feat: gitlab improvements part 2 (#46)

Bearer · May 10, 2023 · 327b90d · 327b90d
1 parent 655b6d4
commit 327b90d
Show file tree

Hide file tree

Showing 80 changed files with 1,640 additions and 82 deletions.
diff --git a/javascript/aws_lambda/code_injection.yml b/javascript/aws_lambda/code_injection.yml
@@ -39,8 +39,8 @@ patterns:
 auxiliary:
   - id: javascript_aws_lambda_code_injection_user_input
     patterns:
-      - event.$<_>
-      - event[$<_>]
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
 languages:
   - javascript
 severity: high

diff --git a/javascript/aws_lambda/os_command_injection.yml b/javascript/aws_lambda/os_command_injection.yml
@@ -13,7 +13,8 @@ patterns:
 auxiliary:
   - id: javascript_aws_lambda_cross_site_scripting_event
     patterns:
-      - event
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
 languages:
   - javascript
 severity: high

diff --git a/javascript/aws_lambda/os_command_injection/testdata/os_command_injection.js b/javascript/aws_lambda/os_command_injection/testdata/os_command_injection.js
@@ -1,6 +1,6 @@
 const { exec, execSync, spawn, spawnSync } = require('node:child_process');
 
-exports.handler = async (event) => {
+exports.handler = async (event, _context) => {
   exec("ls "+event["user_dir"]+"| wc -l", (err, stdout, stderr) => {
     // do something
   });
@@ -12,4 +12,4 @@ exports.handler = async (event) => {
   spawn(event["query"]);
 
   spawnSync("grep " + event["tmp"])
-};
+};
diff --git a/javascript/aws_lambda/query_injection.yml b/javascript/aws_lambda/query_injection.yml
@@ -14,8 +14,8 @@ patterns:
 auxiliary:
   - id: javascript_aws_lambda_query_injection_user_input
     patterns:
-      - event.$<_>
-      - event[$<_>]
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
   - id: javascript_aws_lambda_query_injection_hash
     patterns:
       - |

diff --git a/javascript/aws_lambda/sql_injection.yml b/javascript/aws_lambda/sql_injection.yml
@@ -50,7 +50,8 @@ patterns:
 auxiliary:
   - id: javascript_aws_lambda_sql_injection_event
     patterns:
-      - event.$<_>
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
   - id: javascript_aws_lambda_sql_injection_pg_client
     patterns:
       - new Client()

diff --git a/javascript/lang/format_string_using_user_input.yml b/javascript/lang/format_string_using_user_input.yml
@@ -30,8 +30,8 @@ auxiliary:
       - req.cookies
       - req.headers
       # AWS
-      - event.$<_>
-      - event[$<_>]
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
 severity: low
 metadata:
   description: "User input in format string detected."

diff --git a/javascript/lang/hardcoded_secret.yml b/javascript/lang/hardcoded_secret.yml
@@ -1,26 +1,37 @@
 patterns:
   - pattern: |
-      { $<KEY>: $<STRING_LITERAL> }
+      const $<NAME> = $<STRING_LITERAL>
     filters:
-      - variable: KEY
-        values:
-          - clientSecret
-          - secretOrKey
-          - consumerSecret
+      - variable: NAME
+        regex: (?i)(password|api_?key|secret)\b
       - variable: STRING_LITERAL
         detection: string_literal
         contains: false
+      - not:
+          variable: STRING_LITERAL
+          string_regex: \A[*•]+\z
   - pattern: |
-      $<_>.$<KEY> = $<STRING_LITERAL>
+      $<_>.$<NAME> = $<STRING_LITERAL>
     filters:
-      - variable: KEY
-        values:
-          - clientSecret
-          - secretOrKey
-          - consumerSecret
+      - variable: NAME
+        regex: (?i)(password|api_?key|secret)\b
+      - variable: STRING_LITERAL
+        detection: string_literal
+        contains: false
+      - not:
+          variable: STRING_LITERAL
+          string_regex: \A[*•]+\z
+  - pattern: |
+      { $<!>$<NAME>: $<STRING_LITERAL> }
+    filters:
+      - variable: NAME
+        regex: (?i)(password|api_?key|secret)\b
       - variable: STRING_LITERAL
         detection: string_literal
         contains: false
+      - not:
+          variable: STRING_LITERAL
+          string_regex: \A[*•]+\z
   - pattern: crypto.$<METHOD>($<_>, $<STRING_LITERAL>$<...>)
     filters:
       - variable: METHOD

diff --git a/javascript/lang/hardcoded_secret/.snapshots/unsecure_assigment.yml b/javascript/lang/hardcoded_secret/.snapshots/unsecure_assigment.yml
@@ -34,4 +34,39 @@ high:
       parent_line_number: 2
       snippet: config.clientSecret = "secretHardcodedString"
       fingerprint: 33f4ae54bd29e69c4afb8971fe2b4c1c_0
+    - rule:
+        cwe_ids:
+            - "798"
+        id: javascript_lang_hardcoded_secret
+        title: Hardcoded secret detected
+        description: |
+            ## Description
+
+            Code is not a safe place to store secrets, use environment variables instead.
+
+            ## Remediations
+            ```javascript
+              passport.use(new OAuth2Strategy({
+                  authorizationURL: 'https://www.example.com/oauth2/authorize',
+                  tokenURL: 'https://www.example.com/oauth2/token',
+                  clientID:  process.env.CLIENT_ID,
+                  clientSecret: process.env.CLIENT_SECRET,
+                  callbackURL: "http://localhost:3000/auth/example/callback"
+                },
+                function(accessToken, refreshToken, profile, cb) {
+                  User.findOrCreate({ exampleId: profile.id }, function (err, user) {
+                    return cb(err, user);
+                  });
+                }
+              ));
+            ```
+
+            ## Resources
+            - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_hardcoded_secret
+      line_number: 4
+      filename: /tmp/scan/unsecure_assigment.js
+      parent_line_number: 4
+      snippet: const apiKey = "oops"
+      fingerprint: 33f4ae54bd29e69c4afb8971fe2b4c1c_1
 
diff --git a/javascript/lang/hardcoded_secret/.snapshots/unsecure_object.yml b/javascript/lang/hardcoded_secret/.snapshots/unsecure_object.yml
@@ -29,18 +29,12 @@ high:
             ## Resources
             - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
         documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_hardcoded_secret
-      line_number: 1
+      line_number: 3
       filename: /tmp/scan/unsecure_object.js
       category_groups:
         - PII
         - Personal Data
-      parent_line_number: 1
-      snippet: |-
-        {
-        	clientID: process.env["GOOGLE_CLIENT_ID"],
-        	clientSecret: "secretHardcodedString",
-        	callbackURL: "/oauth2/redirect/google",
-        	scope: ["profile"],
-        }
+      parent_line_number: 3
+      snippet: 'clientSecret: "secretHardcodedString"'
       fingerprint: 08b891215f23b5f7082f674966366927_0
 
diff --git a/javascript/lang/hardcoded_secret/testdata/secure.js b/javascript/lang/hardcoded_secret/testdata/secure.js
@@ -13,3 +13,7 @@ crypto.privateEncrypt({ passphrase: process.env["SECRET"] }, buffer)
 
 const s = crypto.createSign('RSA-SHA256')
 s.sign(process.env["SECRET"], "utf-8")
+
+const apiKey = "**"
+o.password = "***"
+const foo = { password: "••" }
diff --git a/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js b/javascript/lang/hardcoded_secret/testdata/unsecure_assigment.js
@@ -1,2 +1,4 @@
 const config = {};
 config.clientSecret = "secretHardcodedString";
+
+const apiKey = "oops"
diff --git a/javascript/lang/http_url_using_user_input.yml b/javascript/lang/http_url_using_user_input.yml
@@ -72,8 +72,8 @@ auxiliary:
       - req.cookies
       - req.headers
       # AWS
-      - event.$<_>
-      - event[$<_>]
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
 severity: high
 metadata:
   description: "HTTP communication with user-controlled destination detected."

diff --git a/javascript/lang/http_url_using_user_input/.snapshots/bad.yml b/javascript/lang/http_url_using_user_input/.snapshots/bad.yml
@@ -215,4 +215,76 @@ high:
       parent_line_number: 27
       snippet: request(url, function () {})
       fingerprint: 62309be37a26b5016cdbcb3c143da49f_5
+    - rule:
+        cwe_ids:
+            - "918"
+        id: javascript_lang_http_url_using_user_input
+        title: HTTP communication with user-controlled destination detected.
+        description: |
+            ## Description
+
+            Applications should not connect to locations formed from user input.
+            This rule checks for URLs containing user-supplied data.
+
+            ## Remediations
+
+            ❌ Avoid using user input in HTTP URLs:
+
+            ```javascript
+            const response = axios.get(`https://${req.params.host}`)
+            ```
+
+            ✅ Use user input indirectly to form a URL:
+
+            ```javascript
+            const hosts = new Map([
+              ["option1", "api1.com"],
+              ["option2", "api2.com"]
+            ])
+
+            const host = hosts.get(req.params.host)
+            const response = axois.get(`https://${host}`)
+            ```
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_http_url_using_user_input
+      line_number: 31
+      filename: /tmp/scan/bad.js
+      parent_line_number: 31
+      snippet: axios.get(event.url)
+      fingerprint: 62309be37a26b5016cdbcb3c143da49f_6
+    - rule:
+        cwe_ids:
+            - "918"
+        id: javascript_lang_http_url_using_user_input
+        title: HTTP communication with user-controlled destination detected.
+        description: |
+            ## Description
+
+            Applications should not connect to locations formed from user input.
+            This rule checks for URLs containing user-supplied data.
+
+            ## Remediations
+
+            ❌ Avoid using user input in HTTP URLs:
+
+            ```javascript
+            const response = axios.get(`https://${req.params.host}`)
+            ```
+
+            ✅ Use user input indirectly to form a URL:
+
+            ```javascript
+            const hosts = new Map([
+              ["option1", "api1.com"],
+              ["option2", "api2.com"]
+            ])
+
+            const host = hosts.get(req.params.host)
+            const response = axois.get(`https://${host}`)
+            ```
+        documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_http_url_using_user_input
+      line_number: 35
+      filename: /tmp/scan/bad.js
+      parent_line_number: 35
+      snippet: axios.get(event["url"])
+      fingerprint: 62309be37a26b5016cdbcb3c143da49f_7
 
diff --git a/javascript/lang/http_url_using_user_input/testdata/bad.js b/javascript/lang/http_url_using_user_input/testdata/bad.js
@@ -25,3 +25,12 @@ const request = require('request')
 const imageRequest = request.get(url)
 
 request(url, function () {})
+
+
+export const handler = async (event, context) => {
+  axios.get(event.url)
+}
+
+exports.handler = async function (event, context) {
+  axios.get(event["url"])
+}
diff --git a/javascript/lang/http_url_using_user_input/testdata/ok.js b/javascript/lang/http_url_using_user_input/testdata/ok.js
@@ -25,3 +25,11 @@ const request = require('request')
 const imageRequest = request.get(url)
 
 request(url, function () {})
+
+export const handler = async (event, context) => {
+  axios.get(url)
+}
+
+exports.handler = async function (event, context) {
+  axios.get(url)
+}
diff --git a/javascript/lang/raw_html_using_user_input.yml b/javascript/lang/raw_html_using_user_input.yml
@@ -0,0 +1,71 @@
+languages:
+  - javascript
+patterns:
+  - pattern: $<STRING>
+    filters:
+      - variable: STRING
+        string_regex: <\w+(\s[^>]*)?>
+      - variable: STRING
+        detection: javascript_lang_raw_html_using_user_input_user_input
+      - not:
+          variable: STRING
+          detection: javascript_lang_raw_html_using_user_input_sanitized
+auxiliary:
+  - id: javascript_lang_raw_html_using_user_input_user_input_source
+    patterns:
+      # Express
+      - req.params
+      - req.query
+      - req.body
+      - req.cookies
+      - req.headers
+      # AWS
+      - async function ($<!>event, $<_>) {}
+      - async ($<!>event, $<_>) => {}
+  - id: javascript_lang_raw_html_using_user_input_user_input
+    patterns:
+      - pattern: $<USER_INPUT>
+        filters:
+          - variable: USER_INPUT
+            detection: javascript_lang_raw_html_using_user_input_user_input_source
+            contains: false
+  - id: javascript_lang_raw_html_using_user_input_sanitized
+    patterns:
+      - pattern: sanitizeHtml($<SANITIZED_USER_INPUT>$<...>)
+        filters:
+          - variable: SANITIZED_USER_INPUT
+            detection: javascript_lang_raw_html_using_user_input_user_input
+severity: high
+metadata:
+  description: "Unsanitized user input detected in raw HTML string."
+  remediation_message: |
+    ## Description
+
+    Applications should not include unsanitized user input in HTML. This
+    can allow cross-site scripting (XSS) attacks.
+
+    ## Remediations
+
+    ❌ Avoid including user input directly in HTML strings:
+
+    ```javascript
+    const html = `<h1>${req.params.title}</h1>`
+    ```
+
+    ✅ Use a framework or templating language to construct the HTML.
+
+    ✅ When HTML strings must be used, sanitize user input:
+
+    ```javascript
+    import sanitizeHtml from 'sanitize-html'
+
+    const sanitizedTitle = sanitizeHtml(req.params.title)
+    const html = `<h1>${sanitizedTitle}</h1>`
+    ```
+
+    ## Resources
+    - [OWASP Cross-Site Scripting (XSS) Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+  cwe_id:
+    - 79
+  id: javascript_lang_raw_html_using_user_input
+  documentation_url: https://docs.bearer.com/reference/rules/javascript_lang_raw_html_using_user_input