev: + rule: + rule_id: 3qU6KB + version_id: 0bTvRG + url: https://semgrep.dev/playground/r/0bTvRG/ruby.rails.security.audit.mail-to.mail-to + origin: community + message: This rule is deprecated. + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: php.laravel.security.laravel-sql-injection.laravel-sql-injection + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - laravel + references: + - https://laravel.com/docs/8.x/queries + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection + shortlink: https://sg.run/x40p + semgrep.dev: + rule: + rule_id: j2UQdp + version_id: kbT7Wq + url: https://semgrep.dev/playground/r/kbT7Wq/php.laravel.security.laravel-sql-injection.laravel-sql-injection + origin: community + severity: WARNING + message: Detected a SQL query based on user input. This could lead to SQL injection, + which could potentially result in sensitive data being exfiltrated by attackers. + Instead, use parameterized queries and prepared statements. + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: $SQL + - pattern-either: + - pattern-inside: DB::table(...)->whereRaw($SQL, ...) + - pattern-inside: DB::table(...)->orWhereRaw($SQL, ...) + - pattern-inside: DB::table(...)->groupByRaw($SQL, ...) + - pattern-inside: DB::table(...)->havingRaw($SQL, ...) + - pattern-inside: DB::table(...)->orHavingRaw($SQL, ...) + - pattern-inside: DB::table(...)->orderByRaw($SQL, ...) + - patterns: + - pattern: $EXPRESSION + - pattern-either: + - pattern-inside: DB::table(...)->selectRaw($EXPRESSION, ...) + - pattern-inside: DB::table(...)->fromRaw($EXPRESSION, ...) + - patterns: + - pattern: $COLUMNS + - pattern-either: + - pattern-inside: DB::table(...)->whereNull($COLUMNS, ...) + - pattern-inside: DB::table(...)->orWhereNull($COLUMN) + - pattern-inside: DB::table(...)->whereNotNull($COLUMNS, ...) + - pattern-inside: DB::table(...)->whereRowValues($COLUMNS, ...) + - pattern-inside: DB::table(...)->orWhereRowValues($COLUMNS, ...) + - pattern-inside: DB::table(...)->find($ID, $COLUMNS) + - pattern-inside: DB::table(...)->paginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->simplePaginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->cursorPaginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->getCountForPagination($COLUMNS) + - pattern-inside: DB::table(...)->aggregate($FUNCTION, $COLUMNS) + - pattern-inside: DB::table(...)->numericAggregate($FUNCTION, $COLUMNS) + - pattern-inside: DB::table(...)->insertUsing($COLUMNS, ...) + - pattern-inside: DB::table(...)->select($COLUMNS) + - pattern-inside: DB::table(...)->get($COLUMNS) + - pattern-inside: DB::table(...)->count($COLUMNS) + - patterns: + - pattern: $COLUMN + - pattern-either: + - pattern-inside: DB::table(...)->whereIn($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIn($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotIn($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotIn($COLUMN, ...) + - pattern-inside: DB::table(...)->whereIntegerInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIntegerInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->whereIntegerNotInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIntegerNotInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->whereBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotNull($COLUMN) + - pattern-inside: DB::table(...)->whereDate($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereDate($COLUMN, ...) + - pattern-inside: DB::table(...)->whereTime($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereTime($COLUMN, ...) + - pattern-inside: DB::table(...)->whereDay($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereDay($COLUMN, ...) + - pattern-inside: DB::table(...)->whereMonth($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereMonth($COLUMN, ...) + - pattern-inside: DB::table(...)->whereYear($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereYear($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonContains($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonContains($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonDoesntContain($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonDoesntContain($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonLength($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonLength($COLUMN, ...) + - pattern-inside: DB::table(...)->having($COLUMN, ...) + - pattern-inside: DB::table(...)->orHaving($COLUMN, ...) + - pattern-inside: DB::table(...)->havingBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orderBy($COLUMN, ...) + - pattern-inside: DB::table(...)->orderByDesc($COLUMN) + - pattern-inside: DB::table(...)->latest($COLUMN) + - pattern-inside: DB::table(...)->oldest($COLUMN) + - pattern-inside: DB::table(...)->forPageBeforeId($PERPAGE, $LASTID, $COLUMN) + - pattern-inside: DB::table(...)->forPageAfterId($PERPAGE, $LASTID, $COLUMN) + - pattern-inside: DB::table(...)->value($COLUMN) + - pattern-inside: DB::table(...)->pluck($COLUMN, ...) + - pattern-inside: DB::table(...)->implode($COLUMN, ...) + - pattern-inside: DB::table(...)->min($COLUMN) + - pattern-inside: DB::table(...)->max($COLUMN) + - pattern-inside: DB::table(...)->sum($COLUMN) + - pattern-inside: DB::table(...)->avg($COLUMN) + - pattern-inside: DB::table(...)->average($COLUMN) + - pattern-inside: DB::table(...)->increment($COLUMN, ...) + - pattern-inside: DB::table(...)->decrement($COLUMN, ...) + - pattern-inside: DB::table(...)->where($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhere($COLUMN, ...) + - pattern-inside: DB::table(...)->addSelect($COLUMN) + - patterns: + - pattern: $QUERY + - pattern-inside: DB::unprepared($QUERY) +- id: ruby.rails.security.audit.mime-type-dos.mime-type-dos + metadata: + owasp: A05:2021 - Security Misconfiguration + cwe: + - 'CWE-400: Uncontrolled Resource Consumption' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mime_type_dos.rb + category: security + technology: + - rails + references: + - https://cwe.mitre.org/data/definitions/400.html + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/ruby.rails.security.audit.mime-type-dos.mime-type-dos + shortlink: https://sg.run/Oy3p + semgrep.dev: + rule: + rule_id: 10U56J + version_id: K3TlB8 + url: https://semgrep.dev/playground/r/K3TlB8/ruby.rails.security.audit.mime-type-dos.mime-type-dos + origin: community + message: This rule is deprecated. + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb + shortlink: https://sg.run/eX7l + semgrep.dev: + rule: + rule_id: 9AUZrN + version_id: qkTNzJ + url: https://semgrep.dev/playground/r/qkTNzJ/ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb + origin: community + message: This rule is deprecated. + languages: + - generic + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.rails.security.audit.number-to-currency.number-to-currency + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/ruby.rails.security.audit.number-to-currency.number-to-currency + shortlink: https://sg.run/veD4 + semgrep.dev: + rule: + rule_id: yyUAl9 + version_id: l4T5w2 + url: https://semgrep.dev/playground/r/l4T5w2/ruby.rails.security.audit.number-to-currency.number-to-currency + origin: community + message: This rule is deprecated. + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: ruby.rails.security.audit.quote-table-name.quote-table-name + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_quote_table_name.rb + category: security + technology: + - rails + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.rails.security.audit.quote-table-name.quote-table-name + shortlink: https://sg.run/d1dY + semgrep.dev: + rule: + rule_id: r6U2dJ + version_id: YDToj8 + url: https://semgrep.dev/playground/r/YDToj8/ruby.rails.security.audit.quote-table-name.quote-table-name + origin: community + message: This rule is deprecated. + languages: + - ruby + severity: WARNING + patterns: + - pattern: a() + - pattern: b() +- id: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning + message: 'If possible, it is better to rely on automatic pinning in PyTorch to avoid + undefined behavior and for efficiency ' + languages: + - python + severity: WARNING + metadata: + category: security + cwe: 'CWE-676: Use of Potentially Dangerous Function' + subcategory: + - audit + confidence: HIGH + likelihood: LOW + impact: LOW + technology: + - pytorch + description: '`PyTorch` memory not automatically pinned' + references: + - https://pytorch.org/docs/stable/data.html#memory-pinning + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning + shortlink: https://sg.run/jz5N + semgrep.dev: + rule: + rule_id: WAUN1Z + version_id: 0bT4Q6 + url: https://semgrep.dev/playground/r/0bT4Q6/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning + origin: community + pattern-either: + - patterns: + - pattern: torch.utils.data.DataLoader(...) + - pattern-not: torch.utils.data.DataLoader(..., pin_memory=$VALUE, ...) + - pattern: torch.utils.data.DataLoader(..., pin_memory=False, ...) +- id: trailofbits.python.lxml-in-pandas.lxml-in-pandas + message: Found usage of the `$FLAVOR` library, which is vulnerable to attacks such + as XML external entity (XXE) attacks + languages: + - python + severity: ERROR + metadata: + category: security + cwe: 'CWE-611: Improper Restriction of XML External Entity Reference' + subcategory: + - vuln + confidence: HIGH + likelihood: MEDIUM + impact: MEDIUM + technology: + - pandas + description: Potential XXE attacks from loading `lxml` in pandas + references: + - https://lxml.de/FAQ.html + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas + shortlink: https://sg.run/1z1G + semgrep.dev: + rule: + rule_id: 0oUrdJ + version_id: K3TpPP + url: https://semgrep.dev/playground/r/K3TpPP/trailofbits.python.lxml-in-pandas.lxml-in-pandas + origin: community + pattern-either: + - patterns: + - pattern: pandas.read_html($IO) + - pattern-not: pandas.read_html(**$KWARGS) + - patterns: + - metavariable-pattern: + metavariable: $FLAVOR + patterns: + - pattern: '...' + - pattern-not: | + "bs4" + - pattern-not: | + "html5lib" + - pattern-either: + - pattern: pandas.read_html(..., flavor=$FLAVOR, ...) + - patterns: + - pattern-inside: | + $KWARGS = {..., "flavor": $FLAVOR, ...} + ... + - pattern: | + pandas.read_html(**$KWARGS) +- id: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules + message: Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid + mixing these libraries for efficiency and proper ONNX loading + languages: + - python + severity: WARNING + metadata: + category: performance + subcategory: + - audit + confidence: MEDIUM + technology: + - pytorch + - numpy + description: Uses of `NumPy` functions inside `PyTorch` modules + references: + - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects + license: CC-BY-NC-SA-4.0 + source: https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules + shortlink: https://sg.run/9vxr + semgrep.dev: + rule: + rule_id: KxU507 + version_id: NdTKpl + url: https://semgrep.dev/playground/r/NdTKpl/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules + origin: community + patterns: + - pattern: $RESULT = numpy.$FUNCTION(...) + - pattern-inside: | + class $MODULE(torch.nn.Module): + ... +- id: trailofbits.python.pickles-in-numpy.pickles-in-numpy + message: Functions reliant on pickle can result in arbitrary code execution. Consider + using fickling or switching to a safer serialization method + languages: + - python + severity: ERROR + metadata: + category: security + cwe: 'CWE-502: Deserialization of Untrusted Data' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: + - numpy + description: Potential arbitrary code execution from `NumPy` functions reliant + on pickling + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy + shortlink: https://sg.run/ryKe + semgrep.dev: + rule: + rule_id: lBUWjy + version_id: zyTxXw + url: https://semgrep.dev/playground/r/zyTxXw/trailofbits.python.pickles-in-numpy.pickles-in-numpy + origin: community + patterns: + - pattern: numpy.load(..., allow_pickle=$VALUE, ...) + - pattern-not: numpy.load("...", ...) + - pattern-not: numpy.load(..., file="...", ...) + - metavariable-pattern: + metavariable: $VALUE + patterns: + - pattern-not: | + False + - pattern-not: | + [] + - pattern-not: | + None + - pattern-not: '""' +- id: trailofbits.python.pickles-in-pandas.pickles-in-pandas + message: Functions reliant on pickle can result in arbitrary code execution. Consider + using fickling or switching to a safer serialization method + languages: + - python + severity: ERROR + metadata: + category: security + cwe: 'CWE-502: Deserialization of Untrusted Data' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: + - pandas + description: Potential arbitrary code execution from `Pandas` functions reliant + on pickling + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas + shortlink: https://sg.run/bXQW + semgrep.dev: + rule: + rule_id: PeU06j + version_id: pZTBq8 + url: https://semgrep.dev/playground/r/pZTBq8/trailofbits.python.pickles-in-pandas.pickles-in-pandas + origin: community + patterns: + - pattern-either: + - pattern: pandas.read_pickle(...) + - pattern: pandas.to_pickle(...) + - patterns: + - pattern-inside: | + import pandas + ... + - pattern: $SMTH.to_pickle(...) + - pattern-not: pandas.read_pickle("...") + - pattern-not: pandas.to_pickle(..., "...") + - pattern-not: $SMTH.to_pickle("...") +- id: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch + message: Functions reliant on pickle can result in arbitrary code execution. Consider + loading from `state_dict`, using fickling, or switching to a safer serialization + method like ONNX + languages: + - python + severity: ERROR + metadata: + category: security + cwe: 'CWE-502: Deserialization of Untrusted Data' + subcategory: + - vuln + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: + - pytorch + description: Potential arbitrary code execution from `PyTorch` functions reliant + on pickling + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch + shortlink: https://sg.run/NwQy + semgrep.dev: + rule: + rule_id: JDU6WD + version_id: X0TvoD + url: https://semgrep.dev/playground/r/X0TvoD/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch + origin: community + patterns: + - pattern-either: + - pattern: torch.save(...) + - pattern: torch.load(...) + - pattern-not: torch.load("...") + - pattern-not: torch.save(..., "...") + - pattern-not: torch.save($M.state_dict(), ...) + - pattern-not-inside: $M.load_state_dict(torch.load(...)) +- id: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable + message: 'Variable `$X` is likely modified and later used on error. In some cases + this could result in panics due to a nil dereference ' + languages: + - go + severity: WARNING + metadata: + category: security + cwe: 'CWE-665: Improper Initialization' + subcategory: + - audit + confidence: HIGH + likelihood: MEDIUM + impact: MEDIUM + technology: + - --no-technology-- + description: Possible unintentional assignment when an error occurs + references: + - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable + shortlink: https://sg.run/WWQ2 + semgrep.dev: + rule: + rule_id: kxU6Xb + version_id: PkTpnL + url: https://semgrep.dev/playground/r/PkTpnL/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable + origin: community + patterns: + - pattern-either: + - pattern: | + $X, err = ... + if err != nil { + <... $X ...> + } + - pattern: | + $X, err := ... + if err != nil { + ... + <... $X.$Y ...> + } +- id: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map + message: Iteration over a possibly empty map `$C`. This is likely a bug or redundant + code + languages: + - go + severity: WARNING + metadata: + category: security + cwe: 'CWE-665: Improper Initialization' + subcategory: + - audit + confidence: MEDIUM + likelihood: LOW + impact: LOW + technology: + - --no-technology-- + description: Probably redundant iteration over an empty map + references: + - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ + license: CC-BY-NC-SA-4.0 + vulnerability_class: + - Other + source: https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map + shortlink: https://sg.run/08jj + semgrep.dev: + rule: + rule_id: wdUlww + version_id: JdTJZ7 + url: https://semgrep.dev/playground/r/JdTJZ7/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map + origin: community + patterns: + - pattern: | + $C = make(map[$T1] $T2, ...) + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X] = $V + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X]++ + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X]-- + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $CODEC.Unmarshal($BYTES, &$C) + ... + for $K := range $C { ... } +- id: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug + message: ASP.NET applications built with `debug` set to true in production may leak + debug information to attackers. Debug mode also affects performance and reliability. + Set `debug` to `false` or remove it from `` + severity: WARNING + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-11: ASP.NET Misconfiguration: Creating Debug Binary' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/ + - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx + subcategory: + - audit + technology: + - .net + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug + shortlink: https://sg.run/yPWx + semgrep.dev: + rule: + rule_id: 0oUrvj + version_id: O9Tyje + url: https://semgrep.dev/playground/r/O9Tyje/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug + origin: community + languages: + - generic + paths: + include: + - '*web.config*' + patterns: + - pattern: | + + - pattern-inside: | + + ... + +- id: java.lang.security.audit.crypto.use-of-md5.use-of-md5 + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use HMAC + instead. + languages: + - java + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5 + shortlink: https://sg.run/ryJn + semgrep.dev: + rule: + rule_id: KxU5lW + version_id: DkTQGo + url: https://semgrep.dev/playground/r/DkTQGo/java.lang.security.audit.crypto.use-of-md5.use-of-md5 + origin: community + patterns: + - pattern: | + java.security.MessageDigest.getInstance($ALGO, ...); + - metavariable-regex: + metavariable: $ALGO + regex: (.MD5.) + - focus-metavariable: $ALGO + fix: | + "SHA-512" +- id: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function + applications. + languages: + - java + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1 + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 + shortlink: https://sg.run/bXNp + semgrep.dev: + rule: + rule_id: qNUWNn + version_id: K3TlrD + url: https://semgrep.dev/playground/r/K3TlrD/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 + origin: community + pattern-either: + - pattern: | + java.security.MessageDigest.getInstance("SHA1", ...); + - pattern: | + $DU.getSha1Digest().digest(...) +- id: java.lang.security.audit.crypto.weak-random.weak-random + message: Detected use of the functions `Math.random()` or `java.util.Random()`. + These are both not cryptographically strong random number generators (RNGs). If + you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` + instead. + languages: + - java + severity: WARNING + metadata: + owasp: + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-330: Use of Insufficiently Random Values' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random + shortlink: https://sg.run/NwBp + semgrep.dev: + rule: + rule_id: lBUW5D + version_id: qkTNQE + url: https://semgrep.dev/playground/r/qkTNQE/java.lang.security.audit.crypto.weak-random.weak-random + origin: community + pattern-either: + - pattern: | + new java.util.Random(...).$FUNC(...) + - pattern: | + java.lang.Math.random(...) +- id: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate + patterns: + - pattern: openssl_decrypt(...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + if($DECRYPTED_STRING === false){ + ... + } + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + if($DECRYPTED_STRING == false){ + ... + } + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + if(false === $DECRYPTED_STRING){ + ... + } + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + if(false == $DECRYPTED_STRING){ + ... + } + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + assertTrue(false !== $DECRYPTED_STRING,...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + assertTrue($DECRYPTED_STRING !== false,...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + $REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + $REFERENCE::assertTrue($DECRYPTED_STRING !== false,...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + assert(false !== $DECRYPTED_STRING,...); + - pattern-not-inside: | + $DECRYPTED_STRING = openssl_decrypt(...); + ... + assert($DECRYPTED_STRING !== false,...); + message: The function `openssl_decrypt` returns either a string of the decrypted + data on success or `false` on failure. If the failure case is not handled, this + could lead to undefined behavior in your application. Please handle the case where + `openssl_decrypt` returns `false`. + languages: + - php + severity: WARNING + metadata: + references: + - https://www.php.net/manual/en/function.openssl-decrypt.php + cwe: + - 'CWE-252: Unchecked Return Value' + owasp: + - A02:2021 - Cryptographic Failures + technology: + - php + - openssl + category: security + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate + shortlink: https://sg.run/kzn7 + semgrep.dev: + rule: + rule_id: YGUAoe + version_id: GxT2lj + url: https://semgrep.dev/playground/r/GxT2lj/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate + origin: community +- id: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run + patterns: + - pattern-either: + - pattern: $X.! + - pattern: $X.!! + - pattern: $X.lazyLines + - pattern-inside: | + import sys.process + ... + - pattern-not: | + "...".! + - pattern-not: | + "...".!! + - pattern-not: | + "...".lazyLines + - pattern-not: | + Seq(...).! + - pattern-not: | + Seq(...).!! + - pattern-not: | + Seq(...).lazyLines + - pattern-not-inside: | + val $X = "..." + ... + - pattern-not-inside: | + val $X = Seq(...) + ... + message: Found dynamic content used for the external process. This is dangerous + if arbitrary data can reach this function call because it allows a malicious actor + to execute commands. Use `Seq(...)` for dynamically generated commands. + languages: + - scala + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - scala + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run + shortlink: https://sg.run/wZBY + semgrep.dev: + rule: + rule_id: 6JUEeo + version_id: w8T3PJ + url: https://semgrep.dev/playground/r/w8T3PJ/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run + origin: community +- id: terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted + patterns: + - pattern: | + resource "aws_athena_workgroup" $ANYTHING { + ... + configuration { + ... + result_configuration { + ... + } + ... + } + ... + } + - pattern-not-inside: | + resource "aws_athena_workgroup" $ANYTHING { + ... + configuration { + ... + result_configuration { + ... + encryption_configuration { + ... + } + ... + } + ... + } + ... + } + message: The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects + backups in the work group. To create your own, create a aws_kms_key resource or + use the ARN string of a key in your account. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted + shortlink: https://sg.run/gX7J + semgrep.dev: + rule: + rule_id: NbUXOA + version_id: RGTb6W + url: https://semgrep.dev/playground/r/RGTb6W/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted + origin: community +- id: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version + patterns: + - pattern: | + resource "aws_cloudfront_distribution" $ANYTHING { + ... + viewer_certificate { + ... + } + ... + } + - pattern-not-inside: | + resource "aws_cloudfront_distribution" $ANYTHING { + ... + viewer_certificate { + ... + minimum_protocol_version = "TLSv1.2_2018" + ... + } + ... + } + - pattern-not-inside: | + resource "aws_cloudfront_distribution" $ANYTHING { + ... + viewer_certificate { + ... + minimum_protocol_version = "TLSv1.2_2019" + ... + } + ... + } + - pattern-not-inside: | + resource "aws_cloudfront_distribution" $ANYTHING { + ... + viewer_certificate { + ... + minimum_protocol_version = "TLSv1.2_2021" + ... + } + ... + } + message: Detected an AWS CloudFront Distribution with an insecure TLS version. TLS + versions less than 1.2 are considered insecure because they can be broken. To + fix this, set your `minimum_protocol_version` to `"TLS1.2_2018", "TLS1.2_2019" + or "TLS1.2_2021"`. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version + shortlink: https://sg.run/Q6o4 + semgrep.dev: + rule: + rule_id: kxU6A8 + version_id: BjTEgn + url: https://semgrep.dev/playground/r/BjTEgn/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_cloudtrail" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_cloudtrail" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives + you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk + shortlink: https://sg.run/38kr + semgrep.dev: + rule: + rule_id: wdUl2j + version_id: DkTQPP + url: https://semgrep.dev/playground/r/DkTQPP/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention + patterns: + - pattern: | + resource "aws_cloudwatch_log_group" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_cloudwatch_log_group" $ANYTHING { + ... + retention_in_days = ... + ... + } + message: The AWS CloudWatch Log Group has no retention. Missing retention in log + groups can cause losing important event information. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention + shortlink: https://sg.run/4lwl + semgrep.dev: + rule: + rule_id: x8UGBG + version_id: WrTbXD + url: https://semgrep.dev/playground/r/WrTbXD/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention + origin: community +- id: terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted + patterns: + - pattern: | + resource "aws_cloudwatch_log_group" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_cloudwatch_log_group" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. + However, for added security, it's recommended to configure your own AWS KMS encryption + key to protect your log group in CloudWatch. You can either create a new aws_kms_key + resource or use the ARN of an existing key in your AWS account to do so. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + technology: + - aws + - terraform + category: security + references: + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted + shortlink: https://sg.run/Pg6Y + semgrep.dev: + rule: + rule_id: OrUl0J + version_id: 0bTv8B + url: https://semgrep.dev/playground/r/0bTv8B/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted + origin: community +- id: terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted + patterns: + - pattern: | + resource "aws_codebuild_project" $ANYTHING { + ... + artifacts { + ... + encryption_disabled = true + ... + } + ... + } + - pattern-not-inside: | + resource "aws_codebuild_project" $ANYTHING { + ... + artifacts { + type = "NO_ARTIFACTS" + encryption_disabled = true + } + ... + } + - pattern-not-inside: | + resource "aws_codebuild_project" $ANYTHING { + ... + artifacts { + type = "NO_ARTIFACTS" + } + ... + } + message: The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption + key protects artifacts in the CodeBuild Projects. To create your own, create a + aws_kms_key resource or use the ARN string of a key in your account. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted + shortlink: https://sg.run/JeWw + semgrep.dev: + rule: + rule_id: eqUrdZ + version_id: qkTNdD + url: https://semgrep.dev/playground/r/qkTNdD/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted + origin: community +- id: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted + patterns: + - pattern: | + resource "aws_codebuild_project" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_codebuild_project" $ANYTHING { + ... + encryption_key = ... + ... + } + message: The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects + projects in the CodeBuild. To create your own, create a aws_kms_key resource or + use the ARN string of a key in your account. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted + shortlink: https://sg.run/5yxA + semgrep.dev: + rule: + rule_id: v8U4kG + version_id: l4T5KG + url: https://semgrep.dev/playground/r/l4T5KG/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted + origin: community +- id: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging + patterns: + - pattern: | + resource "aws_db_instance" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_db_instance" $ANYTHING { + ... + enabled_cloudwatch_logs_exports = [$SOMETHING, ...] + ... + } + message: Database instance has no logging. Missing logs can cause missing important + event information. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - vuln + likelihood: MEDIUM + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging + shortlink: https://sg.run/GyAp + semgrep.dev: + rule: + rule_id: d8U4RA + version_id: JdTqBr + url: https://semgrep.dev/playground/r/JdTqBr/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging + origin: community +- id: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_docdb_cluster" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_docdb_cluster" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control + over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk + shortlink: https://sg.run/RyzO + semgrep.dev: + rule: + rule_id: ZqUGEp + version_id: 5PT6RG + url: https://semgrep.dev/playground/r/5PT6RG/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted + patterns: + - pattern: | + resource "aws_dynamodb_table" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_dynamodb_table" $ANYTHING { + ... + server_side_encryption { + enabled = true + kms_key_arn = ... + } + ... + } + message: By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, + for added security, it's recommended to configure your own AWS KMS encryption + key to protect your data in the DynamoDB table. You can either create a new aws_kms_key + resource or use the ARN of an existing key in your AWS account to do so. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted + shortlink: https://sg.run/Ay4p + semgrep.dev: + rule: + rule_id: nJUGe2 + version_id: BjTEgw + url: https://semgrep.dev/playground/r/BjTEgw/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted + origin: community +- id: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_ebs_snapshot_copy" $ANYTHING { + ... + encrypted = true + ... + } + - pattern-not-inside: | + resource "aws_ebs_snapshot_copy" $ANYTHING { + ... + encrypted = true + kms_key_id = ... + ... + } + message: Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you + control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk + shortlink: https://sg.run/ByPW + semgrep.dev: + rule: + rule_id: EwUqko + version_id: DkTQPO + url: https://semgrep.dev/playground/r/DkTQPO/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted + patterns: + - pattern: | + resource "aws_ebs_encryption_by_default" $ANYTHING { + ... + enabled = false + ... + } + message: The AWS EBS is unencrypted. The AWS EBS encryption protects data in the + EBS. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted + shortlink: https://sg.run/Dy5Y + semgrep.dev: + rule: + rule_id: 7KUW7K + version_id: WrTbXb + url: https://semgrep.dev/playground/r/WrTbXb/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted + origin: community +- id: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_ebs_volume" $ANYTHING { + ... + encrypted = true + ... + } + - pattern-not-inside: | + resource "aws_ebs_volume" $ANYTHING { + ... + encrypted = true + kms_key_id = ... + ... + } + message: Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control + over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk + shortlink: https://sg.run/WW14 + semgrep.dev: + rule: + rule_id: L1UPY9 + version_id: 0bTv8O + url: https://semgrep.dev/playground/r/0bTv8O/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip + patterns: + - pattern-either: + - pattern: | + resource "aws_instance" $ANYTHING { + ... + associate_public_ip_address = true + ... + } + - pattern: | + resource "aws_launch_template" $ANYTHING { + ... + network_interfaces { + ... + associate_public_ip_address = true + ... + } + ... + } + message: EC2 instances should not have a public IP address attached in order to + block public access to the instances. To fix this, set your `associate_public_ip_address` + to `"false"`. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip + shortlink: https://sg.run/08rv + semgrep.dev: + rule: + rule_id: 8GUA2n + version_id: qkTNEY + url: https://semgrep.dev/playground/r/qkTNEY/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_efs_file_system" $ANYTHING { + ... + encrypted = true + ... + } + - pattern-not-inside: | + resource "aws_efs_file_system" $ANYTHING { + ... + encrypted = true + kms_key_id = ... + ... + } + message: Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you + control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk + shortlink: https://sg.run/Kk07 + semgrep.dev: + rule: + rule_id: gxUJ4n + version_id: jQTK8r + url: https://semgrep.dev/playground/r/jQTK8r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk + patterns: + - pattern: a() + - pattern: b() + message: This rule has been deprecated. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk + shortlink: https://sg.run/qyAz + semgrep.dev: + rule: + rule_id: QrUnyQ + version_id: 1QTjr4 + url: https://semgrep.dev/playground/r/1QTjr4/terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled + patterns: + - pattern-either: + - pattern: | + resource "aws_elasticsearch_domain" $ANYTHING { + ... + node_to_node_encryption { + ... + enabled = false + ... + } + ... + } + - pattern: | + resource "aws_elasticsearch_domain" $ANYTHING { + ... + cluster_config { + ... + instance_count = $COUNT + ... + } + } + - pattern-not-inside: | + resource "aws_elasticsearch_domain" $ANYTHING { + ... + cluster_config { + ... + instance_count = $COUNT + ... + } + node_to_node_encryption { + ... + enabled = true + ... + } + } + - metavariable-comparison: + metavariable: $COUNT + comparison: $COUNT > 1 + message: "Ensure all Elasticsearch has node-to-node encryption enabled.\t" + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled + shortlink: https://sg.run/lp3y + semgrep.dev: + rule: + rule_id: 3qU6J7 + version_id: yeTXE2 + url: https://semgrep.dev/playground/r/yeTXE2/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled + patterns: + - pattern-either: + - pattern: | + resource "aws_lb" $ANYTHING { + ... + } + - pattern: | + resource "aws_alb" $ANYTHING { + ... + } + - pattern-not-inside: | + resource $ANYLB $ANYTHING { + ... + access_logs { + ... + enabled = true + ... + } + ... + } + - pattern-not-inside: "resource $ANYLB $ANYTHING {\n ...\n subnet_mapping {\n + \ ...\n }\n ...\n} \n" + message: ELB has no logging. Missing logs can cause missing important event information. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled + shortlink: https://sg.run/Yrye + semgrep.dev: + rule: + rule_id: 4bUg3J + version_id: rxTxE4 + url: https://semgrep.dev/playground/r/rxTxE4/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled + origin: community +- id: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk + patterns: + - pattern-inside: | + resource "aws_emr_security_configuration" $ANYTHING { + ... + } + - pattern: configuration = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-not-inside: | + "AwsKmsKey": ... + message: Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control + over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk + shortlink: https://sg.run/6gOo + semgrep.dev: + rule: + rule_id: PeU0L7 + version_id: bZTGn5 + url: https://semgrep.dev/playground/r/bZTGn5/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_fsx_lustre_file_system" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_fsx_lustre_file_system" $ANYTHING { + ... + kms_key_id = ... + ... + } + - pattern-regex: (^aws_kms_key\.(.*)) + message: Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs + gives you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk + shortlink: https://sg.run/oNG9 + semgrep.dev: + rule: + rule_id: JDU6gw + version_id: NdT1bZ + url: https://semgrep.dev/playground/r/NdT1bZ/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_fsx_lustre_file_system" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_fsx_lustre_file_system" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs + gives you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk + shortlink: https://sg.run/zJ6G + semgrep.dev: + rule: + rule_id: 5rUp50 + version_id: kbT7EW + url: https://semgrep.dev/playground/r/kbT7EW/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_fsx_ontap_file_system" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_fsx_ontap_file_system" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs + gives you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk + shortlink: https://sg.run/pyRg + semgrep.dev: + rule: + rule_id: GdUzwK + version_id: w8T3EN + url: https://semgrep.dev/playground/r/w8T3EN/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_fsx_windows_file_system" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_fsx_windows_file_system" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs + gives you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk + shortlink: https://sg.run/2pN0 + semgrep.dev: + rule: + rule_id: ReUqv6 + version_id: xyT4Ew + url: https://semgrep.dev/playground/r/xyT4Ew/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal + patterns: + - pattern-inside: | + resource "aws_glacier_vault" $ANYTHING { + ... + } + - pattern: access_policy = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-inside: | + {..., "Effect": "Allow", ...} + - pattern-either: + - pattern: | + "Principal": "*" + - pattern: | + "Principal": {..., "AWS": "*", ...} + - pattern-inside: | + "Principal": {..., "AWS": ..., ...} + - pattern-regex: | + (^\"arn:aws:iam::\*:(.*)\"$) + message: 'Detected wildcard access granted to Glacier Vault. This means anyone within + your AWS account ID can perform actions on Glacier resources. Instead, limit to + a specific identity in your account, like this: `arn:aws:iam:::`.' + metadata: + category: security + technology: + - aws + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal + shortlink: https://sg.run/XN9K + semgrep.dev: + rule: + rule_id: AbUeYK + version_id: O9Ty9R + url: https://semgrep.dev/playground/r/O9Ty9R/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin + patterns: + - pattern-inside: | + resource "aws_ssoadmin_permission_set_inline_policy" $ANYTHING { + ... + } + - pattern: inline_policy = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-not-inside: | + {..., "Effect": "Deny", ...} + - pattern-either: + - pattern: | + {..., "Action": [..., "*", ...], "Resource": [..., "*", ...], ...} + - pattern: | + {..., "Action": "*", "Resource": "*", ...} + - pattern: | + {..., "Action": "*", "Resource": [...], ...} + - pattern: | + {..., "Action": [...], "Resource": "*", ...} + message: Detected admin access granted in your policy. This means anyone with this + policy can perform administrative actions. Instead, limit actions and resources + to what you need according to least privilege. + metadata: + category: security + technology: + - aws + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin + shortlink: https://sg.run/jzgY + semgrep.dev: + rule: + rule_id: BYUzY5 + version_id: e1TxlA + url: https://semgrep.dev/playground/r/e1TxlA/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy + patterns: + - pattern-inside: | + resource "aws_iam_policy" $ANYTHING { + ... + } + - pattern: policy = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-not-inside: | + {..., "Effect": "Deny", ...} + - pattern-either: + - pattern: | + {..., "Action": [..., "*", ...], "Resource": [..., "*", ...], ...} + - pattern: | + {..., "Action": "*", "Resource": "*", ...} + - pattern: | + {..., "Action": "*", "Resource": [...], ...} + - pattern: | + {..., "Action": [...], "Resource": "*", ...} + message: Detected admin access granted in your policy. This means anyone with this + policy can perform administrative actions. Instead, limit actions and resources + to what you need according to least privilege. + metadata: + category: security + technology: + - aws + - terraform + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy + shortlink: https://sg.run/1zbw + semgrep.dev: + rule: + rule_id: DbUx8l + version_id: vdT2ED + url: https://semgrep.dev/playground/r/vdT2ED/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_imagebuilder_component" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_imagebuilder_component" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs + gives you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk + shortlink: https://sg.run/9vdY + semgrep.dev: + rule: + rule_id: WAUNxL + version_id: d6TDoE + url: https://semgrep.dev/playground/r/d6TDoE/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration + patterns: + - pattern: | + resource "aws_redshift_parameter_group" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_redshift_parameter_group" $ANYTHING { + ... + parameter { + name = "require_ssl" + value = "true" + } + ... + } + - pattern-not-inside: | + resource "aws_redshift_parameter_group" $ANYTHING { + ... + parameter { + name = "require_ssl" + value = true + } + ... + } + message: Detected an AWS Redshift configuration with a SSL disabled. To fix this, + set your `require_ssl` to `"true"`. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration + shortlink: https://sg.run/yPYx + semgrep.dev: + rule: + rule_id: 0oUrOj + version_id: nWT7ED + url: https://semgrep.dev/playground/r/nWT7ED/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_kinesis_stream" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_kinesis_stream" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you + control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk + shortlink: https://sg.run/ryBn + semgrep.dev: + rule: + rule_id: KxU5yW + version_id: ExTnlP + url: https://semgrep.dev/playground/r/ExTnlP/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk + patterns: + - pattern: | + resource "aws_kinesis_video_stream" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_kinesis_video_stream" $ANYTHING { + ... + kms_key_id = ... + ... + } + message: Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives + you control over the encryption key in terms of access and rotation. + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + cwe: + - 'CWE-320: CWE CATEGORY: Key Management Errors' + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk + shortlink: https://sg.run/bXvp + semgrep.dev: + rule: + rule_id: qNUWqn + version_id: LjT0nW + url: https://semgrep.dev/playground/r/LjT0nW/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal + patterns: + - pattern-inside: | + resource "aws_kms_key" $ANYTHING { + ... + } + - pattern: policy = "$STATEMENT" + - metavariable-pattern: + metavariable: $STATEMENT + language: json + patterns: + - pattern-not-inside: | + {..., "Effect": "Deny", ...} + - pattern-either: + - pattern: | + {..., "Principal": "*", "Action": "kms:*", "Resource": "*", ...} + - pattern: | + {..., "Principal": [..., "*", ...], "Action": "kms:*", "Resource": "*", ...} + - pattern: | + {..., "Principal": { "AWS": "*" }, "Action": "kms:*", "Resource": "*", ...} + - pattern: | + {..., "Principal": { "AWS": [..., "*", ...] }, "Action": "kms:*", "Resource": "*", ...} + message: Detected wildcard access granted in your KMS key. This means anyone with + this policy can perform administrative actions over the keys. Instead, limit principals, + actions and resources to what you need according to least privilege. + metadata: + category: security + technology: + - aws + - terraform + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal + shortlink: https://sg.run/Nwlp + semgrep.dev: + rule: + rule_id: lBUWPD + version_id: 8KTb66 + url: https://semgrep.dev/playground/r/8KTb66/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation + patterns: + - pattern-either: + - pattern: | + resource "aws_kms_key" $ANYTHING { + ... + enable_key_rotation = false + ... + } + - pattern: | + resource "aws_kms_key" $ANYTHING { + ... + customer_master_key_spec = "SYMMETRIC_DEFAULT" + enable_key_rotation = false + ... + } + - pattern: | + resource "aws_kms_key" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_kms_key" $ANYTHING { + ... + enable_key_rotation = true + ... + } + - pattern-not-inside: | + resource "aws_kms_key" $ANYTHING { + ... + customer_master_key_spec = "RSA_2096" + ... + } + message: The AWS KMS has no rotation. Missing rotation can cause leaked key to be + used by attackers. To fix this, set a `enable_key_rotation`. + languages: + - hcl + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + technology: + - aws + - terraform + category: security + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation + shortlink: https://sg.run/kz47 + semgrep.dev: + rule: + rule_id: PeU0L3 + version_id: gETqzj + url: https://semgrep.dev/playground/r/gETqzj/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation + origin: community +- id: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials + patterns: + - pattern-inside: | + resource "$ANYTING" $ANYTHING { + ... + environment { + variables = { + ... + } + } + ... + } + - pattern-either: + - pattern-inside: | + AWS_ACCESS_KEY_ID = "$Y" + - pattern-regex: | + (? + - pattern-inside: | + + ... + +- id: csharp.dotnet.security.razor-template-injection.razor-template-injection + message: User-controllable string passed to Razor.Parse. This leads directly to + code execution in the context of the process. + severity: WARNING + metadata: + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + category: security + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + cwe2022-top25: true + owasp: + - A03:2021 - Injection + references: + - https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/ + subcategory: + - vuln + technology: + - .net + - razor + - asp + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection + shortlink: https://sg.run/oyj0 + semgrep.dev: + rule: + rule_id: EwUr68 + version_id: vdT2r2 + url: https://semgrep.dev/playground/r/vdT2r2/csharp.dotnet.security.razor-template-injection.razor-template-injection + origin: community + languages: + - csharp + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $ARG + - pattern-inside: | + public ActionResult $METHOD(..., string $ARG,...){...} + pattern-sinks: + - pattern: | + Razor.Parse(...) + pattern-sanitizers: + - not_conflicting: true + pattern: $F(...) +- id: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings + message: Cookie Secure flag is explicitly disabled. You should enforce this value + to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections. + severity: WARNING + metadata: + likelihood: LOW + impact: LOW + confidence: LOW + category: security + cwe: + - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies + - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL + - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL + subcategory: + - audit + technology: + - .net + - asp + - webforms + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings + shortlink: https://sg.run/z1jd + semgrep.dev: + rule: + rule_id: 7KUxPg + version_id: 7ZTOgD + url: https://semgrep.dev/playground/r/7ZTOgD/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings + origin: community + languages: + - generic + paths: + include: + - '*web.config' + patterns: + - pattern-either: + - pattern: | + requireSSL="false" + - pattern: | + cookieRequireSSL="false" + - pattern-either: + - pattern-inside: | + + - pattern-inside: | + + - pattern-inside: | + +- id: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation + severity: WARNING + languages: + - csharp + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8 + category: security + technology: + - .net + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation + shortlink: https://sg.run/XZ6B + semgrep.dev: + rule: + rule_id: gxUy01 + version_id: QkTJWp + url: https://semgrep.dev/playground/r/QkTJWp/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation + origin: community + message: Validating certificates based on subject name is bad practice. Use the + X509Certificate2.Verify() method instead. + patterns: + - pattern-inside: | + using System.IdentityModel.Tokens; + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + X509SecurityToken $TOK = $RHS; + ... + - pattern-inside: | + $T $M(..., X509SecurityToken $TOK, ...) { + ... + } + - metavariable-pattern: + metavariable: $RHS + pattern-either: + - pattern: $T as X509SecurityToken + - pattern: new X509SecurityToken(...) + - patterns: + - pattern-either: + - pattern-inside: | + X509Certificate2 $CERT = new X509Certificate2(...); + ... + - pattern-inside: | + $T $M(..., X509Certificate2 $CERT, ...) { + ... + } + - pattern-inside: | + foreach (X509Certificate2 $CERT in $COLLECTION) { + ... + } + - patterns: + - pattern-either: + - pattern: String.Equals($NAME, "...") + - pattern: String.Equals("...", $NAME) + - pattern: $NAME.Equals("...") + - pattern: $NAME == "..." + - pattern: $NAME != "..." + - pattern: | + "..." == $NAME + - pattern: | + "..." != $NAME + - metavariable-pattern: + metavariable: $NAME + pattern-either: + - pattern: $TOK.Certificate.SubjectName.Name + - pattern: $CERT.SubjectName.Name + - pattern: $CERT.GetNameInfo(...) +- id: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine + mode: taint + pattern-sources: + - patterns: + - pattern: $A + - pattern-inside: | + Path.Combine(...,$A,...) + - pattern-inside: | + public $TYPE $M(...,$A,...){...} + - pattern-not-inside: | + <... Path.GetFileName($A) != $A ...> + pattern-sinks: + - patterns: + - focus-metavariable: $X + - pattern: | + File.$METHOD($X,...) + - metavariable-regex: + metavariable: $METHOD + regex: (?i)^(read|write) + pattern-sanitizers: + - pattern: | + Path.GetFileName(...) + - patterns: + - pattern-inside: | + $X = Path.GetFileName(...); + ... + - pattern: $X + - patterns: + - pattern: $X + - pattern-inside: | + if(<... Path.GetFileName($X) != $X ...>){ + ... + throw new $EXCEPTION(...); + } + ... + message: String argument $A is used to read or write data from a file via Path.Combine + without direct sanitization via Path.GetFileName. If the path is user-supplied + data this can lead to path traversal. + languages: + - csharp + severity: WARNING + metadata: + category: security + confidence: MEDIUM + references: + - https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/ + - https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks + technology: + - .net + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine + shortlink: https://sg.run/1RvG + semgrep.dev: + rule: + rule_id: 3qU3bE + version_id: PkTYJx + url: https://semgrep.dev/playground/r/PkTYJx/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine + origin: community +- id: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' + owasp: + - A01:2021 - Broken Access Control + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0 + category: security + technology: + - .net + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings + shortlink: https://sg.run/9LJr + semgrep.dev: + rule: + rule_id: 4bUQ81 + version_id: JdTqNo + url: https://semgrep.dev/playground/r/JdTqNo/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings + origin: community + message: The top level wildcard bindings $PREFIX leaves your application open to + security vulnerabilities and give attackers more control over where traffic is + routed. If you must use wildcards, consider using subdomain wildcard binding. + For example, you can use "*.asdf.gov" if you own all of "asdf.gov". + patterns: + - pattern-inside: | + using System.Net; + ... + - pattern: $LISTENER.Prefixes.Add("$PREFIX") + - metavariable-regex: + metavariable: $PREFIX + regex: (http|https)://(\*|\+)(.[a-zA-Z]{2,})?:[0-9]+ +- id: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver + shortlink: https://sg.run/yXjP + semgrep.dev: + rule: + rule_id: PeUxb0 + version_id: RGTbDR + url: https://semgrep.dev/playground/r/RGTbDR/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver + origin: community + message: Only use DataContractResolver if you are completely sure of what information + is being serialized. Malicious types can cause unexpected behavior. + patterns: + - pattern: | + class $MYDCR : DataContractResolver { ... } +- id: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0 + - https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full + shortlink: https://sg.run/rere + semgrep.dev: + rule: + rule_id: JDUlKl + version_id: GxTwen + url: https://semgrep.dev/playground/r/GxTwen/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full + origin: community + message: Using a .NET remoting service can lead to RCE, even if you try to configure + TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf + pattern-either: + - patterns: + - pattern-either: + - pattern: new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL + } + - patterns: + - pattern-inside: | + $TYPE $SP = new BinaryServerFormatterSinkProvider(...); + ... + - pattern: | + $SP.TypeFilterLevel = $LEVEL + - metavariable-regex: + metavariable: $LEVEL + regex: (.*)TypeFilterLevel\.(Full|Low) + - patterns: + - pattern-inside: | + $DICT["typeFilterLevel"] = $VAL; + ... + - pattern: new BinaryServerFormatterSinkProvider(..., $DICT, ...) + - metavariable-regex: + metavariable: $VAL + regex: (\"Full\"|\"Low\") +- id: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-125: Out-of-bounds Read' + owasp: + - A04:2021 - Insecure Design + references: + - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0 + - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0 + category: security + technology: + - .net + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span + shortlink: https://sg.run/b4eW + semgrep.dev: + rule: + rule_id: 5rUyEN + version_id: YDTopx + url: https://semgrep.dev/playground/r/YDTopx/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span + origin: community + message: MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be + used with caution, as the length argument is not checked. + pattern-either: + - pattern: MemoryMarshal.CreateSpan(...) + - pattern: MemoryMarshal.CreateReadOnlySpan(...) +- id: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout + severity: WARNING + languages: + - C# + metadata: + cwe: + - 'CWE-1333: Inefficient Regular Expression Complexity' + owasp: A01:2017 - Injection + references: + - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS + - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout + - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0 + category: security + technology: + - .net + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout + shortlink: https://sg.run/NgRy + semgrep.dev: + rule: + rule_id: GdUDBP + version_id: zyT5Kv + url: https://semgrep.dev/playground/r/zyT5Kv/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout + origin: community + message: 'Specifying the regex timeout leaves the system vulnerable to a regex-based + Denial of Service (DoS) attack. Consider setting the timeout to a short amount + of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double + check that your context meets the conditions outlined in the "Notes to Callers" + section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0' + patterns: + - pattern-inside: | + using System.Text.RegularExpressions; + ... + - pattern-either: + - pattern: new Regex(..., TimeSpan.InfiniteMatchTimeout) + - patterns: + - pattern: new Regex(..., TimeSpan.FromSeconds($TIME)) + - metavariable-comparison: + metavariable: $TIME + comparison: $TIME > 5 + - pattern: new Regex(..., TimeSpan.FromMinutes(...)) + - pattern: new Regex(..., TimeSpan.FromHours(...)) +- id: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $ARG + - pattern-inside: | + public $T $M(...,string $ARG,...){...} + pattern-sinks: + - patterns: + - pattern: | + $XMLDOCUMENT.$METHOD(...) + - pattern-inside: "XmlDocument $XMLDOCUMENT = new XmlDocument(...);\n...\n$XMLDOCUMENT.XmlResolver + = new XmlUrlResolver(...);\n... \n" + message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling + a string argument from a public method. Enabling Document Type Definition (DTD) + parsing may cause XML External Entity (XXE) injection if supplied with user-controllable + data. + languages: + - csharp + severity: WARNING + metadata: + category: security + references: + - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ + - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks + technology: + - .net + - xml + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override + shortlink: https://sg.run/k98P + semgrep.dev: + rule: + rule_id: ReUK9k + version_id: rxTxy7 + url: https://semgrep.dev/playground/r/rxTxy7/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override + origin: community +- id: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $ARG + - pattern-inside: | + public $T $M(...,string $ARG,...){...} + pattern-sinks: + - patterns: + - pattern: | + XmlReader $READER = XmlReader.Create(...,$RS,...); + - pattern-inside: "XmlReaderSettings $RS = new XmlReaderSettings();\n...\n$RS.DtdProcessing + = DtdProcessing.Parse;\n... \n" + message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling + a string argument from a public method. Enabling Document Type Definition (DTD) + parsing may cause XML External Entity (XXE) injection if supplied with user-controllable + data. + languages: + - csharp + severity: WARNING + metadata: + category: security + references: + - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ + - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks + technology: + - .net + - xml + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override + shortlink: https://sg.run/wXjA + semgrep.dev: + rule: + rule_id: AbU3pX + version_id: bZTGbe + url: https://semgrep.dev/playground/r/bZTGbe/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override + origin: community +- id: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $ARG + - pattern-inside: | + public $T $M(...,string $ARG,...){...} + pattern-sinks: + - patterns: + - pattern: | + $READER.$METHOD(...) + - pattern-not-inside: | + $READER.DtdProcessing = DtdProcessing.Prohibit; + ... + - pattern-inside: | + XmlTextReader $READER = new XmlTextReader(...); + ... + message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling + a string argument from a public method. Enabling Document Type Definition (DTD) + parsing may cause XML External Entity (XXE) injection if supplied with user-controllable + data. + languages: + - csharp + severity: WARNING + metadata: + category: security + references: + - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ + - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks + technology: + - .net + - xml + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults + shortlink: https://sg.run/xXjL + semgrep.dev: + rule: + rule_id: BYUevk + version_id: NdT13R + url: https://semgrep.dev/playground/r/NdT13R/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults + origin: community +- id: go.aws-lambda.security.database-sqli.database-sqli + languages: + - go + message: Detected SQL statement that is tainted by `$EVENT` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' + calls. + mode: taint + metadata: + references: + - https://pkg.go.dev/database/sql#DB.Query + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - database + - sql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli + shortlink: https://sg.run/e5e8 + semgrep.dev: + rule: + rule_id: WAUdJ7 + version_id: 0bTv2x + url: https://semgrep.dev/playground/r/0bTv2x/go.aws-lambda.security.database-sqli.database-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $DB.Exec($QUERY,...) + - pattern: $DB.ExecContent($QUERY,...) + - pattern: $DB.Query($QUERY,...) + - pattern: $DB.QueryContext($QUERY,...) + - pattern: $DB.QueryRow($QUERY,...) + - pattern: $DB.QueryRowContext($QUERY,...) + - pattern-inside: | + import "database/sql" + ... + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + func $HANDLER($CTX $CTXTYPE, $EVENT $TYPE, ...) {...} + ... + lambda.Start($HANDLER, ...) + - patterns: + - pattern-inside: | + func $HANDLER($EVENT $TYPE) {...} + ... + lambda.Start($HANDLER, ...) + - pattern-not-inside: | + func $HANDLER($EVENT context.Context) {...} + ... + lambda.Start($HANDLER, ...) + - focus-metavariable: $EVENT + severity: WARNING +- id: go.aws-lambda.security.tainted-sql-string.tainted-sql-string + languages: + - go + severity: ERROR + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/vX3Y + semgrep.dev: + rule: + rule_id: 0oUwqg + version_id: K3Tl7v + url: https://semgrep.dev/playground/r/K3Tl7v/go.aws-lambda.security.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + func $HANDLER($CTX $CTXTYPE, $EVENT $TYPE, ...) {...} + ... + lambda.Start($HANDLER, ...) + - patterns: + - pattern-inside: | + func $HANDLER($EVENT $TYPE) {...} + ... + lambda.Start($HANDLER, ...) + - pattern-not-inside: | + func $HANDLER($EVENT context.Context) {...} + ... + lambda.Start($HANDLER, ...) + - focus-metavariable: $EVENT + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: | + "$SQLSTR" + ... + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(\s*select|\s*delete|\s*insert|\s*create|\s*update|\s*alter|\s*drop).* + - patterns: + - pattern-either: + - pattern: fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: fmt.Sprintf("$SQLSTR", ...) + - pattern: fmt.Printf("$SQLSTR", ...) + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*%(v|s|q).* + - pattern-not-inside: | + log.$PRINT(...) + pattern-sanitizers: + - pattern: strconv.Atoi(...) +- id: go.lang.security.filepath-clean-misuse.filepath-clean-misuse + message: '`Clean` is not intended to sanitize against path traversal attacks. This + function is for finding the shortest path name equivalent to the given input. + Using `Clean` to sanitize file reads may expose this application to path traversal + attacks, where an attacker could access arbitrary files on the server. To fix + this easily, write this: `filepath.FromSlash(path.Clean("/"+strings.Trim(req.URL.Path, + "/")))` However, a better solution is using the `SecureJoin` function in the package + `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.' + severity: ERROR + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQUEST : *http.Request).$ANYTHING + - pattern: | + ($REQUEST : http.Request).$ANYTHING + - metavariable-regex: + metavariable: $ANYTHING + regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ + pattern-sinks: + - patterns: + - pattern-either: + - pattern: filepath.Clean($...INNER) + - pattern: path.Clean($...INNER) + pattern-sanitizers: + - pattern-either: + - pattern: | + "/" + ... + fix: filepath.FromSlash(filepath.Clean("/"+strings.Trim($...INNER, "/"))) + metadata: + references: + - https://pkg.go.dev/path#Clean + - http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html + - https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/ + - https://dzx.cz/2021/04/02/go_path_traversal/ + - https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + category: security + technology: + - go + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse + shortlink: https://sg.run/ZKzw + semgrep.dev: + rule: + rule_id: qNUQJe + version_id: l4T5Wp + url: https://semgrep.dev/playground/r/l4T5Wp/go.lang.security.filepath-clean-misuse.filepath-clean-misuse + origin: community +- id: go.template.security.ssti.go-ssti + patterns: + - pattern-inside: | + import ("html/template") + ... + - pattern: $TEMPLATE = fmt.Sprintf("...", $ARG, ...) + - patterns: + - pattern-either: + - pattern-inside: | + func $FN(..., $REQ *http.Request, ...){ + ... + } + - pattern-inside: | + func $FN(..., $REQ http.Request, ...){ + ... + } + - pattern-inside: | + func(..., $REQ *http.Request, ...){ + ... + } + - patterns: + - pattern-either: + - pattern-inside: | + $ARG := $REQ.URL.Query().Get(...) + ... + $T, $ERR := $TMPL.Parse($TEMPLATE) + - pattern-inside: | + $ARG := $REQ.Form.Get(...) + ... + $T, $ERR := $TMPL.Parse($TEMPLATE) + - pattern-inside: | + $ARG := $REQ.PostForm.Get(...) + ... + $T, $ERR := $TMPL.Parse($TEMPLATE) + message: A server-side template injection occurs when an attacker is able to use + native template syntax to inject a malicious payload into a template, which is + then executed server-side. When using "html/template" always check that user inputs + are validated and sanitized before included within the template. + languages: + - go + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine' + references: + - https://www.onsecurity.io/blog/go-ssti-method-research/ + - http://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html + technology: + - go + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + source: https://semgrep.dev/r/go.template.security.ssti.go-ssti + shortlink: https://sg.run/n9jY + semgrep.dev: + rule: + rule_id: lBUy1N + version_id: pZTvkz + url: https://semgrep.dev/playground/r/pZTvkz/go.template.security.ssti.go-ssti + origin: community +- id: java.aws-lambda.security.tainted-sql-string.tainted-sql-string + languages: + - java + severity: ERROR + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/EBYN + semgrep.dev: + rule: + rule_id: YGUl4z + version_id: NdT1XP + url: https://semgrep.dev/playground/r/NdT1XP/java.aws-lambda.security.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $EVENT + - pattern-either: + - pattern: | + $HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { + ... + } + - pattern: | + $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { + ... + } + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR".concat(...) + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder("$SQLSTR"); + ... + - pattern: $SB.append(...) + - patterns: + - pattern-inside: | + $VAR = "$SQLSTR"; + ... + - pattern: $VAR += ... + - pattern: String.format("$SQLSTR", ...) + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop)\b + - pattern-not-inside: | + System.out.$PRINTLN(...) +- id: java.aws-lambda.security.tainted-sqli.tainted-sqli + message: Detected SQL statement that is tainted by `$EVENT` object. This could lead + to SQL injection if variables in the SQL statement are not properly sanitized. + Use parameterized SQL queries or properly sanitize user input instead. + languages: + - java + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $EVENT + - pattern-either: + - pattern: | + $HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { + ... + } + - pattern: | + $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { + ... + } + pattern-sinks: + - patterns: + - pattern-either: + - pattern: "(java.sql.CallableStatement $STMT) = ...; \n" + - pattern: | + (java.sql.Statement $STMT) = ...; + - pattern: | + (java.sql.PreparedStatement $STMT) = ...; + - pattern: | + $VAR = $CONN.prepareStatement(...) + - pattern: | + $PATH.queryForObject(...); + - pattern: | + (java.util.Map $STMT) = $PATH.queryForMap(...); + - pattern: | + (org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...; + - patterns: + - pattern-inside: | + (String $SQL) = "$SQLSTR" + ...; + ... + - pattern: $PATH.$SQLCMD(..., $SQL, ...); + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*) + - metavariable-regex: + metavariable: $SQLCMD + regex: (execute|query|executeUpdate) + metadata: + category: security + technology: + - sql + - java + - aws-lambda + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli + shortlink: https://sg.run/7942 + semgrep.dev: + rule: + rule_id: 6JUDWk + version_id: kbT76J + url: https://semgrep.dev/playground/r/kbT76J/java.aws-lambda.security.tainted-sqli.tainted-sqli + origin: community +- id: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request + message: Detected input from a HTTPServletRequest going into a SQL sink or statement. + This could lead to SQL injection if variables in the SQL statement are not properly + sanitized. Use parameterized SQL queries or properly sanitize user input instead. + severity: WARNING + metadata: + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + - https://owasp.org/www-community/attacks/SQL_Injection + subcategory: + - vuln + technology: + - sql + - java + - servlets + - spring + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request + shortlink: https://sg.run/Lg56 + semgrep.dev: + rule: + rule_id: oqUBJG + version_id: vdT2v5 + url: https://semgrep.dev/playground/r/vdT2v5/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request + origin: community + languages: + - java + mode: taint + options: + taint_assume_safe_numbers: true + taint_assume_safe_booleans: true + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ).$REQFUNC(...) + - pattern: "(ServletRequest $REQ).$REQFUNC(...) \n" + - metavariable-regex: + metavariable: $REQFUNC + regex: (getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: "(java.sql.CallableStatement $STMT) = ...; \n" + - pattern: | + (java.sql.Statement $STMT) = ...; + ... + $OUTPUT = $STMT.$FUNC(...); + - pattern: | + (java.sql.PreparedStatement $STMT) = ...; + - pattern: | + $VAR = $CONN.prepareStatement(...) + - pattern: | + $PATH.queryForObject(...); + - pattern: | + (java.util.Map $STMT) = $PATH.queryForMap(...); + - pattern: | + (org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...; + - patterns: + - pattern-inside: | + (String $SQL) = "$SQLSTR" + ...; + ... + - pattern: $PATH.$SQLCMD(..., $SQL, ...); + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*) + - metavariable-regex: + metavariable: $SQLCMD + regex: (execute|query|executeUpdate) +- id: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request + message: Detected input from a HTTPServletRequest going into a 'ProcessBuilder' + or 'exec' command. This could lead to command injection if variables passed into + the exec commands are not properly sanitized. Instead, avoid using these OS commands + with user-supplied input, or, if you must use these commands, use a whitelist + of specific values. + languages: + - java + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ) + - patterns: + - pattern-inside: | + (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); + ... + for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { + ... + } + - pattern: | + $COOKIE.getValue(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (ProcessBuilder $PB) = ...; + - pattern: | + (Process $P) = ...; + - patterns: + - pattern-either: + - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder + $PB) = ...;\n...\n$PB.command($ARGLIST);\n" + - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder + $PB) = ...;\n" + - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(Process + $P) = ...;\n" + - pattern: | + $ARGLIST.add(...); + metadata: + category: security + technology: + - java + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request + shortlink: https://sg.run/8zPN + semgrep.dev: + rule: + rule_id: zdUWrg + version_id: nWT7nG + url: https://semgrep.dev/playground/r/nWT7nG/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request + origin: community +- id: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request + message: Detected input from a HTTPServletRequest going into an LDAP query. This + could lead to LDAP injection if the input is not properly sanitized, which could + result in attackers modifying objects in the LDAP tree structure. Ensure data + passed to an LDAP query is not controllable or properly sanitize the data. + metadata: + cwe: + - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP + Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection + category: security + technology: + - java + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - LDAP Injection + source: https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request + shortlink: https://sg.run/gRg0 + semgrep.dev: + rule: + rule_id: pKUXAv + version_id: ExTn1r + url: https://semgrep.dev/playground/r/ExTn1r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request + origin: community + severity: WARNING + languages: + - java + mode: taint + pattern-sources: + - patterns: + - pattern: (HttpServletRequest $REQ) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (javax.naming.directory.InitialDirContext $IDC).search(...) + - pattern: | + (javax.naming.directory.DirContext $CTX).search(...) + - pattern-not: | + (javax.naming.directory.InitialDirContext $IDC).search($Y, "...", ...) + - pattern-not: | + (javax.naming.directory.DirContext $CTX).search($Y, "...", ...) +- id: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request + message: Detected input from a HTTPServletRequest going into a session command, + like `setAttribute`. User input into such a command could lead to an attacker + inputting malicious code into your session parameters, blurring the line between + what's trusted and untrusted, and therefore leading to a trust boundary violation. + This could lead to programmers trusting unvalidated data. Instead, thoroughly + sanitize user input before passing it into such function calls. + languages: + - java + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern: | + (HttpServletRequest $REQ).$FUNC(...) + - pattern-not: | + (HttpServletRequest $REQ).getSession() + - patterns: + - pattern-inside: | + (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); + ... + for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { + ... + } + - pattern: | + $COOKIE.getValue(...) + - patterns: + - pattern-inside: | + $TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... ); + ... + - pattern: | + $PARAM = $VALS[$INDEX]; + - patterns: + - pattern-inside: | + $HEADERS = (HttpServletRequest $REQ).getHeaders(...); + ... + $PARAM = $HEADERS.$FUNC(...); + ... + - pattern: | + java.net.URLDecoder.decode($PARAM, ...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: (HttpServletRequest $REQ).getSession().$FUNC(...); + metadata: + category: security + technology: + - java + cwe: + - 'CWE-501: Trust Boundary Violation' + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request + shortlink: https://sg.run/QbDZ + semgrep.dev: + rule: + rule_id: 2ZU7Eo + version_id: 7ZTObb + url: https://semgrep.dev/playground/r/7ZTObb/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request + origin: community +- id: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request + message: Detected input from a HTTPServletRequest going into a XPath evaluate or + compile command. This could lead to xpath injection if variables passed into the + evaluate or compile commands are not properly sanitized. Xpath injection could + lead to unauthorized access to sensitive information in XML documents. Instead, + thoroughly sanitize user input or use parameterized xpath queries if you can. + languages: + - java + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: | + (HttpServletRequest $REQ).$FUNC(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (javax.xml.xpath.XPath $XP).evaluate(...) + - pattern: | + (javax.xml.xpath.XPath $XP).compile(...).evaluate(...) + metadata: + category: security + technology: + - java + cwe: + - 'CWE-643: Improper Neutralization of Data within XPath Expressions (''XPath + Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XPath Injection + source: https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request + shortlink: https://sg.run/3BvK + semgrep.dev: + rule: + rule_id: X5U5nj + version_id: LjT0zX + url: https://semgrep.dev/playground/r/LjT0zX/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request + origin: community +- id: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + - https://xerces.apache.org/xerces2-j/features.html + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false + shortlink: https://sg.run/4Dv5 + semgrep.dev: + rule: + rule_id: j2UrJ8 + version_id: BjTEK4 + url: https://semgrep.dev/playground/r/BjTEK4/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false + origin: community + message: DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external + entity declarations, this is vulnerable to XML external entity attacks. Disable + this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" + to true. Alternatively, allow DOCTYPE declarations and only prohibit external + entities declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" + and "http://xml.org/sax/features/external-parameter-entities" to false. + patterns: + - pattern: $DBFACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", + false); + - pattern-not-inside: | + $RETURNTYPE $METHOD(...){ + ... + $DBF.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $DBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + } + - pattern-not-inside: | + $RETURNTYPE $METHOD(...){ + ... + $DBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $DBF.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + } + - pattern-not-inside: | + $RETURNTYPE $METHOD(...){ + ... + $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + ... + } + - pattern-not-inside: | + $RETURNTYPE $METHOD(...){ + ... + $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + ... + $DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + } + languages: + - java +- id: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + - https://xerces.apache.org/xerces2-j/features.html + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing + shortlink: https://sg.run/PYBz + semgrep.dev: + rule: + rule_id: 10UPQB + version_id: DkTQ2o + url: https://semgrep.dev/playground/r/DkTQ2o/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing + origin: community + message: DOCTYPE declarations are enabled for this DocumentBuilderFactory. This + is vulnerable to XML external entity attacks. Disable this by setting the feature + "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, + allow DOCTYPE declarations and only prohibit external entities declarations. This + can be done by setting the features "http://xml.org/sax/features/external-general-entities" + and "http://xml.org/sax/features/external-parameter-entities" to false. + mode: taint + pattern-sources: + - by-side-effect: true + patterns: + - pattern-either: + - pattern: | + $FACTORY = DocumentBuilderFactory.newInstance(); + - patterns: + - pattern: $FACTORY + - pattern-inside: | + class $C { + ... + $V $FACTORY = DocumentBuilderFactory.newInstance(); + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = DocumentBuilderFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = DocumentBuilderFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = DocumentBuilderFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + } + ... + } + pattern-sinks: + - patterns: + - pattern: $FACTORY.newDocumentBuilder(); + pattern-sanitizers: + - by-side-effect: true + pattern-either: + - patterns: + - pattern-either: + - pattern: | + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + - pattern: | + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + - pattern: | + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + - focus-metavariable: $FACTORY + - patterns: + - pattern-either: + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", + true); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities",false); + ... + } + ... + } + - pattern: $M($X) + - focus-metavariable: $X + fix: | + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + $FACTORY.newDocumentBuilder(); + languages: + - java +- id: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true + shortlink: https://sg.run/JgPy + semgrep.dev: + rule: + rule_id: 9AUJ6r + version_id: WrTbY2 + url: https://semgrep.dev/playground/r/WrTbY2/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true + origin: community + message: External entities are allowed for $DBFACTORY. This is vulnerable to XML + external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-general-entities" + to false. + pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", + true); + fix: $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", + false); + languages: + - java +- id: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true + shortlink: https://sg.run/5Lv0 + semgrep.dev: + rule: + rule_id: yyUNeo + version_id: 0bTvpY + url: https://semgrep.dev/playground/r/0bTvpY/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true + origin: community + message: External entities are allowed for $DBFACTORY. This is vulnerable to XML + external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-parameter-entities" + to false. + pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", + true); + fix: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", + false); + languages: + - java +- id: javascript.aws-lambda.security.detect-child-process.detect-child-process + message: Allowing spawning arbitrary programs or running shell processes with arbitrary + arguments may end up in a command injection vulnerability. Try to avoid non-literal + values for the command string. If it is not possible, then do not let running + arbitrary commands, use a white list for inputs. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + category: security + technology: + - javascript + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process + shortlink: https://sg.run/Ggoq + semgrep.dev: + rule: + rule_id: r6UDNQ + version_id: YDTovW + url: https://semgrep.dev/playground/r/YDTovW/javascript.aws-lambda.security.detect-child-process.detect-child-process + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern: $EVENT + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: exec($CMD,...) + - pattern: execSync($CMD,...) + - pattern: spawn($CMD,...) + - pattern: spawnSync($CMD,...) + - pattern: $CP.exec($CMD,...) + - pattern: $CP.execSync($CMD,...) + - pattern: $CP.spawn($CMD,...) + - pattern: $CP.spawnSync($CMD,...) + - pattern-either: + - pattern-inside: | + require('child_process') + ... + - pattern-inside: | + import 'child_process' + ... +- id: javascript.aws-lambda.security.knex-sqli.knex-sqli + message: 'Detected SQL statement that is tainted by `$EVENT` object. This could + lead to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `knex.raw(''SELECT $1 from + table'', [userinput])`' + metadata: + references: + - https://knexjs.org/#Builder-fromRaw + - https://knexjs.org/#Builder-whereRaw + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - knex + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli + shortlink: https://sg.run/RgWq + semgrep.dev: + rule: + rule_id: bwUBlj + version_id: 5PT69b + url: https://semgrep.dev/playground/r/5PT69b/javascript.aws-lambda.security.knex-sqli.knex-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $KNEX.fromRaw($QUERY, ...) + - pattern: $KNEX.whereRaw($QUERY, ...) + - pattern: $KNEX.raw($QUERY, ...) + - pattern-either: + - pattern-inside: | + require('knex') + ... + - pattern-inside: | + import 'knex' + ... +- id: javascript.aws-lambda.security.mysql-sqli.mysql-sqli + message: 'Detected SQL statement that is tainted by `$EVENT` object. This could + lead to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `connection.query(''SELECT + $1 from table'', [userinput])`' + metadata: + references: + - https://www.npmjs.com/package/mysql2 + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - mysql + - mysql2 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli + shortlink: https://sg.run/A502 + semgrep.dev: + rule: + rule_id: NbUBJ2 + version_id: GxT2Pd + url: https://semgrep.dev/playground/r/GxT2Pd/javascript.aws-lambda.security.mysql-sqli.mysql-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $POOL.query($QUERY, ...) + - pattern: $POOL.execute($QUERY, ...) + - pattern-either: + - pattern-inside: | + require('mysql') + ... + - pattern-inside: | + require('mysql2') + ... + - pattern-inside: | + require('mysql2/promise') + ... + - pattern-inside: | + import 'mysql' + ... + - pattern-inside: | + import 'mysql2' + ... + - pattern-inside: | + import 'mysql2/promise' + ... +- id: javascript.aws-lambda.security.pg-sqli.pg-sqli + message: 'Detected SQL statement that is tainted by `$EVENT` object. This could + lead to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `connection.query(''SELECT + $1 from table'', [userinput])`' + metadata: + references: + - https://node-postgres.com/features/queries + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - postgres + - pg + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli + shortlink: https://sg.run/BGKA + semgrep.dev: + rule: + rule_id: kxU25P + version_id: RGTbAG + url: https://semgrep.dev/playground/r/RGTbAG/javascript.aws-lambda.security.pg-sqli.pg-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $DB.query($QUERY, ...) + - pattern-either: + - pattern-inside: | + require('pg') + ... + - pattern-inside: | + import 'pg' + ... +- id: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli + message: 'Detected SQL statement that is tainted by `$EVENT` object. This could + lead to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `sequelize.query(''SELECT + * FROM projects WHERE status = ?'', { replacements: [''active''], type: QueryTypes.SELECT + });`' + metadata: + references: + - https://sequelize.org/master/manual/raw-queries.html + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - sequelize + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli + shortlink: https://sg.run/DAlP + semgrep.dev: + rule: + rule_id: wdUA5o + version_id: A8TRJl + url: https://semgrep.dev/playground/r/A8TRJl/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $DB.query($QUERY, ...) + - pattern-either: + - pattern-inside: | + require('sequelize') + ... + - pattern-inside: | + import 'sequelize' + ... +- id: javascript.aws-lambda.security.tainted-eval.tainted-eval + message: The `eval()` function evaluates JavaScript code represented as a string. + Executing JavaScript from a string is an enormous security risk. It is far too + easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated + content is not definable by external sources. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + category: security + technology: + - javascript + - aws-lambda + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval + shortlink: https://sg.run/WjY2 + semgrep.dev: + rule: + rule_id: x8UNw5 + version_id: BjTE1Z + url: https://semgrep.dev/playground/r/BjTE1Z/javascript.aws-lambda.security.tainted-eval.tainted-eval + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: $EVENT + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + pattern-sinks: + - patterns: + - focus-metavariable: $CODE + - pattern-either: + - pattern: eval($CODE) + - pattern: Function(...,$CODE) + - pattern: new Function(...,$CODE) +- id: javascript.aws-lambda.security.tainted-html-response.tainted-html-response + message: Detected user input flowing into an HTML response. You may be accidentally + bypassing secure methods of rendering HTML by manually constructing HTML and this + could create a cross-site scripting vulnerability, which could let attackers steal + sensitive user data. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response + shortlink: https://sg.run/0Gvj + semgrep.dev: + rule: + rule_id: OrUJBY + version_id: DkTQNj + url: https://semgrep.dev/playground/r/DkTQNj/javascript.aws-lambda.security.tainted-html-response.tainted-html-response + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - focus-metavariable: $BODY + - pattern-inside: | + {..., headers: {..., 'Content-Type': 'text/html', ...}, body: $BODY, ... } +- id: javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/KgJ5 + semgrep.dev: + rule: + rule_id: eqUDqW + version_id: 0bTv1A + url: https://semgrep.dev/playground/r/0bTv1A/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + $EXPR + - pattern: | + "$SQLSTR".concat(...) + - pattern: util.format($SQLSTR, ...) + - metavariable-regex: + metavariable: $SQLSTR + regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - patterns: + - pattern: | + `...${...}...` + - pattern-regex: | + .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - pattern-not-inside: | + console.$LOG(...) +- id: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection + message: The `vm` module enables compiling and running code within V8 Virtual Machine + contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted + code. If code passed to `vm` functions is controlled by user input it could result + in command injection. Do not let user input in `vm` functions. + metadata: + owasp: + - A03:2021 - Injection + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + category: security + technology: + - javascript + - aws-lambda + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection + shortlink: https://sg.run/q9w7 + semgrep.dev: + rule: + rule_id: v8UOdZ + version_id: K3TlJp + url: https://semgrep.dev/playground/r/K3TlJp/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern: $EVENT + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('vm'); + ... + - pattern-inside: | + import 'vm' + ... + - pattern-either: + - pattern: $VM.runInContext($X,...) + - pattern: $VM.runInNewContext($X,...) + - pattern: $VM.runInThisContext($X,...) + - pattern: $VM.compileFunction($X,...) + - pattern: new $VM.Script($X,...) + - pattern: new $VM.SourceTextModule($X,...) + - pattern: runInContext($X,...) + - pattern: runInNewContext($X,...) + - pattern: runInThisContext($X,...) + - pattern: compileFunction($X,...) + - pattern: new Script($X,...) + - pattern: new SourceTextModule($X,...) +- id: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli + message: 'Detected SQL statement that is tainted by `$REQ` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, it is recommended to use parameterized queries + or prepared statements. An example of parameterized queries like so: `knex.raw(''SELECT + $1 from table'', [userinput])` can help prevent SQLi.' + metadata: + confidence: MEDIUM + references: + - https://knexjs.org/#Builder-fromRaw + - https://knexjs.org/#Builder-whereRaw + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - express + - nodejs + - knex + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli + shortlink: https://sg.run/l9eE + semgrep.dev: + rule: + rule_id: d8UKLD + version_id: qkTNRp + url: https://semgrep.dev/playground/r/qkTNRp/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options) + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - pattern: $REQ.files.$ANYTHING.data.toString('utf8') + - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - pattern: files.$ANYTHING.data.toString('utf8') + - pattern: files.$ANYTHING['data'].toString('utf8') + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern-inside: $KNEX.fromRaw($QUERY, ...) + - pattern-inside: $KNEX.whereRaw($QUERY, ...) + - pattern-inside: $KNEX.raw($QUERY, ...) + - pattern-either: + - pattern-inside: | + require('knex') + ... + - pattern-inside: | + import 'knex' + ... + pattern-sanitizers: + - patterns: + - pattern: parseInt(...) +- id: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli + message: Detected a `$IMPORT` SQL statement that comes from a function argument. + This could lead to SQL injection if the variable is user-controlled and is not + properly sanitized. In order to prevent SQL injection, it is recommended to use + parameterized queries or prepared statements. + metadata: + references: + - https://www.npmjs.com/package/mysql2 + - https://www.npmjs.com/package/mysql + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + confidence: LOW + technology: + - mysql + - mysql2 + - javascript + - nodejs + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli + shortlink: https://sg.run/Y0oy + semgrep.dev: + rule: + rule_id: ZqUlWE + version_id: YDToZ2 + url: https://semgrep.dev/playground/r/YDToZ2/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: function ... (..., $Y,...) {...} + - pattern: $Y + - pattern-not-inside: | + function ... (..., $Y: number,...) {...} + - pattern-not-inside: $Y.query + - pattern-not-inside: $Y.body + - pattern-not-inside: $Y.params + - pattern-not-inside: $Y.cookies + - pattern-not-inside: $Y.headers + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern-inside: $POOL.query($QUERY, ...) + - pattern-inside: $POOL.execute($QUERY, ...) + - pattern-either: + - pattern-inside: | + import $S from "$IMPORT" + ... + - pattern-inside: | + import { ... } from "$IMPORT" + ... + - pattern-inside: | + import * as $S from "$IMPORT" + ... + - pattern-inside: | + require("$IMPORT") + ... + - metavariable-regex: + metavariable: $IMPORT + regex: (mysql|mysql2) + pattern-sanitizers: + - patterns: + - pattern: parseInt(...) +- id: php.lang.security.deserialization.extract-user-data + mode: taint + pattern-sources: + - pattern-either: + - pattern: $_GET[...] + - pattern: $_FILES[...] + - pattern: $_POST[...] + pattern-sinks: + - pattern: extract(...) + pattern-sanitizers: + - pattern: extract($VAR, EXTR_SKIP,...) + message: Do not call 'extract()' on user-controllable data. If you must, then you + must also provide the EXTR_SKIP flag to prevent overwriting existing variables. + languages: + - php + metadata: + category: security + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + technology: + - php + references: + - https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data + shortlink: https://sg.run/6bv1 + semgrep.dev: + rule: + rule_id: nJUykq + version_id: BjTEyB + url: https://semgrep.dev/playground/r/BjTEyB/php.lang.security.deserialization.extract-user-data + origin: community + severity: ERROR +- id: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: asyncio.create_subprocess_exec($PROG, $CMD, ...) + - pattern: asyncio.create_subprocess_exec($PROG, [$CMD, ...], ...) + - pattern: asyncio.subprocess.create_subprocess_exec($PROG, $CMD, ...) + - pattern: asyncio.subprocess.create_subprocess_exec($PROG, [$CMD, ...], ...) + - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...) + - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...], ...) + - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...) + - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...], ...) + message: Detected 'create_subprocess_exec' function with argument tainted by `event` + object. If this data can be controlled by a malicious actor, it may be an instance + of command injection. Audit the use of this call to ensure it is not controllable + by an external resource. You may consider using 'shlex.escape()'. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec + - https://docs.python.org/3/library/shlex.html + category: security + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec + shortlink: https://sg.run/oyv0 + semgrep.dev: + rule: + rule_id: EwUrX8 + version_id: 7ZTOPe + url: https://semgrep.dev/playground/r/7ZTOPe/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec + origin: community + languages: + - python + severity: ERROR +- id: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: $LOOP.subprocess_exec($PROTOCOL, $CMD, ...) + - pattern: $LOOP.subprocess_exec($PROTOCOL, [$CMD, ...], ...) + - pattern: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...) + - pattern: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", + "-c", $CMD, ...], ...) + message: Detected subprocess function '$LOOP.subprocess_exec' with argument tainted + by `event` object. If this data can be controlled by a malicious actor, it may + be an instance of command injection. Audit the use of this call to ensure it is + not controllable by an external resource. You may consider using 'shlex.escape()'. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec + - https://docs.python.org/3/library/shlex.html + category: security + technology: + - python + - aws-lambda + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec + shortlink: https://sg.run/z14d + semgrep.dev: + rule: + rule_id: 7KUxXg + version_id: LjT0Br + url: https://semgrep.dev/playground/r/LjT0Br/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec + origin: community + languages: + - python + severity: ERROR +- id: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: $LOOP.subprocess_shell($PROTOCOL, $CMD) + - pattern: asyncio.subprocess.create_subprocess_shell($CMD, ...) + - pattern: asyncio.create_subprocess_shell($CMD, ...) + message: Detected asyncio subprocess function with argument tainted by `event` object. + If this data can be controlled by a malicious actor, it may be an instance of + command injection. Audit the use of this call to ensure it is not controllable + by an external resource. You may consider using 'shlex.escape()'. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://docs.python.org/3/library/asyncio-subprocess.html + - https://docs.python.org/3/library/shlex.html + category: security + technology: + - python + - aws-lambda + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell + shortlink: https://sg.run/p9vZ + semgrep.dev: + rule: + rule_id: L1UEl7 + version_id: 8KTbnz + url: https://semgrep.dev/playground/r/8KTbnz/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell + origin: community + languages: + - python + severity: ERROR +- id: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process + mode: taint + message: Detected `os` function with argument tainted by `event` object. This is + dangerous if external data can reach this function call because it allows a malicious + actor to execute commands. Ensure no external data reaches here. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - python + - aws-lambda + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process + shortlink: https://sg.run/2AjL + semgrep.dev: + rule: + rule_id: 8GUGBq + version_id: gETq0J + url: https://semgrep.dev/playground/r/gETq0J/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process + origin: community + languages: + - python + severity: ERROR + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - patterns: + - pattern: os.$METHOD($MODE, $CMD, ...) + - metavariable-regex: + metavariable: $METHOD + regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile) + - patterns: + - pattern-inside: os.$METHOD($MODE, $BASH, ["-c", $CMD,...],...) + - metavariable-regex: + metavariable: $METHOD + regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - patterns: + - pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...) + - metavariable-regex: + metavariable: $METHOD + regex: (spawnl|spawnle|spawnlp|spawnlpe) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) +- id: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use + mode: taint + message: Detected subprocess function with argument tainted by `event` object. If + this data can be controlled by a malicious actor, it may be an instance of command + injection. Audit the use of this call to ensure it is not controllable by an external + resource. You may consider using 'shlex.escape()'. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://docs.python.org/3/library/subprocess.html + - https://docs.python.org/3/library/shlex.html + category: security + technology: + - python + - aws-lambda + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use + shortlink: https://sg.run/XZ7B + semgrep.dev: + rule: + rule_id: gxUyn1 + version_id: QkTJ2k + url: https://semgrep.dev/playground/r/QkTJ2k/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use + origin: community + languages: + - python + severity: ERROR + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: subprocess.$FUNC($CMD, ...) + - pattern: subprocess.$FUNC([$CMD,...], ...) + - pattern: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) + - pattern: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], + ...) + - pattern: subprocess.$FUNC("=~/(python)/", $CMD, ...) + - pattern: subprocess.$FUNC(["=~/(python)/",$CMD,...],...) + pattern-sanitizers: + - pattern: shlex.escape(...) +- id: python.aws-lambda.security.dangerous-system-call.dangerous-system-call + mode: taint + message: Detected `os` function with argument tainted by `event` object. This is + dangerous if external data can reach this function call because it allows a malicious + actor to execute commands. Use the 'subprocess' module instead, which is easier + to use without accidentally exposing a command injection vulnerability. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dyanmic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call + shortlink: https://sg.run/jDvN + semgrep.dev: + rule: + rule_id: QrUkg6 + version_id: 3ZTdbL + url: https://semgrep.dev/playground/r/3ZTdbL/python.aws-lambda.security.dangerous-system-call.dangerous-system-call + origin: community + languages: + - python + severity: ERROR + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $CMD + - pattern-either: + - pattern: os.system($CMD,...) + - pattern: os.popen($CMD,...) + - pattern: os.popen2($CMD,...) + - pattern: os.popen3($CMD,...) + - pattern: os.popen4($CMD,...) +- id: python.aws-lambda.security.mysql-sqli.mysql-sqli + languages: + - python + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `cursor.execute(''SELECT + * FROM projects WHERE status = %s'', (''active''))`' + mode: taint + metadata: + references: + - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html + - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - mysql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli + shortlink: https://sg.run/1RjG + semgrep.dev: + rule: + rule_id: 3qU3eE + version_id: PkTYb1 + url: https://semgrep.dev/playground/r/PkTYb1/python.aws-lambda.security.mysql-sqli.mysql-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $CURSOR.execute($QUERY,...) + - pattern: $CURSOR.executemany($QUERY,...) + - pattern-either: + - pattern-inside: | + import mysql + ... + - pattern-inside: | + import mysql.cursors + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: WARNING +- id: python.aws-lambda.security.psycopg-sqli.psycopg-sqli + languages: + - python + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `cursor.execute(''SELECT + * FROM projects WHERE status = %s'', ''active'')`' + mode: taint + metadata: + references: + - https://www.psycopg.org/docs/cursor.html#cursor.execute + - https://www.psycopg.org/docs/cursor.html#cursor.executemany + - https://www.psycopg.org/docs/cursor.html#cursor.mogrify + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - psycopg + - psycopg2 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli + shortlink: https://sg.run/9L8r + semgrep.dev: + rule: + rule_id: 4bUQG1 + version_id: JdTqKv + url: https://semgrep.dev/playground/r/JdTqKv/python.aws-lambda.security.psycopg-sqli.psycopg-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern-either: + - pattern: $CURSOR.execute($QUERY,...) + - pattern: $CURSOR.executemany($QUERY,...) + - pattern: $CURSOR.mogrify($QUERY,...) + - pattern-inside: | + import psycopg2 + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: WARNING +- id: python.aws-lambda.security.pymssql-sqli.pymssql-sqli + languages: + - python + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `cursor.execute(''SELECT + * FROM projects WHERE status = %s'', ''active'')`' + mode: taint + metadata: + references: + - https://pypi.org/project/pymssql/ + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - pymssql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli + shortlink: https://sg.run/yXvP + semgrep.dev: + rule: + rule_id: PeUxO0 + version_id: 5PT6Eo + url: https://semgrep.dev/playground/r/5PT6Eo/python.aws-lambda.security.pymssql-sqli.pymssql-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern: $CURSOR.execute($QUERY,...) + - pattern-inside: | + import pymssql + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: WARNING +- id: python.aws-lambda.security.pymysql-sqli.pymysql-sqli + languages: + - python + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `cursor.execute(''SELECT + * FROM projects WHERE status = %s'', (''active''))`' + mode: taint + metadata: + references: + - https://pypi.org/project/PyMySQL/#id4 + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - pymysql + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli + shortlink: https://sg.run/reve + semgrep.dev: + rule: + rule_id: JDUlel + version_id: GxT2Bq + url: https://semgrep.dev/playground/r/GxT2Bq/python.aws-lambda.security.pymysql-sqli.pymysql-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern: $CURSOR.execute($QUERY,...) + - pattern-either: + - pattern-inside: | + import pymysql + ... + - pattern-inside: | + import pymysql.cursors + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: WARNING +- id: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli + languages: + - python + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `cursor.execute(''SELECT + * FROM projects WHERE status = ?'', ''active'')`' + mode: taint + metadata: + references: + - https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - sqlalchemy + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli + shortlink: https://sg.run/b48W + semgrep.dev: + rule: + rule_id: 5rUy3N + version_id: RGTb9E + url: https://semgrep.dev/playground/r/RGTb9E/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli + origin: community + pattern-sinks: + - patterns: + - focus-metavariable: $QUERY + - pattern: $CURSOR.execute($QUERY,...) + - pattern-inside: | + import sqlalchemy + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: WARNING +- id: python.aws-lambda.security.tainted-code-exec.tainted-code-exec + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - pattern-either: + - pattern: eval($CODE, ...) + - pattern: exec($CODE, ...) + message: Detected the use of `exec/eval`.This can be dangerous if used to evaluate + dynamic content. If this content can be input from outside the program, this may + be a code injection vulnerability. Ensure evaluated content is not definable by + external sources. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dyanmic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec + shortlink: https://sg.run/Ng7y + semgrep.dev: + rule: + rule_id: GdUDJP + version_id: A8TRp0 + url: https://semgrep.dev/playground/r/A8TRp0/python.aws-lambda.security.tainted-code-exec.tainted-code-exec + origin: community + languages: + - python + severity: WARNING +- id: python.aws-lambda.security.tainted-html-response.tainted-html-response + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - pattern: $BODY + - pattern-inside: | + {..., "headers": {..., "Content-Type": "text/html", ...}, "body": $BODY, ... } + message: Detected user input flowing into an HTML response. You may be accidentally + bypassing secure methods of rendering HTML by manually constructing HTML and this + could create a cross-site scripting vulnerability, which could let attackers steal + sensitive user data. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - aws-lambda + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response + shortlink: https://sg.run/k9vP + semgrep.dev: + rule: + rule_id: ReUKrk + version_id: BjTEvv + url: https://semgrep.dev/playground/r/BjTEvv/python.aws-lambda.security.tainted-html-response.tainted-html-response + origin: community + languages: + - python + severity: WARNING +- id: python.aws-lambda.security.tainted-sql-string.tainted-sql-string + languages: + - python + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + references: + - https://owasp.org/www-community/attacks/SQL_Injection + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/wXvA + semgrep.dev: + rule: + rule_id: AbU3LX + version_id: 0bTvqQ + url: https://semgrep.dev/playground/r/0bTvqQ/python.aws-lambda.security.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR" % ... + - pattern: | + "$SQLSTR".format(...) + - pattern: | + f"$SQLSTR{...}..." + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*= + - pattern-not-inside: | + print(...) + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + severity: ERROR +- id: python.django.security.nan-injection.nan-injection + message: Found user input going directly into typecast for bool(), float(), or complex(). + This allows an attacker to inject Python's not-a-number (NaN) into the typecast. + This results in undefind behavior, particularly when doing comparisons. Either + cast to a different type, or add a guard checking for all capitalizations of the + string 'nan'. + languages: + - python + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + pattern-sinks: + - patterns: + - pattern-either: + - pattern: float(...) + - pattern: bool(...) + - pattern: complex(...) + - pattern-not-inside: | + if $COND: + ... + ... + pattern-sanitizers: + - pattern: $ANYTHING(...) + not_conflicting: true + metadata: + references: + - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868 + - https://blog.bitdiscovery.com/2021/12/python-nan-injection/ + category: security + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + technology: + - django + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.django.security.nan-injection.nan-injection + shortlink: https://sg.run/Og7L + semgrep.dev: + rule: + rule_id: DbUGvk + version_id: yeTXdn + url: https://semgrep.dev/playground/r/yeTXdn/python.django.security.nan-injection.nan-injection + origin: community +- id: python.flask.security.injection.nan-injection.nan-injection + message: Found user input going directly into typecast for bool(), float(), or complex(). + This allows an attacker to inject Python's not-a-number (NaN) into the typecast. + This results in undefind behavior, particularly when doing comparisons. Either + cast to a different type, or add a guard checking for all capitalizations of the + string 'nan'. + languages: + - python + severity: ERROR + mode: taint + pattern-sources: + - pattern-either: + - pattern: flask.request.$SOMETHING.get(...) + - pattern: flask.request.$SOMETHING[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + pattern-sinks: + - pattern-either: + - pattern: float(...) + - pattern: bool(...) + - pattern: complex(...) + pattern-sanitizers: + - not_conflicting: true + pattern: $ANYTHING(...) + metadata: + references: + - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868 + - https://blog.bitdiscovery.com/2021/12/python-nan-injection/ + category: security + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + technology: + - flask + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection + shortlink: https://sg.run/e598 + semgrep.dev: + rule: + rule_id: WAUdj7 + version_id: 44ToYN + url: https://semgrep.dev/playground/r/44ToYN/python.flask.security.injection.nan-injection.nan-injection + origin: community +- id: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli + languages: + - ruby + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `Example.find_by_sql ["SELECT + title FROM posts WHERE author = ? AND created > ?", author_id, start_date]`' + mode: taint + metadata: + references: + - https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - active-record + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli + shortlink: https://sg.run/vXvY + semgrep.dev: + rule: + rule_id: 0oUw9g + version_id: 3ZTdKB + url: https://semgrep.dev/playground/r/3ZTdKB/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli + origin: community + pattern-sinks: + - patterns: + - pattern: $QUERY + - pattern-either: + - pattern: ActiveRecord::Base.connection.execute($QUERY,...) + - pattern: $MODEL.find_by_sql($QUERY,...) + - pattern: $MODEL.select_all($QUERY,...) + - pattern-inside: | + require 'active_record' + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + severity: WARNING +- id: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli + languages: + - ruby + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`' + mode: taint + metadata: + references: + - https://github.com/brianmario/mysql2 + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - mysql2 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli + shortlink: https://sg.run/dJLE + semgrep.dev: + rule: + rule_id: KxUrQ3 + version_id: 44ToN2 + url: https://semgrep.dev/playground/r/44ToN2/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli + origin: community + pattern-sinks: + - patterns: + - pattern: $QUERY + - pattern-either: + - pattern: $CLIENT.query($QUERY,...) + - pattern: $CLIENT.prepare($QUERY,...) + - pattern-inside: | + require 'mysql2' + ... + pattern-sanitizers: + - pattern: $CLIENT.escape(...) + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + severity: WARNING +- id: ruby.aws-lambda.security.pg-sqli.pg-sqli + languages: + - ruby + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `conn.exec_params(''SELECT + $1 AS a, $2 AS b, $3 AS c'', [1, 2, nil])`' + mode: taint + metadata: + references: + - https://www.rubydoc.info/gems/pg/PG/Connection + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - postgres + - pg + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli + shortlink: https://sg.run/ZKww + semgrep.dev: + rule: + rule_id: qNUQee + version_id: PkTYwo + url: https://semgrep.dev/playground/r/PkTYwo/ruby.aws-lambda.security.pg-sqli.pg-sqli + origin: community + pattern-sinks: + - patterns: + - pattern: $QUERY + - pattern-either: + - pattern: $CONN.exec($QUERY,...) + - pattern: $CONN.exec_params($QUERY,...) + - pattern: $CONN.exec_prepared($QUERY,...) + - pattern: $CONN.async_exec($QUERY,...) + - pattern: $CONN.async_exec_params($QUERY,...) + - pattern: $CONN.async_exec_prepared($QUERY,...) + - pattern-inside: | + require 'pg' + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + severity: WARNING +- id: ruby.aws-lambda.security.sequel-sqli.sequel-sqli + languages: + - ruby + message: 'Detected SQL statement that is tainted by `event` object. This could lead + to SQL injection if the variable is user-controlled and not properly sanitized. + In order to prevent SQL injection, use parameterized queries or prepared statements + instead. You can use parameterized statements like so: `DB[''select * from items + where name = ?'', name]`' + mode: taint + metadata: + references: + - https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + - sequel + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli + shortlink: https://sg.run/n9vY + semgrep.dev: + rule: + rule_id: lBUy2N + version_id: JdTqw6 + url: https://semgrep.dev/playground/r/JdTqw6/ruby.aws-lambda.security.sequel-sqli.sequel-sqli + origin: community + pattern-sinks: + - patterns: + - pattern: $QUERY + - pattern-either: + - pattern: DB[$QUERY,...] + - pattern: DB.run($QUERY,...) + - pattern-inside: | + require 'sequel' + ... + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + severity: WARNING +- id: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string + languages: + - ruby + severity: ERROR + message: Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL injection. + An attacker could use a SQL injection to steal or modify contents of the database. + Instead, use a parameterized query which is available by default in most database + engines. Alternatively, consider using an object-relational mapper (ORM) such + as Sequelize which will protect your queries. + metadata: + references: + - https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet + category: security + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string + shortlink: https://sg.run/EB7N + semgrep.dev: + rule: + rule_id: PeUxOE + version_id: GxT2Oo + url: https://semgrep.dev/playground/r/GxT2Oo/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: | + "...#{...}..." + - pattern-regex: (?i)(select|delete|insert|create|update|alter|drop)\b|\w+\s*!?[<>=].* + - patterns: + - pattern-either: + - pattern: Kernel::sprintf("$SQLSTR", ...) + - pattern: | + "$SQLSTR" + $EXPR + - pattern: | + "$SQLSTR" % $EXPR + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop)\b|\w+\s*!?[<>=].* + - pattern-not-inside: | + puts(...) +- id: scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run + patterns: + - pattern: Seq($CMD, ...) + - pattern-not: Seq("...", ...) + - pattern-inside: | + import sys.process + ... + - pattern-not-inside: | + $CMD = "..." + ... + - pattern-either: + - pattern-inside: Seq(...).! + - pattern-inside: Seq(...).!! + - pattern-inside: Seq(...).lazyLines + message: Found dynamic content used for the external process. This is dangerous + if arbitrary data can reach this function call because it allows a malicious actor + to execute commands. Ensure your variables are not controlled by users or sufficiently + sanitized. + languages: + - scala + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - scala + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run + shortlink: https://sg.run/79b2 + semgrep.dev: + rule: + rule_id: JDUle4 + version_id: X0TP0b + url: https://semgrep.dev/playground/r/X0TP0b/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run + origin: community +- id: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run + patterns: + - pattern: Seq($SH, "-c", $CMD, ...) + - pattern-not: Seq($SH, "-c", "...", ...) + - pattern-inside: | + import sys.process + ... + - pattern-not-inside: | + $CMD = "..." + ... + - pattern-either: + - pattern-inside: Seq(...).! + - pattern-inside: Seq(...).!! + - pattern-inside: Seq(...).lazyLines + - metavariable-regex: + metavariable: $SH + regex: '"(sh|bash|ksh|csh|tcsh|zsh)"' + message: Found dynamic content used for the external process. This is dangerous + if arbitrary data can reach this function call because it allows a malicious actor + to execute commands. Ensure your variables are not controlled by users or sufficiently + sanitized. + languages: + - scala + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - scala + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run + shortlink: https://sg.run/Lg76 + semgrep.dev: + rule: + rule_id: 5rUy3K + version_id: jQTK0E + url: https://semgrep.dev/playground/r/jQTK0E/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run + origin: community +- id: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings + patterns: + - pattern: secure = false + - pattern-inside: | + session = { + ... + } + message: Session cookie `Secure` flag is explicitly disabled. The `secure` flag + for cookies prevents the client from transmitting the cookie over insecure channels + such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration + file. + languages: + - generic + severity: WARNING + paths: + include: + - '*.conf' + metadata: + category: security + references: + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security + - https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration + technology: + - play + - scala + cwe: + - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' + owasp: + - A05:2021 - Security Misconfiguration + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings + shortlink: https://sg.run/8z8N + semgrep.dev: + rule: + rule_id: GdUDJO + version_id: nWT7bp + url: https://semgrep.dev/playground/r/nWT7bp/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings + origin: community +- id: scala.play.security.tainted-slick-sqli.tainted-slick-sqli + mode: taint + metadata: + references: + - https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values + - https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - scala + - slick + - play + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli + shortlink: https://sg.run/k9K2 + semgrep.dev: + rule: + rule_id: GdUDWO + version_id: 7ZTOln + url: https://semgrep.dev/playground/r/7ZTOln/scala.play.security.tainted-slick-sqli.tainted-slick-sqli + origin: community + message: Detected a tainted SQL statement. This could lead to SQL injection if variables + in the SQL statement are not properly sanitized. Avoid using using user input + for generating SQL strings. + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern: $REQ + - pattern-either: + - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - patterns: + - pattern: $PARAM + - pattern-either: + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { + ... + } + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $MODEL.overrideSql(...) + - pattern: sql"..." + - pattern-inside: | + import slick.$DEPS + ... + severity: ERROR + languages: + - scala +- id: scala.play.security.webservice-ssrf.webservice-ssrf + patterns: + - pattern: $WS.url($URL) + - pattern-either: + - pattern-inside: | + class $CLASS (..., $WS: WSClient, ...) { + ... + } + - pattern-inside: | + def $FUNC(..., $WS: WSClient, ...) = { + ... + } + - pattern-inside: | + $WS = AhcWSClient(...) + ... + - pattern-either: + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = $A { + ... + } + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = { + ... + } + message: A parameter being passed directly into `WSClient` most likely lead to SSRF. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data sent with this request. They could also probe internal servers + or other resources that the server runnig this code can access. Do not allow arbitrary + hosts. Instead, create an allowlist for approved hosts hardcode the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://www.playframework.com/documentation/2.8.x/ScalaWS + category: security + technology: + - scala + - play + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf + shortlink: https://sg.run/reRR + semgrep.dev: + rule: + rule_id: PeUxEE + version_id: gETqRr + url: https://semgrep.dev/playground/r/gETqRr/scala.play.security.webservice-ssrf.webservice-ssrf + origin: community + languages: + - scala + severity: WARNING +- id: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check + patterns: + - pattern-inside: | + import ("github.com/gorilla/websocket") + ... + - patterns: + - pattern-not-inside: | + $UPGRADER = websocket.Upgrader{..., CheckOrigin: $FN ,...} + ... + - pattern-not-inside: | + $UPGRADER.CheckOrigin = $FN2 + ... + - pattern: | + $UPGRADER.Upgrade(...) + message: 'The Origin header in the HTTP WebSocket handshake is used to guarantee + that the connection accepted by the WebSocket is from a trusted origin domain. + Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per "gorilla/websocket" + documentation: "A CheckOrigin function should carefully validate the request origin + to prevent cross-site request forgery."' + languages: + - go + severity: WARNING + metadata: + category: security + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + references: + - https://pkg.go.dev/github.com/gorilla/websocket#Upgrader + technology: + - gorilla + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check + shortlink: https://sg.run/xXpz + semgrep.dev: + rule: + rule_id: ReUKdz + version_id: JdTqLP + url: https://semgrep.dev/playground/r/JdTqLP/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check + origin: community +- id: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf + patterns: + - pattern: Http($URL) + - pattern-inside: | + import scalaj.http.$HTTP + ... + - pattern-either: + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = $A { + ... + } + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = { + ... + } + message: A parameter being passed directly into `Http` most likely lead to SSRF. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data sent with this request. They could also probe internal servers + or other resources that the server runnig this code can access. Do not allow arbitrary + hosts. Instead, create an allowlist for approved hosts hardcode the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://github.com/scalaj/scalaj-http#simplified-http + category: security + technology: + - scala + - scalaj-http + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf + shortlink: https://sg.run/OgjB + semgrep.dev: + rule: + rule_id: AbU3xA + version_id: O9TyqD + url: https://semgrep.dev/playground/r/O9TyqD/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf + origin: community + languages: + - scala + severity: WARNING +- id: javascript.aws-lambda.security.tainted-html-string.tainted-html-string + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. To be sure this is safe, check that the HTML + is rendered safely. Otherwise, use templates which will safely render HTML instead. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string + shortlink: https://sg.run/Lgqr + semgrep.dev: + rule: + rule_id: PeUxwW + version_id: WrTbE1 + url: https://semgrep.dev/playground/r/WrTbE1/javascript.aws-lambda.security.tainted-html-string.tainted-html-string + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern: $EVENT + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + "$HTMLSTR" + $EXPR + - pattern: | + "$HTMLSTR".concat(...) + - pattern: $UTIL.format($HTMLSTR, ...) + - pattern: format($HTMLSTR, ...) + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... + - patterns: + - pattern: | + `...${...}...` + - pattern-regex: | + .*<\w+.* + - pattern-not-inside: | + console.$LOG(...) +- id: python.aws-lambda.security.tainted-html-string.tainted-html-string + languages: + - python + severity: WARNING + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. To be sure this is safe, check that the HTML + is rendered safely. Otherwise, use templates which will safely render HTML instead. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - aws-lambda + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string + shortlink: https://sg.run/8zNy + semgrep.dev: + rule: + rule_id: JDUlwy + version_id: DkTQ7v + url: https://semgrep.dev/playground/r/DkTQ7v/python.aws-lambda.security.tainted-html-string.tainted-html-string + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: '"$HTMLSTR" % ...' + - pattern: '"$HTMLSTR".format(...)' + - pattern: '"$HTMLSTR" + ...' + - pattern: f"$HTMLSTR{...}..." + - patterns: + - pattern-inside: | + $HTML = "$HTMLSTR" + ... + - pattern-either: + - pattern: $HTML % ... + - pattern: $HTML.format(...) + - pattern: $HTML + ... + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... + - pattern-not-inside: | + print(...) +- id: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf + patterns: + - pattern: url($URL) + - pattern-inside: | + import dispatch._ + ... + - pattern-either: + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = $A { + ... + } + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = { + ... + } + message: A parameter being passed directly into `url` most likely lead to SSRF. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data sent with this request. They could also probe internal servers + or other resources that the server runnig this code can access. Do not allow arbitrary + hosts. Instead, create an allowlist for approved hosts hardcode the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://dispatchhttp.org/Dispatch.html + category: security + technology: + - scala + - dispatch + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf + shortlink: https://sg.run/gR6J + semgrep.dev: + rule: + rule_id: 5rUyl4 + version_id: 1QTjwj + url: https://semgrep.dev/playground/r/1QTjwj/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf + origin: community + languages: + - scala + severity: WARNING +- id: scala.lang.security.audit.io-source-ssrf.io-source-ssrf + patterns: + - pattern-either: + - pattern: Source.fromURL($URL,...) + - pattern: Source.fromURI($URL,...) + - pattern-inside: | + import scala.io.$SOURCE + ... + - pattern-either: + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = $A { + ... + } + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = { + ... + } + message: A parameter being passed directly into `fromURL` most likely lead to SSRF. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data sent with this request. They could also probe internal servers + or other resources that the server runnig this code can access. Do not allow arbitrary + hosts. Instead, create an allowlist for approved hosts hardcode the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource + category: security + technology: + - scala + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf + shortlink: https://sg.run/Qbz4 + semgrep.dev: + rule: + rule_id: GdUDOZ + version_id: rxTxpO + url: https://semgrep.dev/playground/r/rxTxpO/scala.lang.security.audit.io-source-ssrf.io-source-ssrf + origin: community + languages: + - scala + severity: WARNING +- id: scala.lang.security.audit.scalac-debug.scalac-debug + patterns: + - pattern-either: + - pattern: scalacOptions ... "-Vdebug" + - pattern: scalacOptions ... "-Ydebug" + message: Scala applications built with `debug` set to true in production may leak + debug information to attackers. Debug mode also affects performance and reliability. + Remove it from configuration. + languages: + - generic + severity: WARNING + paths: + include: + - '*.sbt*' + metadata: + category: security + cwe: + - 'CWE-489: Active Debug Code' + owasp: A05:2021 - Security Misconfiguration + technology: + - scala + - sbt + references: + - https://docs.scala-lang.org/overviews/compiler-options/index.html + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug + shortlink: https://sg.run/QbGd + semgrep.dev: + rule: + rule_id: JDUlE0 + version_id: xyT4gW + url: https://semgrep.dev/playground/r/xyT4gW/scala.lang.security.audit.scalac-debug.scalac-debug + origin: community +- id: scala.play.security.tainted-html-response.tainted-html-response + mode: taint + metadata: + category: security + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + technology: + - scala + - play + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response + shortlink: https://sg.run/BG96 + semgrep.dev: + rule: + rule_id: 0oUwn2 + version_id: ExTnLN + url: https://semgrep.dev/playground/r/ExTnLN/scala.play.security.tainted-html-response.tainted-html-response + origin: community + message: Detected a request with potential user-input going into an `Ok()` response. + This bypasses any view or template environments, including HTML escaping, which + may expose this application to cross-site scripting (XSS) vulnerabilities. Consider + using a view technology such as Twirl which automatically escapes HTML views. + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern: $REQ + - pattern-either: + - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - patterns: + - pattern: $PARAM + - pattern-either: + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { + ... + } + pattern-sanitizers: + - pattern-either: + - pattern: org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(...) + - pattern: org.owasp.encoder.Encode.forHtml(...) + pattern-sinks: + - pattern-either: + - pattern: Html.apply(...) + - pattern: Ok(...).as(HTML) + - pattern: Ok(...).as(ContentTypes.HTML) + - patterns: + - pattern: Ok(...).as($CTYPE) + - metavariable-regex: + metavariable: $CTYPE + regex: '"[tT][eE][xX][tT]/[hH][tT][mM][lL]"' + - patterns: + - pattern: Ok(...).as($CTYPE) + - pattern-not: Ok(...).as("...") + - pattern-either: + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = $A { + ... + } + - pattern-inside: | + def $FUNC(..., $URL: $T, ...) = { + ... + } + severity: WARNING + languages: + - scala +- id: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv + patterns: + - pattern-either: + - pattern: openssl_encrypt($D, $M, $K, $FLAGS, "...",...); + - pattern: openssl_decrypt($D, $M, $K, $FLAGS, "...",...); + - metavariable-comparison: + metavariable: $M + comparison: re.match(".*-CBC",$M) + message: Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext + attacks against encrypted data. + languages: + - php + severity: ERROR + metadata: + cwe: + - 'CWE-329: Generation of Predictable IV with CBC Mode' + references: + - https://csrc.nist.gov/publications/detail/sp/800-38a/final + owasp: + - A02:2021 - Cryptographic Failures + technology: + - php + - openssl + category: security + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv + shortlink: https://sg.run/LgWJ + semgrep.dev: + rule: + rule_id: DbUGbE + version_id: 0bTvGQ + url: https://semgrep.dev/playground/r/0bTvGQ/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv + origin: community +- id: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode + patterns: + - pattern-inside: | + import pdi.jwt.$DEPS + ... + - pattern-either: + - pattern: $JWT.encode($X, "...", ...) + - pattern: $JWT.decode($X, "...", ...) + - pattern: $JWT.decodeRawAll($X, "...", ...) + - pattern: $JWT.decodeRaw($X, "...", ...) + - pattern: $JWT.decodeAll($X, "...", ...) + - pattern: $JWT.validate($X, "...", ...) + - pattern: $JWT.isValid($X, "...", ...) + - pattern: $JWT.decodeJson($X, "...", ...) + - pattern: $JWT.decodeJsonAll($X, "...", ...) + - patterns: + - pattern-either: + - pattern: $JWT.encode($X, $KEY, ...) + - pattern: $JWT.decode($X, $KEY, ...) + - pattern: $JWT.decodeRawAll($X, $KEY, ...) + - pattern: $JWT.decodeRaw($X, $KEY, ...) + - pattern: $JWT.decodeAll($X, $KEY, ...) + - pattern: $JWT.validate($X, $KEY, ...) + - pattern: $JWT.isValid($X, $KEY, ...) + - pattern: $JWT.decodeJson($X, $KEY, ...) + - pattern: $JWT.decodeJsonAll($X, $KEY, ...) + - pattern: $JWT.encode($X, this.$KEY, ...) + - pattern: $JWT.decode($X, this.$KEY, ...) + - pattern: $JWT.decodeRawAll($X, this.$KEY, ...) + - pattern: $JWT.decodeRaw($X, this.$KEY, ...) + - pattern: $JWT.decodeAll($X, this.$KEY, ...) + - pattern: $JWT.validate($X, this.$KEY, ...) + - pattern: $JWT.isValid($X, this.$KEY, ...) + - pattern: $JWT.decodeJson($X, this.$KEY, ...) + - pattern: $JWT.decodeJsonAll($X, this.$KEY, ...) + - pattern-either: + - pattern-inside: | + class $CL { + ... + $KEY = "..." + ... + } + - pattern-inside: | + object $CL { + ... + $KEY = "..." + ... + } + - metavariable-pattern: + metavariable: $JWT + patterns: + - pattern-either: + - pattern: Jwt + - pattern: JwtArgonaut + - pattern: JwtCirce + - pattern: JwtJson4s + - pattern: JwtJson + - pattern: JwtUpickle + message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently + Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html + Consider using an appropriate security mechanism to protect the credentials (e.g. + keeping secrets in environment variables)' + languages: + - scala + severity: WARNING + metadata: + references: + - https://jwt-scala.github.io/jwt-scala/ + category: security + cwe: + - 'CWE-522: Insufficiently Protected Credentials' + owasp: + - A02:2017 - Broken Authentication + - A04:2021 - Insecure Design + technology: + - scala + confidence: HIGH + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode + shortlink: https://sg.run/8zE7 + semgrep.dev: + rule: + rule_id: WAUdK0 + version_id: 2KT1oq + url: https://semgrep.dev/playground/r/2KT1oq/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode + origin: community +- id: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled + patterns: + - pattern-either: + - pattern: | + $DF = DocumentBuilderFactory.newInstance(...) + ... + $DB = $DF.newDocumentBuilder(...) + - patterns: + - pattern: $DB = DocumentBuilderFactory.newInstance(...) + - pattern-not-inside: | + ... + $X = $DB.newDocumentBuilder(...) + - pattern: $DB = DocumentBuilderFactory.newInstance(...).newDocumentBuilder(...) + - pattern-not-inside: | + ... + $DB.setXIncludeAware(true) + ... + $DB.setNamespaceAware(true) + ... + $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + - pattern-not-inside: | + ... + $DB.setXIncludeAware(true) + ... + $DB.setNamespaceAware(true) + ... + $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + ... + $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) + - pattern-not-inside: | + ... + $DB.setXIncludeAware(true) + ... + $DB.setNamespaceAware(true) + ... + $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + - pattern-not-inside: | + ... + $DB.setXIncludeAware(true) + ... + $DB.setNamespaceAware(true) + ... + $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + ... + $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + message: Document Builder being instantiated without calling the `setFeature` functions + that are generally used for disabling entity processing. User controlled data + in XML Document builder can result in XML Internal Entity Processing vulnerabilities + like the disclosure of confidential data, denial of service, Server Side Request + Forgery (SSRF), port scanning. Make sure to disable entity processing functionality. + languages: + - scala + severity: WARNING + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + category: security + technology: + - scala + confidence: HIGH + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled + shortlink: https://sg.run/gRQn + semgrep.dev: + rule: + rule_id: 0oUwzP + version_id: 9lTz9K + url: https://semgrep.dev/playground/r/9lTz9K/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled + origin: community +- id: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled + patterns: + - pattern-either: + - pattern: $SR = new SAXReader(...) + - pattern: | + $SF = SAXParserFactory.newInstance(...) + ... + $SR = $SF.newSAXParser(...) + - patterns: + - pattern: $SR = SAXParserFactory.newInstance(...) + - pattern-not-inside: | + ... + $X = $SR.newSAXParser(...) + - pattern: $SR = SAXParserFactory.newInstance(...).newSAXParser(...) + - pattern: $SR = new SAXBuilder(...) + - pattern-not-inside: | + ... + $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + - pattern-not-inside: | + ... + $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + ... + $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) + - pattern-not-inside: | + ... + $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + ... + $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + - pattern-not-inside: | + ... + $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) + ... + $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + ... + $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) + message: XML processor being instantiated without calling the `setFeature` functions + that are generally used for disabling entity processing. User controlled data + in XML Parsers can result in XML Internal Entity Processing vulnerabilities like + the disclosure of confidential data, denial of service, Server Side Request Forgery + (SSRF), port scanning. Make sure to disable entity processing functionality. + languages: + - scala + severity: WARNING + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + category: security + technology: + - scala + confidence: HIGH + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled + shortlink: https://sg.run/QbYP + semgrep.dev: + rule: + rule_id: KxUrkq + version_id: kbT7Bj + url: https://semgrep.dev/playground/r/kbT7Bj/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled + origin: community +- id: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled + patterns: + - pattern-not-inside: | + ... + $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false) + - pattern-either: + - pattern: $XMLFACTORY = XMLInputFactory.newFactory(...) + - pattern: $XMLFACTORY = XMLInputFactory.newInstance(...) + - pattern: $XMLFACTORY = new XMLInputFactory(...) + message: XMLInputFactory being instantiated without calling the setProperty functions + that are generally used for disabling entity processing. User controlled data + in XML Document builder can result in XML Internal Entity Processing vulnerabilities + like the disclosure of confidential data, denial of service, Server Side Request + Forgery (SSRF), port scanning. Make sure to disable entity processing functionality. + languages: + - scala + severity: WARNING + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + category: security + technology: + - scala + confidence: HIGH + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled + shortlink: https://sg.run/3BEb + semgrep.dev: + rule: + rule_id: qNUQ7w + version_id: d6TD0K + url: https://semgrep.dev/playground/r/d6TD0K/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled + origin: community +- id: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version + pattern: | + resource "aws_elasticsearch_domain" $ANYTHING { + ... + domain_endpoint_options { + ... + enforce_https = true + tls_security_policy = "Policy-Min-TLS-1-0-2019-07" + ... + } + ... + } + message: Detected an AWS Elasticsearch domain using an insecure version of TLS. + To fix this, set "tls_security_policy" equal to "Policy-Min-TLS-1-2-2019-07". + languages: + - terraform + severity: WARNING + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - aws + - terraform + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version + shortlink: https://sg.run/PYlq + semgrep.dev: + rule: + rule_id: YGUle7 + version_id: 9lTzvy + url: https://semgrep.dev/playground/r/9lTzvy/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version + origin: community +- id: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage + message: User data from `$REQ` is being compiled into the template, which can lead + to a Server Side Template Injection (SSTI) vulnerability. + metadata: + interfile: true + category: security + cwe: + - 'CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine' + owasp: + - A03:2021 - Injection + - A01:2017 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html + technology: + - javascript + - typescript + - express + - pug + - jade + - dot + - ejs + - nunjucks + - lodash + - handlbars + - mustache + - hogan.js + - eta + - squirrelly + source_rule_url: + - https://github.com/github/codeql/blob/2ba2642c7ab29b9eedef33bcc2b8cd1d203d0c10/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage + shortlink: https://sg.run/b49v + semgrep.dev: + rule: + rule_id: EwUr9k + version_id: rxTx4j + url: https://semgrep.dev/playground/r/rxTx4j/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-propagators: + - pattern: $MODEL.$FIND($E).then((...,$S,...)=>{...}) + from: $E + to: $S + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('pug') + ... + - pattern-inside: | + import * as $PUG from 'pug' + ... + - pattern-inside: | + $PUG = require('jade') + ... + - pattern-inside: | + import * as $PUG from 'jade' + ... + - pattern-either: + - pattern: $PUG.compile(...) + - pattern: $PUG.compileClient(...) + - pattern: $PUG.compileClientWithDependenciesTracked(...) + - pattern: $PUG.render(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('dot') + ... + - pattern-inside: | + import * as $PUG from 'dot' + ... + - pattern-either: + - pattern: $PUG.template(...) + - pattern: $PUG.compile(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('ejs') + ... + - pattern-inside: | + import * as $PUG from 'ejs' + ... + - pattern-either: + - pattern: $PUG.render(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('nunjucks') + ... + - pattern-inside: | + import * as $PUG from 'nunjucks' + ... + - pattern-either: + - pattern: $PUG.renderString(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('lodash') + ... + - pattern-inside: | + import * as $PUG from 'lodash' + ... + - pattern-either: + - pattern: $PUG.template(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('mustache') + ... + - pattern-inside: | + import * as $PUG from 'mustache' + ... + - pattern-inside: | + $PUG = require('eta') + ... + - pattern-inside: | + import * as $PUG from 'eta' + ... + - pattern-inside: | + $PUG = require('squirrelly') + ... + - pattern-inside: | + import * as $PUG from 'squirrelly' + ... + - pattern-either: + - pattern: $PUG.render(...) + - patterns: + - pattern-either: + - pattern-inside: | + $PUG = require('hogan.js') + ... + - pattern-inside: | + import * as $PUG from 'hogan.js' + ... + - pattern-inside: | + $PUG = require('handlebars') + ... + - pattern-inside: | + import * as $PUG from 'handlebars' + ... + - pattern-either: + - pattern: $PUG.compile(...) +- id: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include + mode: taint + pattern-sources: + - patterns: + - pattern: params[...] + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + render ..., file: ... + - pattern: | + render ..., inline: ... + - pattern: | + render ..., template: ... + - pattern: | + render ..., action: ... + - pattern: | + render $FILE, ... + pattern-sanitizers: + - patterns: + - pattern: $MAP[...] + - metavariable-pattern: + metavariable: $MAP + patterns: + - pattern-not-regex: params + message: Found request parameters in a call to `render`. This can allow end users + to request arbitrary local files which may result in leaking sensitive information + persisted on disk. Where possible, avoid letting users specify template paths + for `render`. If you must allow user input, use an allow-list of known templates + or normalize the user-supplied value with `File.basename(...)`. + languages: + - ruby + severity: WARNING + metadata: + technology: + - ruby + - rails + category: security + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb + references: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion + - https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include + shortlink: https://sg.run/Jw8Z + semgrep.dev: + rule: + rule_id: ReU2pZ + version_id: 8KTb7N + url: https://semgrep.dev/playground/r/8KTb7N/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include + origin: community +- id: ruby.rails.security.brakeman.check-send-file.check-send-file + mode: taint + pattern-sources: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + pattern-sinks: + - patterns: + - pattern: | + send_file ... + message: Allowing user input to `send_file` allows a malicious user to potentially + read arbitrary files from the server. Avoid accepting user input in `send_file` + or normalize with `File.basename(...)` + languages: + - ruby + severity: ERROR + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send_file.rb + category: security + cwe: + - 'CWE-73: External Control of File Name or Path' + owasp: + - A04:2021 - Insecure Design + technology: + - ruby + - rails + references: + - https://owasp.org/www-community/attacks/Path_Traversal + - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file + shortlink: https://sg.run/GbY1 + semgrep.dev: + rule: + rule_id: BYUKbl + version_id: 3ZTdzb + url: https://semgrep.dev/playground/r/3ZTdzb/ruby.rails.security.brakeman.check-send-file.check-send-file + origin: community +- id: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request + languages: + - scala + severity: ERROR + mode: taint + message: User data flows into this manually-constructed SQL string. User data can + be safely inserted into SQL strings using prepared statements or an object-relational + mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL + injection, which could let an attacker steal or manipulate data from the database. + Instead, use prepared statements (`connection.PreparedStatement`) or a safe library. + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html + category: security + technology: + - scala + - play + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request + shortlink: https://sg.run/BeW9 + semgrep.dev: + rule: + rule_id: 0oUpon + version_id: LjT0Wk + url: https://semgrep.dev/playground/r/LjT0Wk/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request + origin: community + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern: $REQ + - pattern-either: + - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" + - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" + - patterns: + - pattern: $PARAM + - pattern-either: + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { + ... + } + - pattern-inside: | + def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { + ... + } + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR".format(...) + - patterns: + - pattern-inside: | + $SB = new StringBuilder("$SQLSTR"); + ... + - pattern: $SB.append(...) + - patterns: + - pattern-inside: | + $VAR = "$SQLSTR" + ... + - pattern: $VAR += ... + - metavariable-regex: + metavariable: $SQLSTR + regex: (?i)(select|delete|insert|create|update|alter|drop)\b + - patterns: + - pattern: s"..." + - pattern-regex: | + .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* + - pattern-not-inside: println(...) +- id: dockerfile.security.last-user-is-root.last-user-is-root + patterns: + - pattern-inside: | + USER $F + ... + USER $X + - pattern-not-inside: | + ... + USER $X + ... + USER $F + - focus-metavariable: $X + - metavariable-regex: + metavariable: $X + regex: ^(root)$ + - metavariable-regex: + metavariable: $F + regex: (.*(?!root)) + message: The last user in the container is 'root'. This is a security hazard because + if an attacker gains control of the container they will have root access. Switch + back to another user after running commands as 'root'. + severity: ERROR + languages: + - dockerfile + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002 + references: + - https://github.com/hadolint/hadolint/wiki/DL3002 + category: security + technology: + - dockerfile + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root + shortlink: https://sg.run/5Z43 + semgrep.dev: + rule: + rule_id: ReU2n5 + version_id: w8T39L + url: https://semgrep.dev/playground/r/w8T39L/dockerfile.security.last-user-is-root.last-user-is-root + origin: community +- id: dockerfile.security.missing-user.missing-user + patterns: + - pattern: | + CMD $...VARS + - pattern-not-inside: | + USER $USER + ... + fix: | + USER non-root + CMD $...VARS + message: By not specifying a USER, a program in the container may run as 'root'. + This is a security hazard. If an attacker can control a process running as root, + they may have control over the container. Ensure that the last USER in a Dockerfile + is a USER other than 'root'. + severity: ERROR + languages: + - dockerfile + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + category: security + technology: + - dockerfile + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/dockerfile.security.missing-user.missing-user + shortlink: https://sg.run/Gbvn + semgrep.dev: + rule: + rule_id: AbUN06 + version_id: O9TyNe + url: https://semgrep.dev/playground/r/O9TyNe/dockerfile.security.missing-user.missing-user + origin: community +- id: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config + message: Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends + selecting Argon2id unless you can guarantee an adversary has no direct access + to the computing environment. + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + - https://eprint.iacr.org/2016/759.pdf + - https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf + - https://datatracker.ietf.org/doc/html/rfc9106#section-4 + category: security + cwe: + - 'CWE-916: Use of Password Hash With Insufficient Computational Effort' + technology: + - argon2 + - cryptography + owasp: + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + impact: LOW + likelihood: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config + shortlink: https://sg.run/ALq4 + semgrep.dev: + rule: + rule_id: DbU2X8 + version_id: qkTN4E + url: https://semgrep.dev/playground/r/qkTN4E/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + $ARGON = require('argon2'); + ... + - pattern: | + {type: ...} + pattern-sinks: + - patterns: + - pattern: | + $Y + - pattern-inside: | + $ARGON.hash(...,$Y) + pattern-sanitizers: + - patterns: + - pattern: | + {type: $ARGON.argon2id} + ... +- id: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + - patterns: + - pattern: $Y + - pattern-either: + - pattern-inside: | + $RECORD.read_attribute($Y) + - pattern-inside: | + $RECORD[$Y] + - metavariable-regex: + metavariable: $RECORD + regex: '[A-Z][a-z]+' + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: $Y + - pattern-inside: | + /...#{...}.../ + - patterns: + - pattern: $Y + - pattern-inside: | + Regexp.new(...) + message: Found a potentially user-controllable argument in the construction of a + regular expressions. This may result in excessive resource consumption when applied + to certain inputs, or when the user is allowed to control the match target. Avoid + allowing users to specify regular expressions processed by the server. If you + must support user-controllable input in a regular expression, use an allow-list + to restrict the expressions users may supply to limit catastrophic backtracking. + languages: + - ruby + severity: ERROR + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb + category: security + cwe: + - 'CWE-1333: Inefficient Regular Expression Complexity' + owasp: + - A03:2017 - Sensitive Data Exposure + technology: + - ruby + - rails + references: + - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos + shortlink: https://sg.run/qZwx + semgrep.dev: + rule: + rule_id: YGUY4R + version_id: LjT0ok + url: https://semgrep.dev/playground/r/LjT0ok/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos + origin: community +- id: ruby.rails.security.brakeman.check-sql.check-sql + mode: taint + pattern-sources: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + pattern-sanitizers: + - patterns: + - pattern-either: + - patterns: + - pattern: $X + - pattern-either: + - pattern-inside: | + :$KEY => $X + - pattern-inside: | + ["...",$X,...] + - pattern: | + params[...].to_i + - pattern: | + params[...].to_f + - patterns: + - pattern: | + params[...] ? $A : $B + - metavariable-pattern: + metavariable: $A + patterns: + - pattern-not: | + params[...] + - metavariable-pattern: + metavariable: $B + patterns: + - pattern-not: | + params[...] + pattern-sinks: + - patterns: + - pattern: $X + - pattern-not-inside: | + $P.where("...",...) + - pattern-not-inside: | + $P.where(:$KEY => $VAL,...) + - pattern-either: + - pattern-inside: | + $P.$M(...) + - pattern-inside: | + $P.$M("...",...) + - pattern-inside: | + class $P < ActiveRecord::Base + ... + end + - metavariable-regex: + metavariable: $M + regex: (where|find|first|last|select|minimum|maximum|calculate|sum|average) + message: Found potential SQL injection due to unsafe SQL query construction via + $X. Where possible, prefer parameterized queries. + languages: + - ruby + severity: ERROR + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_sql.rb + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - ruby + - rails + references: + - https://owasp.org/www-community/attacks/SQL_Injection + - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql + shortlink: https://sg.run/vpgb + semgrep.dev: + rule: + rule_id: OrUv2z + version_id: 44TowG + url: https://semgrep.dev/playground/r/44TowG/ruby.rails.security.brakeman.check-sql.check-sql + origin: community +- id: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods + mode: taint + pattern-sources: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + pattern-sinks: + - patterns: + - pattern: $X + - pattern-either: + - pattern-inside: | + $X. ... .to_proc + - pattern-inside: | + $Y.method(...) + - pattern-inside: | + $Y.tap(...) + message: Found user-controllable input to a reflection method. This may allow a + user to alter program behavior and potentially execute arbitrary instructions + in the context of the process. Do not provide arbitrary user input to `tap`, `method`, + or `to_proc` + languages: + - ruby + severity: ERROR + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection_methods.rb + category: security + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + technology: + - ruby + - rails + references: + - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods + shortlink: https://sg.run/dPYd + semgrep.dev: + rule: + rule_id: eqUZ2Q + version_id: PkTYXn + url: https://semgrep.dev/playground/r/PkTYXn/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods + origin: community +- id: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase + message: Found the use of an hardcoded passphrase for RSA. The passphrase can be + easily discovered, and therefore should not be stored in source-code. It is recommended + to remove the passphrase from source-code, and use system environment variables + or a restricted configuration file. + languages: + - ruby + severity: WARNING + metadata: + technology: + - ruby + - secrets + category: security + references: + - https://cwe.mitre.org/data/definitions/522.html + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + owasp: + - A07:2021 - Identification and Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase + shortlink: https://sg.run/xPEe + semgrep.dev: + rule: + rule_id: bwULyN + version_id: qkTq7w + url: https://semgrep.dev/playground/r/qkTq7w/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase + origin: community + patterns: + - pattern-either: + - pattern: OpenSSL::PKey::RSA.new(..., '...') + - pattern: OpenSSL::PKey::RSA.new(...).to_pem(..., '...') + - pattern: OpenSSL::PKey::RSA.new(...).export(..., '...') + - patterns: + - pattern-inside: | + $OPENSSL = OpenSSL::PKey::RSA.new(...) + ... + - pattern-either: + - pattern: | + $OPENSSL.export(...,'...') + - pattern: | + $OPENSSL.to_pem(...,'...') + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $ASSIGN = '...' + ... + def $METHOD(...) + ... + end + ... + - pattern: OpenSSL::PKey::RSA.new(..., $ASSIGN) + - patterns: + - pattern-inside: | + def $METHOD1(...) + ... + $ASSIGN = '...' + ... + end + ... + def $METHOD2(...) + ... + end + - pattern: OpenSSL::PKey::RSA.new(..., $ASSIGN) + - patterns: + - pattern-inside: | + $ASSIGN = '...' + ... + def $METHOD(...) + $OPENSSL = OpenSSL::PKey::RSA.new(...) + ... + end + ... + - pattern-either: + - pattern: $OPENSSL.export(...,$ASSIGN) + - pattern: $OPENSSL.to_pem(...,$ASSIGN) + - patterns: + - pattern-inside: | + def $METHOD1(...) + ... + $OPENSSL = OpenSSL::PKey::RSA.new(...) + ... + $ASSIGN = '...' + ... + end + ... + - pattern-either: + - pattern: $OPENSSL.export(...,$ASSIGN) + - pattern: $OPENSSL.to_pem(...,$ASSIGN) + - patterns: + - pattern-inside: | + def $METHOD1(...) + ... + $ASSIGN = '...' + ... + end + ... + def $METHOD2(...) + ... + $OPENSSL = OpenSSL::PKey::RSA.new(...) + ... + end + ... + - pattern-either: + - pattern: $OPENSSL.export(...,$ASSIGN) + - pattern: $OPENSSL.to_pem(...,$ASSIGN) +- id: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size + message: The RSA key size $SIZE is insufficent by NIST standards. It is recommended + to use a key length of 2048 or higher. + languages: + - ruby + severity: WARNING + metadata: + technology: + - ruby + category: security + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size + shortlink: https://sg.run/O4Re + semgrep.dev: + rule: + rule_id: NbUe4N + version_id: bZTGW2 + url: https://semgrep.dev/playground/r/bZTGW2/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size + origin: community + patterns: + - pattern-either: + - pattern: OpenSSL::PKey::RSA.generate($SIZE,...) + - pattern: OpenSSL::PKey::RSA.new($SIZE, ...) + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $ASSIGN = $SIZE + ... + def $METHOD(...) + ... + end + ... + - pattern-either: + - pattern: OpenSSL::PKey::RSA.new($ASSIGN, ...) + - pattern: OpenSSL::PKey::RSA.generate($ASSIGN, ...) + - patterns: + - pattern-inside: | + def $METHOD1(...) + ... + $ASSIGN = $SIZE + ... + end + ... + def $METHOD2(...) + ... + end + ... + - pattern-either: + - pattern: OpenSSL::PKey::RSA.new($ASSIGN, ...) + - pattern: OpenSSL::PKey::RSA.generate($ASSIGN, ...) + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 2048 +- id: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: params + - pattern: cookies + - pattern: request.env + - pattern: url_for(params[...],...,:only_path => false,...) + pattern-sanitizers: + - patterns: + - pattern-either: + - patterns: + - pattern: | + $F(...) + - metavariable-pattern: + metavariable: $F + patterns: + - pattern-not-regex: (params|url_for|cookies|request.env|permit|redirect_to) + - pattern: | + params.merge! :only_path => true + ... + - pattern: | + params.slice(...) + ... + - pattern: | + redirect_to [...] + - patterns: + - pattern: | + $MODEL. ... .$M(...) + ... + - metavariable-regex: + metavariable: $MODEL + regex: '[A-Z]\w+' + - metavariable-regex: + metavariable: $M + regex: (all|create|find|find_by|find_by_sql|first|last|new|from|group|having|joins|lock|order|reorder|select|where|take) + - patterns: + - pattern: | + params.$UNSAFE_HASH.merge(...,:only_path => true,...) + ... + - metavariable-regex: + metavariable: $UNSAFE_HASH + regex: to_unsafe_h(ash)? + - patterns: + - pattern: params.permit(...,$X,...) + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-not-regex: (host|port|(sub)?domain) + pattern-sinks: + - patterns: + - pattern: $X + - pattern-inside: | + redirect_to $X, ... + - pattern-not-regex: params\.\w+(? true` hash value. + languages: + - ruby + severity: WARNING + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_redirect.rb + category: security + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + technology: + - ruby + - rails + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + owasp: + - A01:2021 - Broken Access Control + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to + shortlink: https://sg.run/eJNX + semgrep.dev: + rule: + rule_id: kxUOJ6 + version_id: 7ZTOjn + url: https://semgrep.dev/playground/r/7ZTOjn/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to + origin: community +- id: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection + mode: taint + pattern-sources: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + pattern-sinks: + - patterns: + - pattern: $X + - pattern-either: + - pattern-inside: | + $X.constantize + - pattern-inside: | + $X. ... .safe_constantize + - pattern-inside: | + const_get(...) + - pattern-inside: | + qualified_const_get(...) + message: Found user-controllable input to Ruby reflection functionality. This allows + a remote user to influence runtime behavior, up to and including arbitrary remote + code execution. Do not provide user-controllable input to reflection functionality. + Do not call symbol conversion on user-controllable input. + languages: + - ruby + severity: ERROR + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb + category: security + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + technology: + - ruby + - rails + references: + - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb + cwe2022-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection + shortlink: https://sg.run/vpEX + semgrep.dev: + rule: + rule_id: wdUkYA + version_id: JdTqY2 + url: https://semgrep.dev/playground/r/JdTqY2/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection + origin: community +- id: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find + mode: taint + pattern-sources: + - pattern-either: + - pattern: | + cookies[...] + - patterns: + - pattern: | + cookies. ... .$PROPERTY[...] + - metavariable-regex: + metavariable: $PROPERTY + regex: (?!signed|encrypted) + - pattern: | + params[...] + - pattern: | + request.env[...] + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $MODEL.find(...) + - pattern: $MODEL.find_by_id(...) + - pattern: $MODEL.find_by_id!(...) + - metavariable-regex: + metavariable: $MODEL + regex: '[A-Z]\S+' + message: Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord + model being searched against is sensitive, this may lead to Insecure Direct Object + Reference (IDOR) behavior and allow users to read arbitrary records. Scope the + find to the current user, e.g. `current_user.accounts.find(params[:id])`. + languages: + - ruby + severity: WARNING + metadata: + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unscoped_find.rb + category: security + cwe: + - 'CWE-639: Authorization Bypass Through User-Controlled Key' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + technology: + - ruby + - rails + references: + - https://brakemanscanner.org/docs/warning_types/unscoped_find/ + - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find + shortlink: https://sg.run/dPbP + semgrep.dev: + rule: + rule_id: x8Ud6d + version_id: 5PT62x + url: https://semgrep.dev/playground/r/5PT62x/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find + origin: community +- id: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object + message: Detected DynamoDB query params that are tainted by `$EVENT` object. This + could lead to NoSQL injection if the variable is user-controlled and not properly + sanitized. Explicitly assign query params instead of passing data from `$EVENT` + directly to DynamoDB client. + metadata: + cwe: + - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' + owasp: + - A01:2017 - Injection + category: security + technology: + - javascript + - aws-lambda + - dynamodb + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object + shortlink: https://sg.run/X1e4 + semgrep.dev: + rule: + rule_id: 0oU1xk + version_id: JdTqDX + url: https://semgrep.dev/playground/r/JdTqDX/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern: $EVENT + - pattern-either: + - pattern-inside: | + exports.handler = function ($EVENT, ...) { + ... + } + - pattern-inside: | + function $FUNC ($EVENT, ...) {...} + ... + exports.handler = $FUNC + - pattern-inside: | + $FUNC = function ($EVENT, ...) {...} + ... + exports.handler = $FUNC + pattern-sinks: + - patterns: + - focus-metavariable: $SINK + - pattern: | + $DC.$METHOD($SINK, ...) + - metavariable-regex: + metavariable: $METHOD + regex: (query|send|scan|delete|put|transactWrite|update|batchExecuteStatement|executeStatement|executeTransaction|transactWriteItems) + - pattern-either: + - pattern-inside: | + $DC = new $AWS.DocumentClient(...); + ... + - pattern-inside: | + $DC = new $AWS.DynamoDB(...); + ... + - pattern-inside: | + $DC = new DynamoDBClient(...); + ... + - pattern-inside: | + $DC = DynamoDBDocumentClient.from(...); + ... + pattern-sanitizers: + - patterns: + - pattern: | + {...} +- id: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection + mode: taint + metadata: + cwe: + - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' + owasp: + - A01:2017 - Injection + category: security + technology: + - python + - boto3 + - aws-lambda + - dynamodb + references: + - https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection + shortlink: https://sg.run/jjrl + semgrep.dev: + rule: + rule_id: KxUJ2B + version_id: 44To8Z + url: https://semgrep.dev/playground/r/44To8Z/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection + origin: community + message: Detected DynamoDB query filter that is tainted by `$EVENT` object. This + could lead to NoSQL injection if the variable is user-controlled and not properly + sanitized. Explicitly assign query params instead of passing data from `$EVENT` + directly to DynamoDB client. + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sanitizers: + - patterns: + - pattern: | + {...} + pattern-sinks: + - patterns: + - focus-metavariable: $SINK + - pattern-either: + - pattern: $TABLE.scan(..., ScanFilter = $SINK, ...) + - pattern: $TABLE.query(..., QueryFilter = $SINK, ...) + - pattern-either: + - patterns: + - pattern-inside: | + $TABLE = $DB.Table(...) + ... + - pattern-inside: | + $DB = boto3.resource('dynamodb', ...) + ... + - pattern-inside: | + $TABLE = boto3.client('dynamodb', ...) + ... + severity: ERROR + languages: + - python +- id: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response + message: Detected data rendered directly to the end user via 'Response'. This bypasses + Pyramid's built-in cross-site scripting (XSS) defenses and could result in an + XSS vulnerability. Use Pyramid's template engines to safely render HTML. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - pyramid + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response + shortlink: https://sg.run/DX8G + semgrep.dev: + rule: + rule_id: gxUeA8 + version_id: ZRTwkw + url: https://semgrep.dev/playground/r/ZRTwkw/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response + origin: community + languages: + - python + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + pyramid.request.Response.text($SINK) + - pattern: | + pyramid.request.Response($SINK) + - pattern: | + $REQ.response.body = $SINK + - pattern: | + $REQ.response.text = $SINK + - pattern: | + $REQ.response.ubody = $SINK + - pattern: | + $REQ.response.unicode_body = $SINK + - pattern: $SINK +- id: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection + message: Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause + sql injections if the developer inputs raw SQL into the before-mentioned clauses. + This pattern captures relevant cases in which the developer inputs raw SQL into + the distinct, having, group_by, order_by or filter clauses and injects user-input + into the raw SQL with any function besides "bindparams". Use bindParams to securely + bind user-input to SQL statements. + languages: + - python + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data + technology: + - pyramid + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection + shortlink: https://sg.run/W7eE + semgrep.dev: + rule: + rule_id: QrUZ7l + version_id: nWT75e + url: https://semgrep.dev/playground/r/nWT75e/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + from pyramid.view import view_config + ... + @view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-inside: | + $QUERY = $REQ.dbsession.query(...) + ... + - pattern-either: + - pattern: | + $QUERY.$SQLFUNC("...".$FORMATFUNC(..., $SINK, ...)) + - pattern: | + $QUERY.join(...).$SQLFUNC("...".$FORMATFUNC(..., $SINK, ...)) + - pattern: $SINK + - metavariable-regex: + metavariable: $SQLFUNC + regex: (group_by|order_by|distinct|having|filter) + - metavariable-regex: + metavariable: $FORMATFUNC + regex: (?!bindparams) + fix-regex: + regex: format + replacement: bindparams +- id: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint + message: Use of angular.element can lead to XSS if user-input is treated as part + of the HTML element within `$SINK`. It is recommended to contextually output encode + user-input, before inserting into `$SINK`. If the HTML needs to be preserved it + is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize. + metadata: + confidence: MEDIUM + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://docs.angularjs.org/api/ng/function/angular.element + - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf + category: security + technology: + - angularjs + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint + shortlink: https://sg.run/5AQ0 + semgrep.dev: + rule: + rule_id: GdUP71 + version_id: 44ToZb + url: https://semgrep.dev/playground/r/44ToZb/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: window.location.search + - pattern: window.document.location.search + - pattern: document.location.search + - pattern: location.search + - pattern: $location.search(...) + - patterns: + - pattern-either: + - pattern: $DECODE(<... location.hash ...>) + - pattern: $DECODE(<... window.location.hash ...>) + - pattern: $DECODE(<... document.location.hash ...>) + - pattern: $DECODE(<... location.href ...>) + - pattern: $DECODE(<... window.location.href ...>) + - pattern: $DECODE(<... document.location.href ...>) + - pattern: $DECODE(<... document.URL ...>) + - pattern: $DECODE(<... window.document.URL ...>) + - pattern: $DECODE(<... document.location.href ...>) + - pattern: $DECODE(<... document.location.href ...>) + - pattern: $DECODE(<... $location.absUrl() ...>) + - pattern: $DECODE(<... $location.url() ...>) + - pattern: $DECODE(<... $location.hash() ...>) + - metavariable-regex: + metavariable: $DECODE + regex: ^(unescape|decodeURI|decodeURIComponent)$ + - patterns: + - pattern-inside: $http.$METHOD(...).$CONTINUE(function $FUNC($RES) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|delete|head|jsonp|post|put|patch) + - pattern: $RES.data + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + angular.element(...). ... .$SINK($QUERY) + - pattern-inside: | + $ANGULAR = angular.element(...) + ... + $ANGULAR. ... .$SINK($QUERY) + - metavariable-regex: + metavariable: $SINK + regex: ^(after|append|html|prepend|replaceWith|wrap)$ + - focus-metavariable: $QUERY + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern: $sce.getTrustedHtml(...) + - pattern: $sanitize(...) + - pattern: DOMPurify.sanitize(...) +- id: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization + mode: taint + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context): + ... + pattern-sinks: + - patterns: + - focus-metavariable: $SINK + - pattern-either: + - pattern: pickle.load($SINK,...) + - pattern: pickle.loads($SINK,...) + - pattern: _pickle.load($SINK,...) + - pattern: _pickle.loads($SINK,...) + - pattern: cPickle.load($SINK,...) + - pattern: cPickle.loads($SINK,...) + - pattern: dill.load($SINK,...) + - pattern: dill.loads($SINK,...) + - pattern: shelve.open($SINK,...) + message: Avoid using `pickle`, which is known to lead to code execution vulnerabilities. + When unpickling, the serialized data could be manipulated to run arbitrary code. + Instead, consider serializing the relevant data as JSON or a similar text-based + serialization format. + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://docs.python.org/3/library/pickle.html + - https://davidhamann.de/2020/04/05/exploiting-python-pickle/ + category: security + technology: + - python + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization + shortlink: https://sg.run/JbjW + semgrep.dev: + rule: + rule_id: JDUDQg + version_id: WrTbJ6 + url: https://semgrep.dev/playground/r/WrTbJ6/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization + origin: community + languages: + - python + severity: WARNING +- id: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection + mode: taint + pattern-sources: + - patterns: + - focus-metavariable: $ARG + - pattern-inside: | + Route::$METHOD($ROUTE_NAME, function(...,$ARG,...){...}) + pattern-sanitizers: + - patterns: + - pattern: | + DB::raw("...",[...]) + pattern-sinks: + - patterns: + - pattern: | + DB::raw(...) + message: HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL + injection via string concatenation or unsafe interpolation. + languages: + - php + severity: WARNING + metadata: + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md + technology: + - php + - laravel + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection + shortlink: https://sg.run/x94g + semgrep.dev: + rule: + rule_id: zdUln0 + version_id: X0TPYR + url: https://semgrep.dev/playground/r/X0TPYR/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection + origin: community +- id: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator + mode: taint + pattern-sources: + - patterns: + - pattern: | + public function $F(...,Request $R,...){...} + - focus-metavariable: $R + - patterns: + - pattern-either: + - pattern: | + $this->$PROPERTY + - pattern: | + $this->$PROPERTY->$GET + - metavariable-pattern: + metavariable: $PROPERTY + patterns: + - pattern-either: + - pattern: query + - pattern: request + - pattern: headers + - pattern: cookies + - pattern: cookie + - pattern: files + - pattern: file + - pattern: allFiles + - pattern: input + - pattern: all + - pattern: post + - pattern: json + - pattern-either: + - pattern-inside: | + class $CL extends Illuminate\Http\Request {...} + - pattern-inside: | + class $CL extends Illuminate\Foundation\Http\FormRequest {...} + pattern-sinks: + - patterns: + - pattern: | + Illuminate\Validation\Rule::unique(...)->ignore(...,$IGNORE,...) + - focus-metavariable: $IGNORE + message: Found a request argument passed to an `ignore()` definition in a Rule constraint. + This can lead to SQL injection. + languages: + - php + severity: ERROR + metadata: + category: security + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + technology: + - php + - laravel + references: + - https://laravel.com/docs/9.x/validation#rule-unique + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator + shortlink: https://sg.run/vkeb + semgrep.dev: + rule: + rule_id: X5ULgE + version_id: w8T3We + url: https://semgrep.dev/playground/r/w8T3We/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator + origin: community +- id: java.spring.security.injection.tainted-file-path.tainted-file-path + languages: + - java + severity: ERROR + message: Detected user input controlling a file path. An attacker could control + the location of this file, to include going backwards in the directory with '../'. + To address this, ensure that user-controlled variables in file paths are sanitized. + You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) + to only retrieve the file name from the path. + metadata: + cwe: + - 'CWE-23: Relative Path Traversal' + owasp: + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - java + - spring + subcategory: + - vuln + impact: HIGH + likelihood: MEDIUM + confidence: HIGH + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path + shortlink: https://sg.run/x9o0 + semgrep.dev: + rule: + rule_id: lBUxok + version_id: nWT7pG + url: https://semgrep.dev/playground/r/nWT7pG/java.spring.security.injection.tainted-file-path.tainted-file-path + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { + ... + } + - pattern-inside: | + $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { + ... + } + - metavariable-regex: + metavariable: $TYPE + regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) + - metavariable-regex: + metavariable: $REQ + regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) + - focus-metavariable: $SOURCE + pattern-sinks: + - patterns: + - pattern-either: + - pattern: new File(...) + - pattern: new java.io.File(...) + - pattern: new FileReader(...) + - pattern: new java.io.FileReader(...) + - pattern: new FileInputStream(...) + - pattern: new java.io.FileInputStream(...) + - pattern: (Paths $PATHS).get(...) + - patterns: + - pattern: | + $CLASS.$FUNC(...) + - metavariable-regex: + metavariable: $FUNC + regex: ^(getResourceAsStream|getResource)$ + - patterns: + - pattern-either: + - pattern: new ClassPathResource($FILE, ...) + - pattern: ResourceUtils.getFile($FILE, ...) + - pattern: new FileOutputStream($FILE, ...) + - pattern: new java.io.FileOutputStream($FILE, ...) + - pattern: new StreamSource($FILE, ...) + - pattern: new javax.xml.transform.StreamSource($FILE, ...) + - pattern: FileUtils.openOutputStream($FILE, ...) + - focus-metavariable: $FILE + pattern-sanitizers: + - pattern: org.apache.commons.io.FilenameUtils.getName(...) +- id: java.spring.security.injection.tainted-html-string.tainted-html-string + languages: + - java + severity: ERROR + message: Detected user input flowing into a manually constructed HTML string. You + may be accidentally bypassing secure methods of rendering HTML by manually constructing + HTML and this could create a cross-site scripting vulnerability, which could let + attackers steal sensitive user data. To be sure this is safe, check that the HTML + is rendered safely. You can use the OWASP ESAPI encoder if you must render user + data. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + category: security + technology: + - java + - spring + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string + shortlink: https://sg.run/ObdR + semgrep.dev: + rule: + rule_id: YGUvkL + version_id: ExTngr + url: https://semgrep.dev/playground/r/ExTngr/java.spring.security.injection.tainted-html-string.tainted-html-string + origin: community + mode: taint + pattern-sources: + - label: INPUT + patterns: + - pattern-either: + - pattern-inside: | + $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { + ... + } + - pattern-inside: | + $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { + ... + } + - metavariable-regex: + metavariable: $TYPE + regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) + - metavariable-regex: + metavariable: $REQ + regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) + - focus-metavariable: $SOURCE + - label: CONCAT + by-side-effect: true + requires: INPUT + patterns: + - pattern-either: + - pattern: | + "$HTMLSTR" + ... + - pattern: | + "$HTMLSTR".concat(...) + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder("$HTMLSTR"); + ... + - pattern: $SB.append(...) + - patterns: + - pattern-inside: | + $VAR = "$HTMLSTR"; + ... + - pattern: $VAR += ... + - pattern: String.format("$HTMLSTR", ...) + - patterns: + - pattern-inside: | + String $VAR = "$HTMLSTR"; + ... + - pattern: String.format($VAR, ...) + - metavariable-regex: + metavariable: $HTMLSTR + regex: ^<\w+ + pattern-propagators: + - pattern: (StringBuilder $SB).append($...TAINTED) + from: $...TAINTED + to: $SB + - pattern: $VAR += $...TAINTED + from: $...TAINTED + to: $VAR + pattern-sinks: + - requires: CONCAT + patterns: + - pattern-either: + - pattern: new ResponseEntity<>($PAYLOAD, ...) + - pattern: new ResponseEntity<$ERROR>($PAYLOAD, ...) + - pattern: ResponseEntity. ... .body($PAYLOAD) + - patterns: + - pattern: | + ResponseEntity.$RESPFUNC($PAYLOAD). ... + - metavariable-regex: + metavariable: $RESPFUNC + regex: ^(ok|of)$ + - focus-metavariable: $PAYLOAD + pattern-sanitizers: + - pattern-either: + - pattern: Encode.forHtml(...) + - pattern: (PolicyFactory $POLICY).sanitize(...) + - pattern: (AntiSamy $AS).scan(...) + - pattern: JSoup.clean(...) +- id: java.spring.security.injection.tainted-system-command.tainted-system-command + languages: + - java + severity: ERROR + mode: taint + pattern-propagators: + - pattern: (StringBuilder $STRB).append($INPUT) + from: $INPUT + to: $STRB + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { + ... + } + - pattern-inside: | + $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { + ... + } + - metavariable-regex: + metavariable: $TYPE + regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) + - metavariable-regex: + metavariable: $REQ + regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) + - focus-metavariable: $SOURCE + label: INPUT + - patterns: + - pattern-either: + - pattern: $X + $SOURCE + - pattern: $SOURCE + $Y + - pattern: (StringBuilder $STRB).append($SOURCE) + - pattern: String.format("...", ..., $SOURCE, ...) + - pattern: String.join("...", ..., $SOURCE, ...) + - pattern: (String $STR).concat($SOURCE) + - pattern: $SOURCE.concat(...) + - pattern: $X += $SOURCE + - pattern: $SOURCE += $X + label: CONCAT + requires: INPUT + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (Process $P) = new Process(...); + - pattern: | + (ProcessBuilder $PB).command(...); + - patterns: + - pattern-either: + - pattern: | + (Runtime $R).$EXEC(...); + - pattern: | + Runtime.getRuntime(...).$EXEC(...); + - metavariable-regex: + metavariable: $EXEC + regex: (exec|loadLibrary|load) + - patterns: + - pattern: | + (ProcessBuilder $PB).command(...).$ADD(...); + - metavariable-regex: + metavariable: $ADD + regex: (add|addAll) + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $BUILDER = new ProcessBuilder(...); + ... + - pattern: $BUILDER.start(...) + - pattern: | + new ProcessBuilder(...). ... .start(...); + requires: CONCAT + message: 'Detected user input entering a method which executes a system command. + This could result in a command injection vulnerability, which allows an attacker + to inject an arbitrary system command onto the server. The attacker could download + malware onto or steal data from the server. Instead, use ProcessBuilder, separating + the command into individual arguments, like this: `new ProcessBuilder("ls", "-al", + targetDirectory)`. Further, make sure you hardcode or allowlist the actual command + so that attackers can''t run arbitrary commands.' + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + category: security + technology: + - java + - spring + confidence: HIGH + references: + - https://www.stackhawk.com/blog/command-injection-java/ + - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html + - https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command + shortlink: https://sg.run/epY0 + semgrep.dev: + rule: + rule_id: 6JUxGN + version_id: LjT0XX + url: https://semgrep.dev/playground/r/LjT0XX/java.spring.security.injection.tainted-system-command.tainted-system-command + origin: community +- id: java.spring.security.injection.tainted-url-host.tainted-url-host + languages: + - java + severity: ERROR + message: User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially exposing + sensitive data such as cookies or authorization information sent with this request. + They could also probe internal servers or other resources that the server runnig + this code can access. (This is called server-side request forgery, or SSRF.) Do + not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode + the correct host, or ensure that the user data can only affect the path or parameters. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - java + - spring + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + interfile: true + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host + shortlink: https://sg.run/vkYn + semgrep.dev: + rule: + rule_id: oqUZo8 + version_id: 8KTbK9 + url: https://semgrep.dev/playground/r/8KTbK9/java.spring.security.injection.tainted-url-host.tainted-url-host + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { + ... + } + - pattern-inside: | + $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { + ... + } + - metavariable-regex: + metavariable: $TYPE + regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) + - metavariable-regex: + metavariable: $REQ + regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) + - focus-metavariable: $SOURCE + pattern-sinks: + - pattern-either: + - pattern: new URL($ONEARG) + - patterns: + - pattern-either: + - pattern: | + "$URLSTR" + ... + - pattern: | + "$URLSTR".concat(...) + - patterns: + - pattern-inside: | + StringBuilder $SB = new StringBuilder("$URLSTR"); + ... + - pattern: $SB.append(...) + - patterns: + - pattern-inside: | + $VAR = "$URLSTR"; + ... + - pattern: $VAR += ... + - patterns: + - pattern: String.format("$URLSTR", ...) + - pattern-not: String.format("$URLSTR", "...", ...) + - patterns: + - pattern-inside: | + String $VAR = "$URLSTR"; + ... + - pattern: String.format($VAR, ...) + - metavariable-regex: + metavariable: $URLSTR + regex: http(s?)://%(v|s|q).* +- id: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization + mode: taint + languages: + - ruby + message: Deserialization of a string tainted by `event` object found. Objects in + Ruby can be serialized into strings, then later loaded from strings. However, + uses of `load` can cause remote code execution. Loading user input with MARSHAL, + YAML or CSV can potentially be dangerous. If you need to deserialize untrusted + data, you should use JSON as it is only capable of returning 'primitive' types + such as strings, arrays, hashes, numbers and nil. + metadata: + references: + - https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html + - https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb + category: security + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + technology: + - ruby + - aws-lambda + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization + shortlink: https://sg.run/dplX + semgrep.dev: + rule: + rule_id: zdUlNJ + version_id: 5PT6ly + url: https://semgrep.dev/playground/r/5PT6ly/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization + origin: community + pattern-sinks: + - patterns: + - pattern: $SINK + - pattern-either: + - pattern-inside: | + YAML.load($SINK,...) + - pattern-inside: | + CSV.load($SINK,...) + - pattern-inside: | + Marshal.load($SINK,...) + - pattern-inside: | + Marshal.restore($SINK,...) + pattern-sources: + - patterns: + - pattern: event + - pattern-inside: | + def $HANDLER(event, context) + ... + end + severity: WARNING +- id: javascript.express.security.audit.express-libxml-noent.express-libxml-noent + message: The libxml library processes user-input with the `noent` attribute is set + to `true` which can lead to being vulnerable to XML External Entities (XXE) type + attacks. It is recommended to set `noent` to `false` when using this feature to + ensure you are protected. + metadata: + interfile: true + references: + - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + technology: + - express + category: security + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent + shortlink: https://sg.run/Z75x + semgrep.dev: + rule: + rule_id: pKUNeD + version_id: gETqxo + url: https://semgrep.dev/playground/r/gETqxo/javascript.express.security.audit.express-libxml-noent.express-libxml-noent + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - pattern: $REQ.files.$ANYTHING.data.toString('utf8') + - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - pattern: files.$ANYTHING.data.toString('utf8') + - pattern: files.$ANYTHING['data'].toString('utf8') + pattern-sinks: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + $XML = require('$IMPORT') + ... + - pattern-inside: | + import $XML from '$IMPORT' + ... + - pattern-inside: | + import * as $XML from '$IMPORT' + ... + - metavariable-regex: + metavariable: $IMPORT + regex: ^(libxmljs|libxmljs2)$ + - pattern-inside: $XML.$FUNC($QUERY, {...,noent:true,...}) + - metavariable-regex: + metavariable: $FUNC + regex: ^(parseXmlString|parseXml)$ + - focus-metavariable: $QUERY +- id: javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent + message: Detected use of parseXml() function with the `noent` field set to `true`. + This can lead to an XML External Entities (XXE) attack if untrusted data is passed + into it. + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent + shortlink: https://sg.run/n8Ag + semgrep.dev: + rule: + rule_id: 2ZUY52 + version_id: QkTJ0Y + url: https://semgrep.dev/playground/r/QkTJ0Y/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: $VM.runInContext("$CMD", ...) + - pattern: $VM.runInNewContext("$CMD", ...) + - pattern: $VM.runInThisContext("$CMD", ...) + - pattern: $VM.compileFunction("$CMD", ...) + - metavariable-pattern: + metavariable: $CMD + language: typescript + pattern-either: + - pattern: | + $LIBXML.parseXml($DATA, {..., noent: true, ...}, ...) + - patterns: + - pattern-inside: | + $OPTS = {..., noent: true, ...} + ... + - pattern: $LIBXML.parseXml( $DATA, $OPTS ) + - pattern: | + $LIBXML.parseXml($DATA, {..., noent: true, ...}, ...) + - patterns: + - pattern-inside: | + $OPTS = {..., noent: true, ...} + ... + - pattern: $LIBXML.parseXml( $DATA, $OPTS ) +- id: javascript.express.security.audit.express-open-redirect.express-open-redirect + message: The application redirects to a URL specified by user-supplied input `$REQ` + that is not validated. This could redirect users to malicious locations. Consider + using an allow-list approach to validate URLs, or warn users they are being redirected + to a third-party website. + metadata: + technology: + - express + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + category: security + owasp: + - A01:2021 - Broken Access Control + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect + shortlink: https://sg.run/EpoP + semgrep.dev: + rule: + rule_id: X5ULkq + version_id: 3ZTdQZ + url: https://semgrep.dev/playground/r/3ZTdQZ/javascript.express.security.audit.express-open-redirect.express-open-redirect + origin: community + languages: + - javascript + - typescript + severity: WARNING + options: + taint_unify_mvars: true + symbolic_propagation: true + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $RES.redirect("$HTTP"+$REQ. ... .$VALUE) + - pattern: $RES.redirect("$HTTP"+$REQ. ... .$VALUE + $...A) + - pattern: $RES.redirect(`$HTTP${$REQ. ... .$VALUE}...`) + - pattern: $RES.redirect("$HTTP"+$REQ.$VALUE[...]) + - pattern: $RES.redirect("$HTTP"+$REQ.$VALUE[...] + $...A) + - pattern: $RES.redirect(`$HTTP${$REQ.$VALUE[...]}...`) + - metavariable-regex: + metavariable: $HTTP + regex: ^https?:\/\/$ + - pattern-either: + - pattern: $REQ. ... .$VALUE + - patterns: + - pattern-either: + - pattern: $RES.redirect($REQ. ... .$VALUE) + - pattern: $RES.redirect($REQ. ... .$VALUE + $...A) + - pattern: $RES.redirect(`${$REQ. ... .$VALUE}...`) + - pattern: $REQ. ... .$VALUE + - patterns: + - pattern-either: + - pattern: $RES.redirect($REQ.$VALUE['...']) + - pattern: $RES.redirect($REQ.$VALUE['...'] + $...A) + - pattern: $RES.redirect(`${$REQ.$VALUE['...']}...`) + - pattern: $REQ.$VALUE + - patterns: + - pattern-either: + - pattern-inside: | + $ASSIGN = $REQ. ... .$VALUE + ... + - pattern-inside: | + $ASSIGN = $REQ.$VALUE['...'] + ... + - pattern-inside: | + $ASSIGN = $REQ. ... .$VALUE + $...A + ... + - pattern-inside: "$ASSIGN = $REQ.$VALUE['...'] + $...A\n... \n" + - pattern-inside: | + $ASSIGN = `${$REQ. ... .$VALUE}...` + ... + - pattern-inside: "$ASSIGN = `${$REQ.$VALUE['...']}...`\n... \n" + - pattern-either: + - pattern: $RES.redirect($ASSIGN) + - pattern: $RES.redirect($ASSIGN + $...FOO) + - pattern: $RES.redirect(`${$ASSIGN}...`) + - focus-metavariable: $ASSIGN +- id: javascript.express.security.audit.express-res-sendfile.express-res-sendfile + message: The application processes user-input, this is passed to res.sendFile which + can allow an attacker to arbitrarily read files on the system through path traversal. + It is recommended to perform input validation in addition to canonicalizing the + path. This allows you to validate the path against the intended directory it should + be accessing. + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html + technology: + - express + category: security + cwe: + - 'CWE-73: External Control of File Name or Path' + owasp: + - A04:2021 - Insecure Design + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile + shortlink: https://sg.run/7DJk + semgrep.dev: + rule: + rule_id: j2UzDx + version_id: PkTY14 + url: https://semgrep.dev/playground/r/PkTY14/javascript.express.security.audit.express-res-sendfile.express-res-sendfile + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + function ... (...,$REQ: $TYPE, ...) {...} + - metavariable-regex: + metavariable: $TYPE + regex: ^(string|String) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $RES.$METH($QUERY,...) + - pattern-not-inside: $RES.$METH($QUERY,$OPTIONS) + - metavariable-regex: + metavariable: $METH + regex: ^(sendfile|sendFile)$ + - focus-metavariable: $QUERY +- id: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + category: security + technology: + - express + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + shortlink: https://sg.run/LYvG + semgrep.dev: + rule: + rule_id: 10Uo39 + version_id: JdTqpX + url: https://semgrep.dev/playground/r/JdTqpX/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern-inside: | + import $SESSION from 'express-session' + ... + - pattern-inside: | + import {..., $SESSION, ...} from 'express-session' + ... + - pattern-inside: | + import * as $SESSION from 'express-session' + ... + - patterns: + - pattern-either: + - pattern-inside: $APP.use($SESSION({...})) + - pattern: | + $SECRET = $VALUE + ... + $APP.use($SESSION($SECRET)) + - pattern: | + secret: '$Y' +- id: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization + message: The following function call $SER.$FUNC accepts user controlled data which + can result in Remote Code Execution (RCE) through Object Deserialization. It is + recommended to use secure data processing alternatives such as JSON.parse() and + Buffer.from(). + metadata: + interfile: true + technology: + - express + category: security + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html + source_rule_url: + - https://github.com/ajinabraham/njsscan/blob/75bfbeb9c8d72999e4d527dfa2548f7f0f3cc48a/njsscan/rules/semantic_grep/eval/eval_deserialize.yaml + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization + shortlink: https://sg.run/8W5j + semgrep.dev: + rule: + rule_id: 9AUyqj + version_id: GxT26d + url: https://semgrep.dev/playground/r/GxT26d/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - pattern: $REQ.files.$ANYTHING.data.toString('utf8') + - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - pattern: files.$ANYTHING.data.toString('utf8') + - pattern: files.$ANYTHING['data'].toString('utf8') + pattern-sinks: + - pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + $SER = require('$IMPORT') + ... + - pattern-inside: | + import $SER from '$IMPORT' + ... + - pattern-inside: | + import * as $SER from '$IMPORT' + ... + - metavariable-regex: + metavariable: $IMPORT + regex: ^(node-serialize|serialize-to-js)$ + - pattern: $SER.$FUNC(...) + - metavariable-regex: + metavariable: $FUNC + regex: ^(unserialize|deserialize)$ +- id: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + message: Detected a sequelize statement that is tainted by user-input. This could + lead to SQL injection if the variable is user-controlled and is not properly sanitized. + In order to prevent SQL injection, it is recommended to use parameterized queries + or prepared statements. + metadata: + interfile: true + references: + - https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements + category: security + technology: + - express + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + shortlink: https://sg.run/gjoe + semgrep.dev: + rule: + rule_id: yyU0GX + version_id: YDToE2 + url: https://semgrep.dev/playground/r/YDToE2/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - pattern: $REQ.files.$ANYTHING.data.toString('utf8') + - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + - pattern: files.$ANYTHING.data.toString('utf8') + - pattern: files.$ANYTHING['data'].toString('utf8') + pattern-sinks: + - pattern-either: + - patterns: + - pattern-either: + - pattern: sequelize.query($QUERY,...) + - pattern: $DB.sequelize.query($QUERY,...) + - focus-metavariable: $QUERY + pattern-sanitizers: + - pattern-either: + - pattern: parseInt(...) + - pattern: $FUNC. ... .hash(...) +- id: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization + message: Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. + Manually sanitizing input through a manually built list can be circumvented in + many situations, and it's better to use a well known sanitization library such + as `sanitize-html` or `DOMPurify`. + metadata: + category: security + technology: + - javascript + - typescript + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + references: + - https://www.npmjs.com/package/dompurify + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization + shortlink: https://sg.run/AzoB + semgrep.dev: + rule: + rule_id: kxUYE9 + version_id: l4T5xb + url: https://semgrep.dev/playground/r/l4T5xb/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern-either: + - pattern: $STR.$FUNC('<', '<') + - pattern: $STR.$FUNC('>', '>') + - pattern: $STR.$FUNC('"', '"') + - pattern: $STR.$FUNC("'", ''') + - pattern: $STR.$FUNC('&', '&') + - metavariable-regex: + metavariable: $FUNC + regex: (replace|replaceAll) +- id: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage + message: A CSRF middleware was not detected in your express application. Ensure + you are either using one such as `csurf` or `csrf` (see rule references) and/or + you are properly doing CSRF validation in your routes with a token or cookies. + metadata: + category: security + references: + - https://www.npmjs.com/package/csurf + - https://www.npmjs.com/package/csrf + - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + technology: + - javascript + - typescript + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage + shortlink: https://sg.run/BxzR + semgrep.dev: + rule: + rule_id: wdUKEq + version_id: O9TyOQ + url: https://semgrep.dev/playground/r/O9TyOQ/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern-inside: | + $EXPRESS = require('express') + ... + - pattern-not-inside: | + import {$CSRF} from 'csurf' + ... + - pattern-not-inside: | + require('csurf') + ... + - pattern-not-inside: | + import {$CSRF} from 'csrf' + ... + - pattern-not-inside: | + require('csrf') + ... + - pattern: | + $APP = $EXPRESS() +- id: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing + message: Directory listing/indexing is enabled, which may lead to disclosure of + sensitive directories and files. It is recommended to disable directory listing + unless it is a public resource. If you need directory listing, ensure that sensitive + files are inaccessible when querying the resource. + metadata: + interfile: true + cwe: + - 'CWE-548: Exposure of Information Through Directory Listing' + owasp: + - A06:2017 - Security Misconfiguration + - A01:2021 - Broken Access Control + category: security + technology: + - express + references: + - https://www.npmjs.com/package/serve-index + - https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/ + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing + shortlink: https://sg.run/DX2G + semgrep.dev: + rule: + rule_id: x8UqEb + version_id: e1Tx1b + url: https://semgrep.dev/playground/r/e1Tx1b/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $APP.use(require('serve-index')(...)) + - patterns: + - pattern-either: + - pattern-inside: | + $SERVEINDEX = require('serve-index') + ... + - pattern-inside: | + import $SERVEINDEX from 'serve-index' + ... + - pattern-inside: | + import * as $SERVEINDEX from 'serve-index' + ... + - pattern-either: + - patterns: + - pattern-inside: | + $VALUE = $SERVEINDEX(...) + ... + - pattern: | + $VALUE(...) + - pattern: | + $APP.use(..., $SERVEINDEX(...), ...) +- id: javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage + message: Detected usage of the `notevil` package, which is unmaintained and has + vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, + but if you must, the `eval` package is an up to date alternative. Be sure that + only trusted input reaches an `eval()` function. + metadata: + category: security + references: + - https://github.com/mmckegg/notevil + cwe: + - 'CWE-1104: Use of Unmaintained Third Party Components' + owasp: + - A06:2021 - Vulnerable and Outdated Components + technology: + - javascript + - typescript + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage + shortlink: https://sg.run/W70E + semgrep.dev: + rule: + rule_id: OrUX9K + version_id: LjT0Qd + url: https://semgrep.dev/playground/r/LjT0Qd/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + import $EVAL from 'notevil' + ... + - pattern-inside: | + import {$EVAL} from 'notevil' + ... + - pattern-inside: | + $EVAL = require('notevil') + ... + - pattern-either: + - patterns: + - pattern: $EVAL(...) + - pattern-not: $EVAL('...') + - patterns: + - pattern-either: + - pattern: $VM.runInContext("$CMD", ...) + - pattern: $VM.runInNewContext("$CMD", ...) + - pattern: $VM.runInThisContext("$CMD", ...) + - pattern: $VM.compileFunction("$CMD", ...) + - metavariable-pattern: + patterns: + - pattern: $EVAL(...) + - pattern-not: $EVAL('...') + metavariable: $CMD + language: typescript +- id: javascript.express.security.audit.express-ssrf.express-ssrf + message: 'The following request $REQUEST.$METHOD() was found to be crafted from + user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. + It is recommended where possible to not allow user-input to craft the base request, + but to be treated as part of the path or query parameter. When user-input is necessary + to craft the request, it is recommeneded to follow OWASP best practices to prevent + abuse. ' + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + technology: + - express + category: security + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf + shortlink: https://sg.run/0PNw + semgrep.dev: + rule: + rule_id: eqU9l2 + version_id: 5PT6Ab + url: https://semgrep.dev/playground/r/5PT6Ab/javascript.express.security.audit.express-ssrf.express-ssrf + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + options: + taint_unify_mvars: true + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, ...) {...} + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,...) => + {...} + - pattern-inside: | + ({ $REQ }: $EXPRESS.Request,...) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $REQUEST = require('request') + ... + - pattern-inside: | + import * as $REQUEST from 'request' + ... + - pattern-inside: | + import $REQUEST from 'request' + ... + - pattern-either: + - pattern: $REQUEST.$METHOD("$HTTP"+$REQ. ... .$VALUE) + - pattern: $REQUEST.$METHOD("$HTTP"+$REQ. ... .$VALUE + $...A) + - pattern: $REQUEST.$METHOD(`$HTTP${$REQ. ... .$VALUE}...`) + - pattern: $REQUEST.$METHOD("$HTTP"+$REQ.$VALUE[...]) + - pattern: $REQUEST.$METHOD("$HTTP"+$REQ.$VALUE[...] + $...A) + - pattern: $REQUEST.$METHOD(`$HTTP${$REQ.$VALUE[...]}...`) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|patch|del|head|delete)$ + - metavariable-regex: + metavariable: $HTTP + regex: ^(https?:\/\/|//)$ + - pattern-either: + - pattern: $REQ. ... .$VALUE + - patterns: + - pattern-either: + - pattern-inside: | + $REQUEST = require('request') + ... + - pattern-inside: | + import * as $REQUEST from 'request' + ... + - pattern-inside: | + import $REQUEST from 'request' + ... + - pattern-either: + - pattern: $REQUEST.$METHOD($REQ. ... .$VALUE,...) + - pattern: $REQUEST.$METHOD($REQ. ... .$VALUE + $...A,...) + - pattern: $REQUEST.$METHOD(`${$REQ. ... .$VALUE}...`,...) + - pattern: $REQ. ... .$VALUE + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|patch|del|head|delete)$ + - patterns: + - pattern-either: + - pattern-inside: | + $REQUEST = require('request') + ... + - pattern-inside: | + import * as $REQUEST from 'request' + ... + - pattern-inside: | + import $REQUEST from 'request' + ... + - pattern-either: + - pattern: $REQUEST.$METHOD($REQ.$VALUE['...'],...) + - pattern: $REQUEST.$METHOD($REQ.$VALUE['...'] + $...A,...) + - pattern: $REQUEST.$METHOD(`${$REQ.$VALUE['...']}...`,...) + - pattern: $REQ.$VALUE + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|patch|del|head|delete)$ + - patterns: + - pattern-either: + - pattern-inside: | + $REQUEST = require('request') + ... + - pattern-inside: | + import * as $REQUEST from 'request' + ... + - pattern-inside: | + import $REQUEST from 'request' + ... + - pattern-either: + - pattern-inside: | + $ASSIGN = $REQ. ... .$VALUE + ... + - pattern-inside: | + $ASSIGN = $REQ. ... .$VALUE['...'] + ... + - pattern-inside: | + $ASSIGN = $REQ. ... .$VALUE + $...A + ... + - pattern-inside: "$ASSIGN = $REQ. ... .$VALUE['...'] + $...A\n... \n" + - pattern-inside: | + $ASSIGN = `${$REQ. ... .$VALUE}...` + ... + - pattern-inside: "$ASSIGN = `${$REQ. ... .$VALUE['...']}...`\n... \n" + - patterns: + - pattern-either: + - pattern-inside: | + $ASSIGN = "$HTTP"+ $REQ. ... .$VALUE + ... + - pattern-inside: | + $ASSIGN = "$HTTP"+$REQ. ... .$VALUE + $...A + ... + - pattern-inside: | + $ASSIGN = "$HTTP"+$REQ.$VALUE[...] + ... + - pattern-inside: | + $ASSIGN = "$HTTP"+$REQ.$VALUE[...] + $...A + ... + - pattern-inside: | + $ASSIGN = `$HTTP${$REQ.$VALUE[...]}...` + ... + - metavariable-regex: + metavariable: $HTTP + regex: ^(https?:\/\/|//)$ + - pattern-either: + - pattern: $REQUEST.$METHOD($ASSIGN,...) + - pattern: $REQUEST.$METHOD($ASSIGN + $...FOO,...) + - pattern: $REQUEST.$METHOD(`${$ASSIGN}...`,...) + - patterns: + - pattern-either: + - pattern: $REQUEST.$METHOD("$HTTP"+$ASSIGN,...) + - pattern: $REQUEST.$METHOD("$HTTP"+$ASSIGN + $...A,...) + - pattern: $REQUEST.$METHOD(`$HTTP${$ASSIGN}...`,...) + - metavariable-regex: + metavariable: $HTTP + regex: ^(https?:\/\/|//)$ + - pattern: $ASSIGN + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|patch|del|head|delete)$ +- id: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key + message: Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using + an alternate option such as reading the secret from a config file or using an + environment variable. + metadata: + interfile: true + category: security + technology: + - crypto + - hmac + references: + - https://rules.sonarsource.com/javascript/RSPEC-2068 + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management + owasp: + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key + shortlink: https://sg.run/K9bn + semgrep.dev: + rule: + rule_id: v8UGEw + version_id: 5PT6od + url: https://semgrep.dev/playground/r/5PT6od/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern-either: + - pattern: $CRYPTO.createHmac($ALGO, '...') + - patterns: + - pattern-inside: | + const $SECRET = '...' + ... + - pattern: $CRYPTO.createHmac($ALGO, $SECRET) +- id: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure + patterns: + - pattern: $APP.UseDeveloperExceptionPage(...); + - pattern-not-inside: "if ($ENV.IsDevelopment(...)) {\n ... \n $APP.UseDeveloperExceptionPage(...); + \n ...\n}\n" + message: Stacktrace information is displayed in a non-Development environment. Accidentally + disclosing sensitive stack trace information in a production environment aids + an attacker in reconnaissance and information gathering. + metadata: + category: security + technology: + - csharp + owasp: + - A06:2017 - Security Misconfiguration + - A04:2021 - Insecure Design + cwe: + - 'CWE-209: Generation of Error Message Containing Sensitive Information' + references: + - https://cwe.mitre.org/data/definitions/209.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure + shortlink: https://sg.run/XvkA + semgrep.dev: + rule: + rule_id: lBU6Dv + version_id: yeTXRK + url: https://semgrep.dev/playground/r/yeTXRK/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure + origin: community + languages: + - csharp + severity: WARNING +- id: csharp.dotnet.security.audit.mass-assignment.mass-assignment + message: Mass assignment or Autobinding vulnerability in code allows an attacker + to execute over-posting attacks, which could create a new parameter in the binding + request and manipulate the underlying object in the application. + severity: WARNING + metadata: + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + category: security + cwe: + - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object + Attributes' + owasp: + - A08:2021 - Software and Data Integrity Failures + references: + - https://cwe.mitre.org/data/definitions/915.html + - https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md + subcategory: + - vuln + technology: + - .net + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mass Assignment + source: https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment + shortlink: https://sg.run/7B3e + semgrep.dev: + rule: + rule_id: x8Up5B + version_id: yeTXkK + url: https://semgrep.dev/playground/r/yeTXkK/csharp.dotnet.security.audit.mass-assignment.mass-assignment + origin: community + languages: + - csharp + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + public IActionResult $METHOD(..., $TYPE $ARG, ...){ + ... + } + - pattern: | + public ActionResult $METHOD(..., $TYPE $ARG, ...){ + ... + } + - pattern-inside: | + using Microsoft.AspNetCore.Mvc; + ... + - pattern-not: | + public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){ + ... + } + - pattern-not: | + public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){ + ... + } + - focus-metavariable: $ARG + pattern-sinks: + - pattern: View(...) +- id: python.lang.security.dangerous-code-run.dangerous-interactive-code-run + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $X = code.InteractiveConsole(...) + ... + - pattern-inside: | + $X = code.InteractiveInterpreter(...) + ... + - pattern-either: + - pattern: | + $X.push($PAYLOAD,...) + - pattern: | + $X.runsource($PAYLOAD,...) + - pattern: | + $X.runcode(code.compile_command($PAYLOAD),...) + - pattern: | + $PL = code.compile_command($PAYLOAD,...) + ... + $X.runcode($PL,...) + - focus-metavariable: $PAYLOAD + - pattern-not: | + $X.push("...",...) + - pattern-not: | + $X.runsource("...",...) + - pattern-not: | + $X.runcode(code.compile_command("..."),...) + - pattern-not: | + $PL = code.compile_command("...",...) + ... + $X.runcode($PL,...) + message: Found user controlled data inside InteractiveConsole/InteractiveInterpreter + method. This is dangerous if external data can reach this function call because + it allows a malicious actor to run arbitrary Python code. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + category: security + technology: + - python + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-code-run.dangerous-interactive-code-run + shortlink: https://sg.run/9pRY + semgrep.dev: + rule: + rule_id: KxUKzx + version_id: gETqp2 + url: https://semgrep.dev/playground/r/gETqp2/python.lang.security.dangerous-code-run.dangerous-interactive-code-run + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.dangerous-os-exec.dangerous-os-exec + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-not: os.$METHOD("...", ...) + - pattern: os.$METHOD(...) + - metavariable-regex: + metavariable: $METHOD + regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe) + - patterns: + - pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...) + - pattern-inside: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...) + - pattern: $CMD + - metavariable-regex: + metavariable: $METHOD + regex: (execv|execve|execvp|execvpe) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - patterns: + - pattern-not: os.$METHOD("...", $PATH, "...", "...",...) + - pattern-inside: os.$METHOD($BASH, $PATH, "-c", $CMD,...) + - pattern: $CMD + - metavariable-regex: + metavariable: $METHOD + regex: (execl|execle|execlp|execlpe) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + message: Found user controlled content when spawning a process. This is dangerous + because it allows a malicious actor to execute commands. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + confidence: MEDIUM + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-os-exec.dangerous-os-exec + shortlink: https://sg.run/yL9x + semgrep.dev: + rule: + rule_id: qNUR13 + version_id: 3ZTdgX + url: https://semgrep.dev/playground/r/3ZTdgX/python.lang.security.dangerous-os-exec.dangerous-os-exec + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.dangerous-spawn-process.dangerous-spawn-process + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + - patterns: + - pattern-either: + - pattern: os.environ['$ANYTHING'] + - pattern: os.environ.get('$FOO', ...) + - pattern: os.environb['$ANYTHING'] + - pattern: os.environb.get('$FOO', ...) + - pattern: os.getenv('$ANYTHING', ...) + - pattern: os.getenvb('$ANYTHING', ...) + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: sys.argv[...] + - pattern: sys.orig_argv[...] + - patterns: + - pattern-inside: | + $PARSER = argparse.ArgumentParser(...) + ... + - pattern-inside: | + $ARGS = $PARSER.parse_args() + - pattern: <... $ARGS ...> + - patterns: + - pattern-inside: | + $PARSER = optparse.OptionParser(...) + ... + - pattern-inside: | + $ARGS = $PARSER.parse_args() + - pattern: <... $ARGS ...> + - patterns: + - pattern-either: + - pattern-inside: | + $OPTS, $ARGS = getopt.getopt(...) + ... + - pattern-inside: | + $OPTS, $ARGS = getopt.gnu_getopt(...) + ... + - pattern-either: + - patterns: + - pattern-inside: | + for $O, $A in $OPTS: + ... + - pattern: $A + - pattern: $ARGS + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-not: os.$METHOD($MODE, "...", ...) + - pattern-inside: os.$METHOD($MODE, $CMD, ...) + - pattern: $CMD + - metavariable-regex: + metavariable: $METHOD + regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile) + - patterns: + - pattern-not: os.$METHOD($MODE, "...", ["...","...",...], ...) + - pattern-inside: os.$METHOD($MODE, $BASH, ["-c",$CMD,...],...) + - pattern: $CMD + - metavariable-regex: + metavariable: $METHOD + regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + - patterns: + - pattern-not: os.$METHOD($MODE, "...", "...", "...", ...) + - pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...) + - pattern: $CMD + - metavariable-regex: + metavariable: $METHOD + regex: (spawnl|spawnle|spawnlp|spawnlpe) + - metavariable-regex: + metavariable: $BASH + regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) + message: Found user controlled content when spawning a process. This is dangerous + because it allows a malicious actor to execute commands. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - python + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-spawn-process.dangerous-spawn-process + shortlink: https://sg.run/r8Zn + semgrep.dev: + rule: + rule_id: lBUJrn + version_id: 44ToJd + url: https://semgrep.dev/playground/r/44ToJd/python.lang.security.dangerous-spawn-process.dangerous-spawn-process + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern: | + _xxsubinterpreters.run_string($ID, $PAYLOAD, ...) + - pattern-not: | + _xxsubinterpreters.run_string($ID, "...", ...) + - focus-metavariable: $PAYLOAD + message: Found user controlled content in `run_string`. This is dangerous because + it allows a malicious actor to run arbitrary Python code. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://bugs.python.org/issue43472 + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + category: security + technology: + - python + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string + shortlink: https://sg.run/bPop + semgrep.dev: + rule: + rule_id: PeURWr + version_id: PkTYK6 + url: https://semgrep.dev/playground/r/PkTYK6/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string + origin: community + severity: WARNING + languages: + - python +- id: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-not: subprocess.$FUNC("...", ...) + - pattern-not: subprocess.$FUNC(["...",...], ...) + - pattern-not: subprocess.$FUNC(("...",...), ...) + - pattern-not: subprocess.CalledProcessError(...) + - pattern-not: subprocess.SubprocessError(...) + - pattern: subprocess.$FUNC($CMD, ...) + - patterns: + - pattern-not: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...) + - pattern: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c", $CMD) + - patterns: + - pattern-not: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...],...) + - pattern-not: subprocess.$FUNC(("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...),...) + - pattern-either: + - pattern: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c", $CMD], + ...) + - pattern: subprocess.$FUNC(("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c", $CMD), + ...) + - patterns: + - pattern-not: subprocess.$FUNC("=~/(python)/","...",...) + - pattern: subprocess.$FUNC("=~/(python)/", $CMD) + - patterns: + - pattern-not: subprocess.$FUNC(["=~/(python)/","...",...],...) + - pattern-not: subprocess.$FUNC(("=~/(python)/","...",...),...) + - pattern-either: + - pattern: subprocess.$FUNC(["=~/(python)/", $CMD],...) + - pattern: subprocess.$FUNC(("=~/(python)/", $CMD),...) + - focus-metavariable: $CMD + message: Detected subprocess function '$FUNC' with user controlled data. A malicious + actor could leverage this to perform command injection. You may consider using + 'shlex.escape()'. + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.8 OS Command Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess + - https://docs.python.org/3/library/subprocess.html + - https://docs.python.org/3/library/shlex.html + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + category: security + technology: + - python + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use + shortlink: https://sg.run/NWxp + semgrep.dev: + rule: + rule_id: JDUz3R + version_id: JdTq4d + url: https://semgrep.dev/playground/r/JdTq4d/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.dangerous-system-call.dangerous-system-call + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-not: os.$W("...", ...) + - pattern-either: + - pattern: os.system(...) + - pattern: getattr(os, "system")(...) + - pattern: __import__("os").system(...) + - pattern: getattr(__import__("os"), "system")(...) + - pattern: | + $X = __import__("os") + ... + $X.system(...) + - pattern: | + $X = __import__("os") + ... + getattr($X, "system")(...) + - pattern: | + $X = getattr(os, "system") + ... + $X(...) + - pattern: | + $X = __import__("os") + ... + $Y = getattr($X, "system") + ... + $Y(...) + - pattern: os.popen(...) + - pattern: os.popen2(...) + - pattern: os.popen3(...) + - pattern: os.popen4(...) + message: Found user-controlled data used in a system call. This could allow a malicious + actor to execute commands. Use the 'subprocess' module instead, which is easier + to use without accidentally exposing a command injection vulnerability. + metadata: + source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.2.4 Dyanmic Code Execution Features + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements + version: '4' + category: security + technology: + - python + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call + shortlink: https://sg.run/k0W7 + semgrep.dev: + rule: + rule_id: 5rUoP1 + version_id: 5PT6xv + url: https://semgrep.dev/playground/r/5PT6xv/python.lang.security.dangerous-system-call.dangerous-system-call + origin: community + languages: + - python + severity: ERROR +- id: python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + - patterns: + - pattern-inside: | + def $FUNC(request, ...): + ... + - pattern-either: + - pattern: request.$PROPERTY.get(...) + - pattern: request.$PROPERTY[...] + - patterns: + - pattern-either: + - pattern-inside: | + @rest_framework.decorators.api_view(...) + def $FUNC($REQ, ...): + ... + - patterns: + - pattern-either: + - pattern-inside: | + class $VIEW(..., rest_framework.views.APIView, ...): + ... + - pattern-inside: "class $VIEW(..., rest_framework.generics.GenericAPIView, + ...):\n ... \n" + - pattern-inside: | + def $METHOD(self, $REQ, ...): + ... + - metavariable-regex: + metavariable: $METHOD + regex: (get|post|put|patch|delete|head) + - pattern-either: + - pattern: $REQ.POST.get(...) + - pattern: $REQ.POST[...] + - pattern: $REQ.FILES.get(...) + - pattern: $REQ.FILES[...] + - pattern: $REQ.DATA.get(...) + - pattern: $REQ.DATA[...] + - pattern: $REQ.QUERY_PARAMS.get(...) + - pattern: $REQ.QUERY_PARAMS[...] + - pattern: $REQ.data.get(...) + - pattern: $REQ.data[...] + - pattern: $REQ.query_params.get(...) + - pattern: $REQ.query_params[...] + - pattern: $REQ.content_type + - pattern: $REQ.content_type + - pattern: $REQ.stream + - pattern: $REQ.stream + - patterns: + - pattern-either: + - pattern-inside: | + class $SERVER(..., http.server.BaseHTTPRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.StreamRequestHandler, ...): + ... + - pattern-inside: | + class $SERVER(..., http.server.DatagramRequestHandler, ...): + ... + - pattern-either: + - pattern: self.requestline + - pattern: self.path + - pattern: self.headers[...] + - pattern: self.headers.get(...) + - pattern: self.rfile + - patterns: + - pattern-inside: | + @pyramid.view.view_config( ... ) + def $VIEW($REQ): + ... + - pattern: $REQ.$ANYTHING + - pattern-not: $REQ.dbsession + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + _testcapi.run_in_subinterp($PAYLOAD, ...) + - pattern: | + test.support.run_in_subinterp($PAYLOAD, ...) + - focus-metavariable: $PAYLOAD + - pattern-not: | + _testcapi.run_in_subinterp("...", ...) + - pattern-not: | + test.support.run_in_subinterp("...", ...) + message: Found user controlled content in `run_in_subinterp`. This is dangerous + because it allows a malicious actor to run arbitrary Python code. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + category: security + technology: + - python + confidence: MEDIUM + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp + shortlink: https://sg.run/wLpY + semgrep.dev: + rule: + rule_id: GdUkxR + version_id: GxT2g2 + url: https://semgrep.dev/playground/r/GxT2g2/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp + origin: community + severity: WARNING + languages: + - python +- id: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation + patterns: + - pattern-either: + - patterns: + - pattern: $LIFETIME = $FALSE + - pattern-inside: new TokenValidationParameters {...} + - patterns: + - pattern: | + (TokenValidationParameters $OPTS). ... .$LIFETIME = $FALSE + - metavariable-regex: + metavariable: $LIFETIME + regex: (RequireExpirationTime|ValidateLifetime) + - metavariable-regex: + metavariable: $FALSE + regex: (false) + - focus-metavariable: $FALSE + fix: | + true + message: The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the + JWT tokens lifetime is not validated. This can lead to an JWT token being used + after it has expired, which has security implications. It is recommended to validate + the JWT lifetime to ensure only valid tokens are used. + metadata: + category: security + technology: + - csharp + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-613: Insufficient Session Expiration' + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + - https://cwe.mitre.org/data/definitions/613.html + - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation + shortlink: https://sg.run/KA0d + semgrep.dev: + rule: + rule_id: bwU5kK + version_id: gETq3W + url: https://semgrep.dev/playground/r/gETq3W/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation + origin: community + languages: + - csharp + severity: WARNING +- id: python.django.security.injection.command.subprocess-injection.subprocess-injection + languages: + - python + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - patterns: + - pattern-inside: | + def $FUNC(..., $REQUEST, ...): + ... + - focus-metavariable: $REQUEST + - metavariable-pattern: + metavariable: $REQUEST + patterns: + - pattern: request + - pattern-not-inside: request.build_absolute_uri + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: subprocess.$FUNC(...) + - pattern-not: subprocess.$FUNC("...", ...) + - pattern-not: subprocess.$FUNC(["...", ...], ...) + - pattern-not-inside: | + $CMD = ["...", ...] + ... + subprocess.$FUNC($CMD, ...) + - patterns: + - pattern: subprocess.$FUNC(["$SHELL", "-c", ...], ...) + - metavariable-regex: + metavariable: $SHELL + regex: ^(sh|bash|ksh|csh|tcsh|zsh)$ + - patterns: + - pattern: subprocess.$FUNC(["$INTERPRETER", ...], ...) + - metavariable-regex: + metavariable: $INTERPRETER + regex: ^(python|python\d)$ + pattern-sanitizers: + - patterns: + - pattern: $DICT[$KEY] + - focus-metavariable: $KEY + severity: ERROR + message: Detected user input entering a `subprocess` call unsafely. This could result + in a command injection vulnerability. An attacker could use this vulnerability + to execute arbitrary commands on the host, which allows them to download malware, + scan sensitive data, or run any command they wish on the server. Do not let users + choose the command to run. In general, prefer to use Python API versions of system + commands. If you must use subprocess, use a dictionary to allowlist a set of commands. + metadata: + category: security + technology: + - flask + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection + shortlink: https://sg.run/49BE + semgrep.dev: + rule: + rule_id: EwUepx + version_id: PkTYOq + url: https://semgrep.dev/playground/r/PkTYOq/python.django.security.injection.command.subprocess-injection.subprocess-injection + origin: community +- id: python.flask.security.injection.subprocess-injection.subprocess-injection + languages: + - python + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: subprocess.$FUNC(...) + - pattern-not: subprocess.$FUNC("...", ...) + - pattern-not: subprocess.$FUNC(["...", ...], ...) + - pattern-not-inside: | + $CMD = ["...", ...] + ... + subprocess.$FUNC($CMD, ...) + - patterns: + - pattern: subprocess.$FUNC(["$SHELL", "-c", ...], ...) + - metavariable-regex: + metavariable: $SHELL + regex: ^(sh|bash|ksh|csh|tcsh|zsh)$ + - patterns: + - pattern: subprocess.$FUNC(["$INTERPRETER", ...], ...) + - metavariable-regex: + metavariable: $INTERPRETER + regex: ^(python|python\d)$ + pattern-sanitizers: + - patterns: + - pattern: $DICT[$KEY] + - focus-metavariable: $KEY + severity: ERROR + message: Detected user input entering a `subprocess` call unsafely. This could result + in a command injection vulnerability. An attacker could use this vulnerability + to execute arbitrary commands on the host, which allows them to download malware, + scan sensitive data, or run any command they wish on the server. Do not let users + choose the command to run. In general, prefer to use Python API versions of system + commands. If you must use subprocess, use a dictionary to allowlist a set of commands. + metadata: + category: security + technology: + - flask + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection + shortlink: https://sg.run/5gW3 + semgrep.dev: + rule: + rule_id: 8GU3qp + version_id: RGTbw7 + url: https://semgrep.dev/playground/r/RGTbw7/python.flask.security.injection.subprocess-injection.subprocess-injection + origin: community +- id: yaml.github-actions.security.github-script-injection.github-script-injection + languages: + - yaml + message: 'Using variable interpolation `${{...}}` with `github` context data in + a `actions/github-script`''s `script:` step could allow an attacker to inject + their own code into the runner. This would allow them to steal secrets and code. + `github` context data can have arbitrary user input and should be treated as untrusted. + Instead, use an intermediate environment variable with `env:` to store the data + and use the environment variable in the `run:` script. Be sure to use double-quotes + the environment variable, like this: "$ENVVAR".' + metadata: + category: security + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + references: + - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections + - https://securitylab.github.com/research/github-actions-untrusted-input/ + - https://github.com/actions/github-script + technology: + - github-actions + cwe2022-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection + shortlink: https://sg.run/g1G0 + semgrep.dev: + rule: + rule_id: OrUQvK + version_id: 8KTbkv + url: https://semgrep.dev/playground/r/8KTbkv/yaml.github-actions.security.github-script-injection.github-script-injection + origin: community + patterns: + - pattern-inside: 'steps: [...]' + - pattern-inside: | + uses: $ACTION + ... + - pattern-inside: | + with: + ... + script: ... + ... + - pattern: 'script: $SHELL' + - metavariable-regex: + metavariable: $ACTION + regex: actions/github-script@.* + - metavariable-pattern: + language: generic + metavariable: $SHELL + patterns: + - pattern-either: + - pattern: ${{ github.event.issue.title }} + - pattern: ${{ github.event.issue.body }} + - pattern: ${{ github.event.pull_request.title }} + - pattern: ${{ github.event.pull_request.body }} + - pattern: ${{ github.event.comment.body }} + - pattern: ${{ github.event.review.body }} + - pattern: ${{ github.event.review_comment.body }} + - pattern: ${{ github.event.pages. ... .page_name}} + - pattern: ${{ github.event.head_commit.message }} + - pattern: ${{ github.event.head_commit.author.email }} + - pattern: ${{ github.event.head_commit.author.name }} + - pattern: ${{ github.event.commits ... .author.email }} + - pattern: ${{ github.event.commits ... .author.name }} + - pattern: ${{ github.event.pull_request.head.ref }} + - pattern: ${{ github.event.pull_request.head.label }} + - pattern: ${{ github.event.pull_request.head.repo.default_branch }} + - pattern: ${{ github.head_ref }} + - pattern: ${{ github.event.inputs ... }} + severity: ERROR +- id: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 + pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...) + message: Detected ARC4 cipher algorithm which is considered insecure. The algorithm + is considered weak and has been deprecated. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://tools.ietf.org/html/rfc5469 + category: security + technology: + - cryptography + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 + shortlink: https://sg.run/xoZL + semgrep.dev: + rule: + rule_id: KxU8gK + version_id: l4T51q + url: https://semgrep.dev/playground/r/l4T51q/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 + origin: community + severity: WARNING + languages: + - python +- id: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish + pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...) + message: Detected Blowfish cipher algorithm which is considered insecure. The algorithm + is considered weak and has been deprecated. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://tools.ietf.org/html/rfc5469 + category: security + technology: + - cryptography + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish + shortlink: https://sg.run/OdzL + semgrep.dev: + rule: + rule_id: qNULvO + version_id: YDTo4j + url: https://semgrep.dev/playground/r/YDTo4j/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish + origin: community + severity: WARNING + languages: + - python +- id: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 + pattern: cryptography.hazmat.primitives.hashes.MD5(...) + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B303 + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - cryptography + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 + shortlink: https://sg.run/eY88 + semgrep.dev: + rule: + rule_id: lBUopp + version_id: GxT2B3 + url: https://semgrep.dev/playground/r/GxT2B3/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 + origin: community + severity: WARNING + languages: + - python +- id: python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish + message: Detected Blowfish cipher algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish + shortlink: https://sg.run/dlOE + semgrep.dev: + rule: + rule_id: JDUGnK + version_id: BjTE4p + url: https://semgrep.dev/playground/r/BjTE4p/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Cryptodome.Cipher.Blowfish.new(...) + - pattern: Crypto.Cipher.Blowfish.new(...) +- id: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des + message: Detected DES cipher algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://cwe.mitre.org/data/definitions/326.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des + shortlink: https://sg.run/Z5bw + semgrep.dev: + rule: + rule_id: 5rUr73 + version_id: DkTQBR + url: https://semgrep.dev/playground/r/DkTQBR/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Cryptodome.Cipher.DES.new(...) + - pattern: Crypto.Cipher.DES.new(...) +- id: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 + message: Detected RC2 cipher algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://cwe.mitre.org/data/definitions/326.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 + shortlink: https://sg.run/nAbY + semgrep.dev: + rule: + rule_id: GdUYlW + version_id: WrTbe8 + url: https://semgrep.dev/playground/r/WrTbe8/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Cryptodome.Cipher.ARC2.new(...) + - pattern: Crypto.Cipher.ARC2.new(...) +- id: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4 + message: Detected ARC4 cipher algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use AES instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + bandit-code: B304 + references: + - https://cwe.mitre.org/data/definitions/326.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4 + shortlink: https://sg.run/Eo6N + semgrep.dev: + rule: + rule_id: ReUnEB + version_id: 0bTv0G + url: https://semgrep.dev/playground/r/0bTv0G/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Cryptodome.Cipher.ARC4.new(...) + - pattern: Crypto.Cipher.ARC4.new(...) +- id: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2 + message: Detected MD2 hash algorithm which is considered insecure. MD2 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2 + shortlink: https://sg.run/7JP2 + semgrep.dev: + rule: + rule_id: AbU0Ex + version_id: qkTNAJ + url: https://semgrep.dev/playground/r/qkTNAJ/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Crypto.Hash.MD2.new(...) + - pattern: Cryptodome.Hash.MD2.new (...) +- id: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4 + message: Detected MD4 hash algorithm which is considered insecure. MD4 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4 + shortlink: https://sg.run/Lve6 + semgrep.dev: + rule: + rule_id: BYUJy4 + version_id: l4T532 + url: https://semgrep.dev/playground/r/l4T532/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Crypto.Hash.MD4.new(...) + - pattern: Cryptodome.Hash.MD4.new (...) +- id: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5 + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + metadata: + source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + references: + - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html + - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability + - http://2012.sharcs.org/slides/stevens.pdf + - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html + category: security + technology: + - pycryptodome + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5 + shortlink: https://sg.run/85JN + semgrep.dev: + rule: + rule_id: DbUXwo + version_id: YDTog8 + url: https://semgrep.dev/playground/r/YDTog8/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5 + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: Crypto.Hash.MD5.new(...) + - pattern: Cryptodome.Hash.MD5.new (...) +- id: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout + languages: + - yaml + message: This GitHub Actions workflow file uses `workflow_run` and checks out code + from the incoming pull request. When using `workflow_run`, the Action runs in + the context of the target repository, which includes access to all repository + secrets. Normally, this is safe because the Action only runs code from the target + repository, not the incoming PR. However, by checking out the incoming PR code, + you're now using the incoming code for the rest of the action. You may be inadvertently + executing arbitrary code from the incoming PR with access to repository secrets, + which would let an attacker steal repository secrets. This normally happens by + running build scripts (e.g., `npm build` and `make`) or dependency installation + scripts (e.g., `python setup.py install`). Audit your workflow file to make sure + no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + for additional mitigations. + metadata: + category: security + owasp: A01:2017 - Injection + cwe: 'CWE-913: Improper Control of Dynamically-Managed Code Resources' + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + subcategory: + - vuln + references: + - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md + - https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability + technology: + - github-actions + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout + shortlink: https://sg.run/A0p6 + semgrep.dev: + rule: + rule_id: 4bU8E4 + version_id: 3ZTdAr + url: https://semgrep.dev/playground/r/3ZTdAr/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout + origin: community + patterns: + - pattern-inside: | + on: + ... + workflow_run: ... + ... + ... + - pattern-inside: | + jobs: + ... + $JOBNAME: + ... + steps: + ... + - pattern: | + ... + uses: "$ACTION" + with: + ... + ref: $EXPR + - metavariable-regex: + metavariable: $ACTION + regex: actions/checkout@.* + - metavariable-pattern: + language: generic + metavariable: $EXPR + patterns: + - pattern: ${{ github.event.workflow_run ... }} + severity: WARNING +- id: csharp.dotnet.security.use_ecb_mode.use_ecb_mode + message: Usage of the insecure ECB mode detected. You should use an authenticated + encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305. + severity: WARNING + metadata: + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + category: security + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A02:2021 - Cryptographic Failures + references: + - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0 + - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0 + - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0 + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes + subcategory: + - vuln + technology: + - .net + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode + shortlink: https://sg.run/wj9n + semgrep.dev: + rule: + rule_id: 0oUqWP + version_id: ZRTw4j + url: https://semgrep.dev/playground/r/ZRTw4j/csharp.dotnet.security.use_ecb_mode.use_ecb_mode + origin: community + languages: + - csharp + patterns: + - pattern-either: + - pattern: ($KEYTYPE $KEY).EncryptEcb(...); + - pattern: ($KEYTYPE $KEY).DecryptEcb(...); + - pattern: ($KEYTYPE $KEY).Mode = CipherMode.ECB; + - metavariable-pattern: + metavariable: $KEYTYPE + pattern-either: + - pattern: SymmetricAlgorithm + - pattern: Aes + - pattern: Rijndael + - pattern: DES + - pattern: TripleDES + - pattern: RC2 +- id: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration + message: You are using an insecure random number generator (RNG) to create a cryptographic + key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator + instead. + severity: ERROR + metadata: + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + category: security + cwe: + - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' + owasp: + - A02:2021 - Cryptographic Failures + references: + - https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks + - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors + - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key + subcategory: + - vuln + technology: + - .net + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration + shortlink: https://sg.run/xjrA + semgrep.dev: + rule: + rule_id: KxU3Nq + version_id: nWT7xW + url: https://semgrep.dev/playground/r/nWT7xW/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration + origin: community + languages: + - csharp + mode: taint + pattern-sources: + - patterns: + - pattern-inside: (System.Random $RNG).NextBytes($KEY); ... + - pattern: $KEY + pattern-sinks: + - pattern-either: + - patterns: + - pattern: ($KEYTYPE $CIPHER).Key = $SINK; + - focus-metavariable: $SINK + - metavariable-pattern: + metavariable: $KEYTYPE + pattern-either: + - pattern: SymmetricAlgorithm + - pattern: Aes + - pattern: Rijndael + - pattern: DES + - pattern: TripleDES + - pattern: RC2 + - pattern: new AesGcm(...) + - pattern: new AesCcm(...) + - pattern: new ChaCha20Poly1305(...) +- id: html.security.plaintext-http-link.plaintext-http-link + metadata: + category: security + technology: + - html + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + confidence: HIGH + subcategory: + - vuln + references: + - https://cwe.mitre.org/data/definitions/319.html + likelihood: LOW + impact: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link + shortlink: https://sg.run/RA5q + semgrep.dev: + rule: + rule_id: AbUnNo + version_id: rxTx2E + url: https://semgrep.dev/playground/r/rxTx2E/html.security.plaintext-http-link.plaintext-http-link + origin: community + patterns: + - pattern: ... + - metavariable-regex: + metavariable: $URL + regex: ^(?i)http:// + message: This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL + if possible. + severity: WARNING + languages: + - html +- id: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use HMAC + instead. + languages: + - java + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils + shortlink: https://sg.run/AWL2 + semgrep.dev: + rule: + rule_id: BYUGK0 + version_id: BjTEe4 + url: https://semgrep.dev/playground/r/BjTEe4/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils + origin: community + patterns: + - pattern: | + $DU.$GET_ALGO().digest(...) + - metavariable-pattern: + metavariable: $GET_ALGO + pattern: getMd5Digest + - metavariable-pattern: + metavariable: $DU + pattern: DigestUtils + - focus-metavariable: $GET_ALGO + fix: | + getSha512Digest +- id: rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid + message: Dangerously accepting invalid TLS information + pattern-either: + - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_hostnames(true) + - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_certs(true) + metadata: + references: + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs + technology: + - reqwest + category: security + cwe: 'CWE-295: Improper Certificate Validation' + confidence: HIGH + likelihood: LOW + impact: MEDIUM + subcategory: vuln + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid + shortlink: https://sg.run/DqrG + semgrep.dev: + rule: + rule_id: qNUKDg + version_id: l4T5AG + url: https://semgrep.dev/playground/r/l4T5AG/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid + origin: community + languages: + - rust + severity: WARNING +- id: rust.lang.security.rustls-dangerous.rustls-dangerous + message: Dangerous client config used, ensure SSL verification + pattern-either: + - pattern: rustls::client::DangerousClientConfig + - pattern: $CLIENT.dangerous().set_certificate_verifier(...) + - pattern: | + let $CLIENT = rustls::client::ClientConfig::dangerous(...); + ... + $CLIENT.set_certificate_verifier(...); + metadata: + references: + - https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html + - https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous + technology: + - rustls + category: security + cwe: 'CWE-295: Improper Certificate Validation' + confidence: HIGH + likelihood: LOW + impact: MEDIUM + subcategory: vuln + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous + shortlink: https://sg.run/01Rw + semgrep.dev: + rule: + rule_id: YGU8LK + version_id: 6xTewg + url: https://semgrep.dev/playground/r/6xTewg/rust.lang.security.rustls-dangerous.rustls-dangerous + origin: community + languages: + - rust + severity: WARNING +- id: rust.lang.security.ssl-verify-none.ssl-verify-none + message: SSL verification disabled, this allows for MitM attacks + pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE) + metadata: + references: + - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify + technology: + - openssl + category: security + cwe: 'CWE-295: Improper Certificate Validation' + confidence: HIGH + likelihood: LOW + impact: MEDIUM + subcategory: vuln + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none + shortlink: https://sg.run/K2Pn + semgrep.dev: + rule: + rule_id: 6JU0Bl + version_id: o5Tnp1 + url: https://semgrep.dev/playground/r/o5Tnp1/rust.lang.security.ssl-verify-none.ssl-verify-none + origin: community + languages: + - rust + severity: WARNING +- id: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection + message: Using input or workflow parameters in here-scripts can lead to command + injection or code injection. Convert the parameters to env variables instead. + languages: + - yaml + metadata: + category: security + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - "A03:2021 \u2013 Injection" + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + subcategory: + - vuln + references: + - https://github.com/argoproj/argo-workflows/issues/5061 + - https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370 + technology: + - ci + - argo + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Command Injection + - Code Injection + source: https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection + shortlink: https://sg.run/yqeZ + semgrep.dev: + rule: + rule_id: 10U0zW + version_id: ExTkN4 + url: https://semgrep.dev/playground/r/ExTkN4/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection + origin: community + severity: ERROR + patterns: + - pattern-inside: | + apiVersion: $VERSION + ... + - metavariable-regex: + metavariable: $VERSION + regex: (argoproj.io.*) + - pattern-either: + - patterns: + - pattern-inside: "command:\n ...\n - python\n ...\n...\nsource: \n $SCRIPT\n" + - focus-metavariable: $SCRIPT + - metavariable-pattern: + metavariable: $SCRIPT + language: python + patterns: + - pattern: | + $FUNC(..., $PARAM, ...) + - metavariable-pattern: + metavariable: $PARAM + pattern-either: + - pattern-regex: (.*{{.*inputs.parameters.*}}.*) + - pattern-regex: (.*{{.*workflow.parameters.*}}.*) + - patterns: + - pattern-inside: "command:\n ...\n - $LANG\n ...\n...\nsource: \n $SCRIPT\n" + - metavariable-regex: + metavariable: $LANG + regex: (bash|sh) + - focus-metavariable: $SCRIPT + - metavariable-pattern: + metavariable: $SCRIPT + language: bash + patterns: + - pattern: | + $CMD ... $PARAM ... + - metavariable-pattern: + metavariable: $PARAM + pattern-either: + - pattern-regex: (.*{{.*inputs.parameters.*}}.*) + - pattern-regex: (.*{{.*workflow.parameters.*}}.*) + - patterns: + - pattern-inside: | + container: + ... + command: $LANG + ... + args: $PARAM + - metavariable-regex: + metavariable: $LANG + regex: .*(sh|bash|ksh|csh|tcsh|zsh).* + - metavariable-pattern: + metavariable: $PARAM + pattern-either: + - pattern-regex: (.*{{.*inputs.parameters.*}}.*) + - pattern-regex: (.*{{.*workflow.parameters.*}}.*) + - focus-metavariable: $PARAM +- id: python.cryptography.security.empty-aes-key.empty-aes-key + message: Potential empty AES encryption key. Using an empty key in AES encryption + can result in weak encryption and may allow attackers to easily decrypt sensitive + data. Ensure that a strong, non-empty key is used for AES encryption. + patterns: + - pattern: AES.new("",...) + languages: + - python + severity: WARNING + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-310: Cryptographic Issues' + references: + - https://cwe.mitre.org/data/definitions/327.html + - https://cwe.mitre.org/data/definitions/310.html + category: security + technology: + - python + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + owasp: A6:2017 misconfiguration + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key + shortlink: https://sg.run/zQ9G + semgrep.dev: + rule: + rule_id: OrUADK + version_id: qkTNJA + url: https://semgrep.dev/playground/r/qkTNJA/python.cryptography.security.empty-aes-key.empty-aes-key + origin: community +- id: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint + patterns: + - pattern: | + ENTRYPOINT $...VARS + - pattern-not-inside: | + USER $USER + ... + fix: | + USER non-root + ENTRYPOINT $...VARS + message: By not specifying a USER, a program in the container may run as 'root'. + This is a security hazard. If an attacker can control a process running as root, + they may have control over the container. Ensure that the last USER in a Dockerfile + is a USER other than 'root'. + severity: ERROR + languages: + - dockerfile + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + category: security + technology: + - dockerfile + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint + shortlink: https://sg.run/k281 + semgrep.dev: + rule: + rule_id: ReUW9E + version_id: xyT4Ko + url: https://semgrep.dev/playground/r/xyT4Ko/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint + origin: community +- id: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions + pattern-either: + - pattern: | + resource "aws_config_configuration_aggregator" $ANYTHING { + ... + account_aggregation_source { + ... + regions = ... + ... + } + ... + } + - pattern: | + resource "aws_config_configuration_aggregator" $ANYTHING { + ... + organization_aggregation_source { + ... + regions = ... + ... + } + ... + } + message: The AWS configuration aggregator does not aggregate all AWS Config region. + This may result in unmonitored configuration in regions that are thought to be + unused. Configure the aggregator with all_regions for the source. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A09:2021 - Security Logging and Monitoring Failures + cwe: + - 'CWE-778: Insufficient Logging' + references: + - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insufficient Logging + source: https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions + shortlink: https://sg.run/O6A7 + semgrep.dev: + rule: + rule_id: DbUo7v + version_id: YDTo19 + url: https://semgrep.dev/playground/r/YDTo19/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions + origin: community +- id: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext + patterns: + - pattern-inside: | + containers: + ... + - pattern-inside: | + - name: $CONTAINER + ... + - pattern: | + image: ... + ... + - pattern-not: | + image: ... + ... + securityContext: + ... + - focus-metavariable: $CONTAINER + fix: | + $CONTAINER + securityContext: + allowPrivilegeEscalation: false + message: In Kubernetes, each pod runs in its own isolated environment with its own set + of security policies. However, certain container images may contain `setuid` + or `setgid` binaries that could allow an attacker to perform privilege escalation + and gain access to sensitive resources. To mitigate this risk, it's recommended + to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` + set to `false`. This will prevent the container from running any privileged processes + and limit the impact of any potential attacks. By adding a `securityContext` + to your Kubernetes pod, you can help to ensure that your containerized applications + are more secure and less vulnerable to privilege escalation attacks. + metadata: + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag + category: security + technology: + - kubernetes + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext + shortlink: https://sg.run/eleR + semgrep.dev: + rule: + rule_id: WAU5J6 + version_id: 44ToPE + url: https://semgrep.dev/playground/r/44ToPE/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext + origin: community + languages: + - yaml + severity: WARNING +- id: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true + patterns: + - pattern-inside: | + containers: + ... + - pattern-inside: | + - name: $CONTAINER + ... + - pattern-inside: | + image: ... + ... + - pattern-inside: | + securityContext: + ... + - pattern: | + allowPrivilegeEscalation: $TRUE + - metavariable-pattern: + metavariable: $TRUE + pattern: | + true + - focus-metavariable: $TRUE + fix: | + false + message: In Kubernetes, each pod runs in its own isolated environment with its own set + of security policies. However, certain container images may contain `setuid` + or `setgid` binaries that could allow an attacker to perform privilege escalation + and gain access to sensitive resources. To mitigate this risk, it's recommended + to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` + set to `false`. This will prevent the container from running any privileged processes + and limit the impact of any potential attacks. In the container `$CONTAINER` + this parameter is set to `true` which makes this container much more vulnerable + to privelege escalation attacks. + metadata: + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + references: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt + - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag + category: security + technology: + - kubernetes + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true + shortlink: https://sg.run/vw3W + semgrep.dev: + rule: + rule_id: 0oUkqQ + version_id: PkTYrz + url: https://semgrep.dev/playground/r/PkTYrz/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true + origin: community + languages: + - yaml + severity: WARNING +- id: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled + patterns: + - pattern: | + resource "aws_docdb_cluster" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_docdb_cluster" $ANYTHING { + ... + enabled_cloudwatch_logs_exports = [..., "audit", ...] + ... + } + message: Auditing is not enabled for DocumentDB. To ensure that you are able to + accurately audit the usage of your DocumentDB cluster, you should enable auditing + and export logs to CloudWatch. + languages: + - hcl + severity: INFO + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A09:2021 - Security Logging and Monitoring Failures + cwe: + - 'CWE-778: Insufficient Logging' + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports + - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insufficient Logging + source: https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled + shortlink: https://sg.run/xJYP + semgrep.dev: + rule: + rule_id: AbU1WN + version_id: GxT2ne + url: https://semgrep.dev/playground/r/GxT2ne/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled + origin: community +- id: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags + patterns: + - pattern: | + resource "aws_ecr_repository" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_ecr_repository" $ANYTHING { + ... + image_tag_mutability = "IMMUTABLE" + ... + } + message: The ECR repository allows tag mutability. Image tags could be overwritten + with compromised images. ECR images should be set to IMMUTABLE to prevent code + injection through image mutation. This can be done by setting `image_tag_mutability` + to IMMUTABLE. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-345: Insufficient Verification of Data Authenticity' + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags + shortlink: https://sg.run/ZEeL + semgrep.dev: + rule: + rule_id: KxUB4o + version_id: 2KT1ZP + url: https://semgrep.dev/playground/r/2KT1ZP/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags + origin: community +- id: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal + patterns: + - pattern-inside: | + resource "aws_ecr_repository_policy" $ANYTHING { + ... + } + - pattern-either: + - patterns: + - pattern: policy = "$JSONPOLICY" + - metavariable-pattern: + metavariable: $JSONPOLICY + language: json + patterns: + - pattern-not-inside: | + {..., "Effect": "Deny", ...} + - pattern-either: + - pattern: | + {..., "Principal": "*", ...} + - pattern: | + {..., "Principal": [..., "*", ...], ...} + - pattern: | + {..., "Principal": { "AWS": "*" }, ...} + - pattern: | + {..., "Principal": { "AWS": [..., "*", ...] }, ...} + - patterns: + - pattern-inside: policy = jsonencode(...) + - pattern-not-inside: | + {..., Effect = "Deny", ...} + - pattern-either: + - pattern: | + {..., Principal = "*", ...} + - pattern: | + {..., Principal = [..., "*", ...], ...} + - pattern: | + {..., Principal = { AWS = "*" }, ...} + - pattern: | + {..., Principal = { AWS = [..., "*", ...] }, ...} + message: Detected wildcard access granted in your ECR repository policy principal. + This grants access to all users, including anonymous users (public access). Instead, + limit principals, actions and resources to what you need according to least privilege. + metadata: + category: security + technology: + - aws + - terraform + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy + - https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html + - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html + - https://cwe.mitre.org/data/definitions/732.html + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal + shortlink: https://sg.run/nzqb + semgrep.dev: + rule: + rule_id: qNUzov + version_id: X0TP1g + url: https://semgrep.dev/playground/r/X0TP1g/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal + origin: community + languages: + - hcl + severity: WARNING +- id: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb + pattern: $CIPHER.getInstance("=~/AES/ECB.*/") + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb + shortlink: https://sg.run/dB2Y + semgrep.dev: + rule: + rule_id: WAU2yA + version_id: GxT2DW + url: https://semgrep.dev/playground/r/GxT2DW/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb + origin: community + message: 'Use of AES with ECB mode detected. ECB doesn''t provide message confidentiality + and is not semantically secure so should not be used. Instead, use a strong, + secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish + pattern: $CIPHER.getInstance("Blowfish") + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish + shortlink: https://sg.run/ZE4n + semgrep.dev: + rule: + rule_id: 0oUR28 + version_id: RGTbKB + url: https://semgrep.dev/playground/r/RGTbKB/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish + origin: community + message: 'Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes + it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, + use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes + pattern-either: + - patterns: + - pattern-either: + - pattern-inside: | + import javax; + ... + - pattern-either: + - pattern: javax.crypto.Cipher.getInstance("AES") + - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES") + - patterns: + - pattern-either: + - pattern-inside: | + import javax.*; + ... + - pattern-inside: | + import javax.crypto; + ... + - pattern-either: + - pattern: crypto.Cipher.getInstance("AES") + - pattern: (crypto.Cipher $CIPHER).getInstance("AES") + - patterns: + - pattern-either: + - pattern-inside: | + import javax.crypto.*; + ... + - pattern-inside: | + import javax.crypto.Cipher; + ... + - pattern-either: + - pattern: Cipher.getInstance("AES") + - pattern: (Cipher $CIPHER).getInstance("AES") + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes + shortlink: https://sg.run/nzKO + semgrep.dev: + rule: + rule_id: KxUB7Z + version_id: A8TR3x + url: https://semgrep.dev/playground/r/A8TR3x/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes + origin: community + message: 'Use of AES with no settings detected. By default, java.crypto.Cipher uses + ECB mode. ECB doesn''t provide message confidentiality and is not semantically + secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING"). + See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for + more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 + pattern: $CIPHER.getInstance("RC2") + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 + shortlink: https://sg.run/EEvA + semgrep.dev: + rule: + rule_id: qNUzXG + version_id: WrTbd2 + url: https://semgrep.dev/playground/r/WrTbd2/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 + origin: community + message: 'Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and + is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). + See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for + more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 + pattern: $CIPHER.getInstance("RC4") + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 + shortlink: https://sg.run/7OYR + semgrep.dev: + rule: + rule_id: lBUw8k + version_id: 0bTvwY + url: https://semgrep.dev/playground/r/0bTvwY/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 + origin: community + message: 'Use of RC4 was detected. RC4 is vulnerable to several attacks, including + stream cipher attacks and bit flipping attacks. Instead, use a strong, secure + cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information.' + severity: WARNING + languages: + - java +- id: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request + message: Detected an HTTP request sent via HttpGet. This could lead to sensitive + information being sent over an insecure channel. Instead, it is recommended to + send requests over HTTPS. + severity: WARNING + metadata: + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + category: security + cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: A03:2017 - Sensitive Data Exposure + references: + - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html + - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection() + subcategory: + - vuln + technology: + - java + vulnerability: Insecure Transport + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request + shortlink: https://sg.run/QE2q + semgrep.dev: + rule: + rule_id: 6JUOJ2 + version_id: pZTreo + url: https://semgrep.dev/playground/r/pZTreo/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request + origin: community + languages: + - java + fix-regex: + regex: '[Hh][Tt][Tt][Pp]://' + replacement: https:// + count: 1 + patterns: + - pattern: | + "=~/[Hh][Tt][Tt][Pp]://.*/" + - pattern-inside: | + $R = new HttpGet("=~/[Hh][Tt][Tt][Pp]://.*/"); + ... + $CLIENT. ... .execute($R, ...); +- id: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted + patterns: + - pattern: | + resource "aws_ebs_volume" $ANYTHING { + ... + } + - pattern-not: | + resource "aws_ebs_volume" $ANYTHING { + ... + encrypted = true + ... + } + message: The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived + snapshots could be read if compromised. Volumes should be encrypted to ensure + sensitive data is stored securely. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted + - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted + shortlink: https://sg.run/6ZbY + semgrep.dev: + rule: + rule_id: YGUKl1 + version_id: K3TlDN + url: https://semgrep.dev/playground/r/K3TlDN/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted + origin: community +- id: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled + patterns: + - pattern: | + resource "aws_launch_template" $ANYTHING { + ... + } + - pattern-not-inside: | + resource "aws_launch_template" $ANYTHING { + ... + metadata_options { + ... + http_endpoint = "disabled" + ... + } + ... + } + - pattern-not-inside: | + resource "aws_launch_template" $ANYTHING { + ... + metadata_options { + ... + http_tokens = "required" + ... + } + ... + } + message: The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) + enabled. IMDSv2 introduced session authentication tokens which improve security + when talking to IMDS. You should either disable IMDS or require the use of IMDSv2. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-1390: Weak Authentication' + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options + - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled + shortlink: https://sg.run/pg9J + semgrep.dev: + rule: + rule_id: zdU0Wo + version_id: 6xTer5 + url: https://semgrep.dev/playground/r/6xTer5/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled + origin: community +- id: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address + patterns: + - pattern-either: + - pattern: | + resource "aws_subnet" $ANYTHING { + ... + map_public_ip_on_launch = true + ... + } + - pattern: | + resource "aws_default_subnet" $ANYTHING { + ... + } + - pattern-not: | + resource "aws_default_subnet" $ANYTHING { + ... + map_public_ip_on_launch = false + ... + } + message: Resources in the AWS subnet are assigned a public IP address. Resources + should not be exposed on the public internet, but should have access limited to + consumers required for the function of your application. Set `map_public_ip_on_launch` + to false so that resources are not publicly-accessible. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A01:2021 - Broken Access Control + cwe: + - 'CWE-284: Improper Access Control' + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch + - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address + shortlink: https://sg.run/XJZw + semgrep.dev: + rule: + rule_id: 2ZUo79 + version_id: o5Tnve + url: https://semgrep.dev/playground/r/o5Tnve/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address + origin: community +- id: clojure.lang.security.use-of-md5.use-of-md5 + languages: + - clojure + severity: WARNING + message: MD5 hash algorithm detected. This is not collision resistant and leads + to easily-cracked password hashes. Replace with current recommended hashing algorithms. + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + technology: + - clojure + source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-328: Use of Weak Hash' + author: Gabriel Marquet + category: security + subcategory: + - vuln + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5 + shortlink: https://sg.run/BgPx + semgrep.dev: + rule: + rule_id: nJU1ep + version_id: QkT4J3 + url: https://semgrep.dev/playground/r/QkT4J3/clojure.lang.security.use-of-md5.use-of-md5 + origin: community + pattern-either: + - pattern: (MessageDigest/getInstance "MD5") + - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5) + - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5) + - pattern: (java.security.MessageDigest/getInstance "MD5") + - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5) + - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5) +- id: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak + patterns: + - pattern-regex: ^(AIza[0-9A-Za-z_-]{35}(?!\S))$ + message: Detects potential Google Maps API keys in code + languages: + - generic + severity: WARNING + metadata: + description: Detects potential Google Maps API keys in code + severity: MEDIUM + category: security + confidence: MEDIUM + impact: HIGH + likelihood: MEDIUM + subcategory: + - audit + owasp: + - A3:2017 Sensitive Data Exposure + references: + - https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e + cwe: + - 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File + or Directory' + technology: + - Google Maps + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak + shortlink: https://sg.run/DL5d + semgrep.dev: + rule: + rule_id: EwU3kN + version_id: DkTQK8 + url: https://semgrep.dev/playground/r/DkTQK8/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak + origin: community +- id: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted + patterns: + - pattern: | + resource "aws_kinesis_stream" $ANYTHING { + ... + } + - pattern-not: | + resource "aws_kinesis_stream" $ANYTHING { + ... + encryption_type = "KMS" + ... + } + message: The AWS Kinesis stream does not encrypt data at rest. The data could be + read if the Kinesis stream storage layer is compromised. Enable Kinesis stream + server-side encryption. + languages: + - hcl + severity: WARNING + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type + - https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: MEDIUM + rule-origin-note: published from /src/aws-kinesis-stream-unencrypted.yml in None + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted + shortlink: https://sg.run/KZ0L + semgrep.dev: + rule: + rule_id: 8GU72N + version_id: 7ZTOGj + url: https://semgrep.dev/playground/r/7ZTOGj/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted + origin: community +- id: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal + patterns: + - pattern-either: + - pattern-inside: | + resource "aws_sqs_queue_policy" $ANYTHING { + ... + } + - pattern-inside: | + resource "aws_sqs_queue" $ANYTHING { + ... + } + - pattern-either: + - patterns: + - pattern: policy = "$JSONPOLICY" + - metavariable-pattern: + metavariable: $JSONPOLICY + language: json + patterns: + - pattern-not-inside: | + {..., "Effect": "Deny", ...} + - pattern-either: + - pattern: | + {..., "Principal": "*", ...} + - pattern: | + {..., "Principal": [..., "*", ...], ...} + - pattern: | + {..., "Principal": { "AWS": "*" }, ...} + - pattern: | + {..., "Principal": { "AWS": [..., "*", ...] }, ...} + - patterns: + - pattern-inside: policy = jsonencode(...) + - pattern-not-inside: | + {..., Effect = "Deny", ...} + - pattern-either: + - pattern: | + {..., Principal = "*", ...} + - pattern: | + {..., Principal = [..., "*", ...], ...} + - pattern: | + {..., Principal = { AWS = "*" }, ...} + - pattern: | + {..., Principal = { AWS = [..., "*", ...] }, ...} + message: Wildcard used in your SQS queue policy principal. This grants access to + all users, including anonymous users (public access). Unless you explicitly require + anyone on the internet to be able to read or write to your queue, limit principals, + actions and resources to what you need according to least privilege. + metadata: + category: security + technology: + - aws + - terraform + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy + - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + rule-origin-note: published from /src/aws-sqs-queue-policy-wildcard-principal.yml + in None + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal + shortlink: https://sg.run/z3eW + semgrep.dev: + rule: + rule_id: PeUl9d + version_id: l4T5b4 + url: https://semgrep.dev/playground/r/l4T5b4/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal + origin: community + languages: + - hcl + severity: ERROR +- id: terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn + patterns: + - pattern: | + resource "aws_lambda_permission" $ANYTHING { + ... + principal = "$PRINCIPAL" + ... + } + - pattern-not: | + resource "aws_lambda_permission" $ANYTHING { + ... + source_arn = ... + ... + } + - metavariable-regex: + metavariable: $PRINCIPAL + regex: .*[.]amazonaws[.]com$ + message: The AWS Lambda permission has an AWS service principal but does not specify + a source ARN. If you grant permission to a service principal without specifying + the source, other accounts could potentially configure resources in their account + to invoke your Lambda function. Set the source_arn value to the ARN of the AWS + resource that invokes the function, eg. an S3 bucket, CloudWatch Events Rule, + API Gateway, or SNS topic. + languages: + - hcl + severity: ERROR + metadata: + category: security + technology: + - terraform + - aws + owasp: + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-732: Incorrect Permission Assignment for Critical Resource' + references: + - https://cwe.mitre.org/data/definitions/732.html + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission + - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn + shortlink: https://sg.run/kOP7 + semgrep.dev: + rule: + rule_id: OrU9Ox + version_id: 44ToBr + url: https://semgrep.dev/playground/r/44ToBr/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn + origin: community +- id: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active + patterns: + - pattern: | + resource "aws_lambda_function" $ANYTHING { + ... + } + - pattern-not: | + resource "aws_lambda_function" $ANYTHING { + ... + tracing_config { + ... + mode = "Active" + ... + } + ... + } + message: The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray + tracing enables end-to-end debugging and analysis of all function activity. This + makes it easier to trace the flow of logs and identify bottlenecks, slow downs + and timeouts. + languages: + - hcl + severity: INFO + metadata: + category: security + technology: + - aws + - terraform + owasp: + - A09:2021 Security Logging and Monitoring Failures + cwe: + - 'CWE-778: Insufficient Logging' + references: + - https://cwe.mitre.org/data/definitions/778.html + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode + - https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insufficient Logging + source: https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active + shortlink: https://sg.run/wO2Y + semgrep.dev: + rule: + rule_id: eqUl1O + version_id: PkTY9P + url: https://semgrep.dev/playground/r/PkTY9P/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active + origin: community +- id: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + ObjectMapper $OM = new ObjectMapper(...); + ... + - pattern-inside: | + $OM.enableDefaultTyping(); + ... + - pattern: $OM.readValue($JSON, ...); + - patterns: + - pattern-inside: | + class $CLASS { + ... + @JsonTypeInfo(use = Id.CLASS,...) + $TYPE $VAR; + ... + } + - metavariable-regex: + metavariable: $TYPE + regex: (Object|Serializable|Comparable) + - pattern: $OM.readValue($JSON, $CLASS.class); + - patterns: + - pattern-inside: | + class $CLASS { + ... + ObjectMapper $OM; + ... + $INITMETHODTYPE $INITMETHOD(...) { + ... + $OM = new ObjectMapper(); + ... + $OM.enableDefaultTyping(); + ... + } + ... + } + - pattern-inside: "$METHODTYPE $METHOD(...) {\n ... \n}\n" + - pattern: $OM.readValue($JSON, ...); + message: When using Jackson to marshall/unmarshall JSON to Java objects, enabling + default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` + it might be possible to provide a malicious JSON which can be used to exploit + unsecure deserialization. In order to prevent this issue, avoid to enable default + typing (globally or by using "Per-class" annotations) and avoid using `Object` + and other dangerous types for member variable declaration which creating classes + for Jackson based deserialization. + languages: + - java + severity: WARNING + metadata: + category: security + subcategory: + - audit + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + confidence: MEDIUM + likelihood: LOW + impact: HIGH + owasp: + - A8:2017 Insecure Deserialization + - A8:2021 Software and Data Integrity Failures + references: + - https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038 + - https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ + technology: + - jackson + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization + shortlink: https://sg.run/GDop + semgrep.dev: + rule: + rule_id: QrUD20 + version_id: o5TnK6 + url: https://semgrep.dev/playground/r/o5TnK6/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization + origin: community +- id: c.lang.security.function-use-after-free.function-use-after-free + patterns: + - pattern-either: + - pattern: $FUNC(..., <... $VAR ...>, ...) + - pattern: $FUNC(..., <... $VAR->$ACCESSOR ...>, ...) + - pattern: $FUNC(..., <... (*$VAR).$ACCESSOR ...>, ...) + - pattern: $FUNC(..., <... $VAR[$NUM] ...>, ...) + - metavariable-regex: + metavariable: $FUNC + regex: (?!^free$) + - pattern-inside: free($VAR); ... + - pattern-not-inside: free($VAR); ... $VAR = NULL; ... + - pattern-not-inside: free($VAR); ... $VAR = malloc(...); ... + message: Variable '$VAR' was passed to a function after being freed. This can lead + to undefined behavior. + metadata: + cwe: + - 'CWE-416: Use After Free' + references: + - https://cwe.mitre.org/data/definitions/416.html + - https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/ + category: security + technology: + - c + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/c.lang.security.function-use-after-free.function-use-after-free + shortlink: https://sg.run/eWyZ + semgrep.dev: + rule: + rule_id: WAU9Dz + version_id: xyTY4Z + url: https://semgrep.dev/playground/r/xyTY4Z/c.lang.security.function-use-after-free.function-use-after-free + origin: community + languages: + - c + severity: WARNING +- id: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + - https://xerces.apache.org/xerces2-j/features.html + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing + shortlink: https://sg.run/Gj32 + semgrep.dev: + rule: + rule_id: j2Udpk + version_id: K3TlwD + url: https://semgrep.dev/playground/r/K3TlwD/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing + origin: community + message: DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable + to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` + to true. Alternatively, allow DOCTYPE declarations and only prohibit external + entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` + and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - + The previous links are not meant to be clicked. They are the literal config key + values that are supposed to be used to disable these features. For more information, + see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory. + mode: taint + pattern-sources: + - by-side-effect: true + patterns: + - pattern-either: + - pattern: | + $FACTORY = SAXParserFactory.newInstance(); + - patterns: + - pattern: $FACTORY + - pattern-inside: | + class $C { + ... + $V $FACTORY = SAXParserFactory.newInstance(); + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = SAXParserFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = SAXParserFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = SAXParserFactory.newInstance(); + static { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + } + ... + } + pattern-sinks: + - patterns: + - pattern: $FACTORY.newSAXParser(); + pattern-sanitizers: + - by-side-effect: true + pattern-either: + - patterns: + - pattern-either: + - pattern: | + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + - pattern: | + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + - pattern: | + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + - focus-metavariable: $FACTORY + - patterns: + - pattern-either: + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", + true); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + ... + $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities",false); + ... + } + ... + } + - pattern: $M($X) + - focus-metavariable: $X + fix: | + $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + $FACTORY.newSAXParser(); + languages: + - java +- id: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://blog.sonarsource.com/secure-xml-processor + - https://xerces.apache.org/xerces2-j/features.html + category: security + technology: + - java + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled + shortlink: https://sg.run/1wyQ + semgrep.dev: + rule: + rule_id: v8UeQ1 + version_id: qkTNpE + url: https://semgrep.dev/playground/r/qkTNpE/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled + origin: community + message: DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable + to XML external entity attacks. Disable this by setting the attributes "accessExternalDTD" + and "accessExternalStylesheet" to "". + mode: taint + pattern-sources: + - by-side-effect: true + patterns: + - pattern-either: + - pattern: | + $FACTORY = TransformerFactory.newInstance(); + - patterns: + - pattern: $FACTORY + - pattern-inside: | + class $C { + ... + $V $FACTORY = TransformerFactory.newInstance(); + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = TransformerFactory.newInstance(); + static { + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = TransformerFactory.newInstance(); + static { + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = TransformerFactory.newInstance(); + static { + ... + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + ... + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); + ... + } + ... + } + - pattern-not-inside: | + class $C { + ... + $V $FACTORY = TransformerFactory.newInstance(); + static { + ... + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); + ... + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + ... + } + ... + } + pattern-sinks: + - patterns: + - pattern: $FACTORY.newTransformer(...); + pattern-sanitizers: + - by-side-effect: true + pattern-either: + - patterns: + - pattern-either: + - pattern: | + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + - pattern: | + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + - pattern: | + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + - pattern: | + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + ... + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); + - focus-metavariable: $FACTORY + - patterns: + - pattern-either: + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + ... + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); + ... + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + ... + } + ... + } + - pattern-inside: | + class $C { + ... + $T $M(...) { + ... + $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); + ... + $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); + ... + } + ... + } + - pattern: $M($X) + - focus-metavariable: $X + fix: | + $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + $FACTORY.newTransformer(...); + languages: + - java +- id: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash + patterns: + - pattern-either: + - pattern: | + window.intercomSettings = {..., email: $EMAIL, ...}; + - pattern: | + window.intercomSettings = {..., user_id: $USER_ID, ...}; + - pattern: | + Intercom('boot', {..., email: $EMAIL, ...}); + - pattern: | + Intercom('boot', {..., user_id: $USER_ID, ...}); + - pattern: | + $VAR = {..., email: $EMAIL, ...}; + ... + Intercom('boot', $VAR); + - pattern: | + $VAR = {..., user_id: $EMAIL, ...}; + ... + Intercom('boot', $VAR); + - pattern-not: | + window.intercomSettings = {..., user_hash: $USER_HASH, ...}; + - pattern-not: | + Intercom('boot', {..., user_hash: $USER_HASH, ...}); + - pattern-not: | + $VAR = {..., user_hash: $USER_HASH, ...}; + ... + Intercom('boot', $VAR); + message: Found an initialization of the Intercom Messenger that identifies a User, + but does not specify a `user_hash`.This configuration allows users to impersonate + one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile + languages: + - js + severity: WARNING + metadata: + category: security + subcategory: + - guardrail + cwe: + - 'CWE-287: Improper Authentication' + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: + - intercom + references: + - https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash + shortlink: https://sg.run/Eb5w + semgrep.dev: + rule: + rule_id: QrU96W + version_id: gETqOo + url: https://semgrep.dev/playground/r/gETqOo/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash + origin: community +- id: java.android.security.exported_activity.exported_activity + patterns: + - pattern-not-inside: + - pattern-inside: " \n" + - pattern-either: + - pattern: | + + - pattern: | + ... /> + message: Use of Exported Activity + languages: + - generic + severity: WARNING + paths: + exclude: + - sources/ + - classes3.dex + - '*.so' + include: + - '*AndroidManifest.xml' + metadata: + vulnerability: Use of exported components + Description: The application exports an activity. Any application on the device + can launch the exported activity which may compromise the integrity of your + application or its data. Ensure that any exported activities do not have privileged + access to your application's control plane. + Severity: HIGH + category: security + subcategory: + - vuln + cwe: + - 'CWE-926: Improper Export of Android Application Components' + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + owasp: + - A5:2021 Security Misconfiguration + technology: + - Android + references: + - https://cwe.mitre.org/data/definitions/926.html + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/java.android.security.exported_activity.exported_activity + shortlink: https://sg.run/eNGZ + semgrep.dev: + rule: + rule_id: v8Ul0r + version_id: bZTGzr + url: https://semgrep.dev/playground/r/bZTGzr/java.android.security.exported_activity.exported_activity + origin: community +- id: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha + patterns: + - pattern-inside: '{steps: ...}' + - pattern: | + uses: "$USES" + - metavariable-pattern: + metavariable: $USES + language: generic + patterns: + - pattern-not-regex: ^[.]/ + - pattern-not-regex: ^actions/ + - pattern-not-regex: '@[0-9a-f]{40}$' + - pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$ + message: An action sourced from a third-party repository on GitHub is not pinned + to a full length commit SHA. Pinning an action to a full length commit SHA is + currently the only way to use an action as an immutable release. Pinning to a + particular SHA helps mitigate the risk of a bad actor adding a backdoor to the + action's repository, as they would need to generate a SHA-1 collision for a valid + Git object payload. + languages: + - yaml + severity: WARNING + metadata: + cwe: + - 'CWE-1357: Reliance on Insufficiently Trustworthy Component' + owasp: A06:2021 - Vulnerable and Outdated Components + references: + - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components + - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions + category: security + technology: + - github-actions + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Other + source: https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha + shortlink: https://sg.run/koLA + semgrep.dev: + rule: + rule_id: YGUdrq + version_id: 9lTK6r + url: https://semgrep.dev/playground/r/9lTK6r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha + origin: community +- id: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration + message: The target origin of the window.postMessage() API is set to "*". This could + allow for information disclosure due to the possibility of any origin allowed + to receive the message. + metadata: + owasp: + - A08:2021 - Software and Data Integrity Failures + cwe: + - 'CWE-345: Insufficient Verification of Data Authenticity' + category: security + technology: + - browser + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + references: + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration + shortlink: https://sg.run/PJ4p + semgrep.dev: + rule: + rule_id: KxUbq4 + version_id: 9lTzWZ + url: https://semgrep.dev/playground/r/9lTzWZ/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern: $OBJECT.postMessage(...,'*') +- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection + message: If unverified user data can reach the `compileScript` method it can result + in Server-Side Request Forgery vulnerabilities + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - chrome-remote-interface + references: + - https://github.com/cyrus-and/chrome-remote-interface + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection + shortlink: https://sg.run/J9kj + semgrep.dev: + rule: + rule_id: qNUjnb + version_id: yeTX2N + url: https://semgrep.dev/playground/r/yeTX2N/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-inside: function ... (..., $ARG,...) {...} + - focus-metavariable: $ARG + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + require('chrome-remote-interface'); + ... + - pattern-inside: | + import 'chrome-remote-interface'; + ... + - pattern-either: + - pattern: | + $RUNTIME.compileScript({expression: $SINK},...) + - pattern: | + $RUNTIME.evaluate({expression: $SINK},...) + - pattern: | + $PAGE.navigate({url: $SINK},...) + - pattern: | + $RUNTIME.printToPDF({headerTemplate: $SINK},...) + - pattern: | + $RUNTIME.printToPDF({footerTemplate: $SINK},...) + - pattern: | + $PAGE.setDocumentContent({html: $SINK},...) + - focus-metavariable: $SINK +- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection + message: this rule has been deprecated. + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - chrome-remote-interface + references: + - https://github.com/cyrus-and/chrome-remote-interface + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection + shortlink: https://sg.run/5QBD + semgrep.dev: + rule: + rule_id: lBU9O8 + version_id: rxTxLj + url: https://semgrep.dev/playground/r/rxTxLj/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection + message: this rule has been deprecated. + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - chrome-remote-interface + references: + - https://github.com/cyrus-and/chrome-remote-interface + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection + shortlink: https://sg.run/Gery + semgrep.dev: + rule: + rule_id: YGUR0A + version_id: bZTG1X + url: https://semgrep.dev/playground/r/bZTG1X/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection + message: this rule has been deprecated. + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - chrome-remote-interface + references: + - https://github.com/cyrus-and/chrome-remote-interface + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection + shortlink: https://sg.run/RoJg + semgrep.dev: + rule: + rule_id: 6JUjgD + version_id: NdT1dd + url: https://semgrep.dev/playground/r/NdT1dd/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection + message: this rule has been deprecated. + metadata: + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + category: security + technology: + - chrome-remote-interface + references: + - https://github.com/cyrus-and/chrome-remote-interface + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection + shortlink: https://sg.run/Av2L + semgrep.dev: + rule: + rule_id: oqUeEK + version_id: kbT7xL + url: https://semgrep.dev/playground/r/kbT7xL/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection + origin: community + languages: + - javascript + - typescript + severity: INFO + patterns: + - pattern: a() + - pattern: b() +- id: javascript.express.security.express-expat-xxe.express-expat-xxe + message: Make sure that unverified user data can not reach the XML Parser, as it + can result in XML External or Internal Entity (XXE) Processing vulnerabilities. + metadata: + interfile: true + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://github.com/astro/node-expat + category: security + technology: + - express + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe + shortlink: https://sg.run/BkXx + semgrep.dev: + rule: + rule_id: zdUkJl + version_id: yeTXZN + url: https://semgrep.dev/playground/r/yeTXZN/javascript.express.security.express-expat-xxe.express-expat-xxe + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: function ... ($REQ, $RES) {...} + - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} + - patterns: + - pattern-either: + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) + - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) + - metavariable-regex: + metavariable: $METHOD + regex: ^(get|post|put|head|delete|options)$ + - pattern-either: + - pattern: $REQ.query + - pattern: $REQ.body + - pattern: $REQ.params + - pattern: $REQ.cookies + - pattern: $REQ.headers + - patterns: + - pattern-either: + - pattern-inside: | + ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => + {...} + - pattern-inside: | + ({ $REQ }: Request,$RES: Response) => {...} + - focus-metavariable: $REQ + - pattern-either: + - pattern: params + - pattern: query + - pattern: cookies + - pattern: headers + - pattern: body + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $XML = require('node-expat') + ... + - pattern-inside: | + import $XML from 'node-expat' + ... + - pattern-inside: | + import * as $XML from 'node-expat' + ... + - pattern-either: + - pattern-inside: | + $PARSER = new $XML.Parser(...); + ... + - pattern-either: + - pattern: $PARSER.parse($QUERY) + - pattern: $PARSER.write($QUERY) + - focus-metavariable: $QUERY +- id: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + category: security + technology: + - express + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + shortlink: https://sg.run/Do1d + semgrep.dev: + rule: + rule_id: pKUOjy + version_id: bZTG9X + url: https://semgrep.dev/playground/r/bZTG9X/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + $JWT = require('express-jwt'); + ... + - pattern-inside: | + import $JWT from 'express-jwt'; + ... + - pattern-inside: | + import * as $JWT from 'express-jwt'; + ... + - pattern-inside: | + import { ..., $JWT, ... } from 'express-jwt'; + ... + - pattern-either: + - pattern: | + $JWT({...,secret: "$Y",...},...) + - pattern: | + $OPTS = "$Y"; + ... + $JWT({...,secret: $OPTS},...); + - focus-metavariable: $Y \ No newline at end of file