Last active
May 3, 2022 23:12
-
-
Save minusworld/a8c0a17c3facffbe23090292ccc9b373 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rules: | |
| - id: tainted-sql-string | |
| languages: | |
| - java | |
| severity: ERROR | |
| message: User data flows into this manually-constructed SQL string. User data | |
| can be safely inserted into SQL strings using prepared statements or an | |
| object-relational mapper (ORM). Manually-constructed SQL strings is a | |
| possible indicator of SQL injection, which could let an attacker steal or | |
| manipulate data from the database. Instead, use prepared statements | |
| (`connection.PreparedStatement`) or a safe library. | |
| metadata: | |
| cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command | |
| ('SQL Injection')" | |
| owasp: | |
| - A03:2021 | |
| - A01:2017 | |
| references: | |
| - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html | |
| category: security | |
| technology: | |
| - java | |
| - spring | |
| mode: taint | |
| pattern-sources: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., @$ANNOTATION | |
| $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., | |
| @$ANNOTATION(...) $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam $TYPE $PARAMETER) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam($LOOKUP) $TYPE $PARAMETER) { | |
| ... | |
| } | |
| pattern-sinks: | |
| - pattern-either: | |
| - pattern: new FileInputStream(...) | |
| - pattern: new FileReader(...) | |
| - pattern: new File(...) | |
| - pattern: $SOMETHING.getResourceAsStream(...) | |
| - id: tainted-html-string | |
| languages: | |
| - java | |
| severity: ERROR | |
| message: >- | |
| Detected user input flowing into a manually constructed HTML string. | |
| You may be accidentally bypassing secure methods of rendering HTML by | |
| manually constructing HTML and this could create a cross-site scripting | |
| vulnerability, which could let attackers steal sensitive user data. To be | |
| sure this is safe, check that the HTML is rendered safely. You can use | |
| the OWASP ESAPI encoder if you must render user data. | |
| metadata: | |
| cwe: "CWE-79" | |
| owasp: | |
| - A03:2021 | |
| - A07:2017 | |
| references: | |
| - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html | |
| category: security | |
| technology: | |
| - java | |
| - spring | |
| mode: taint | |
| pattern-sources: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., @$ANNOTATION | |
| $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., | |
| @$ANNOTATION(...) $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam $TYPE $PARAMETER) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam($LOOKUP) $TYPE $PARAMETER) { | |
| ... | |
| } | |
| pattern-sinks: | |
| - patterns: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| "$HTMLSTR" + ... | |
| - pattern: | | |
| "$HTMLSTR".concat(...) | |
| - patterns: | |
| - pattern-inside: | | |
| StringBuilder $SB = new StringBuilder("$HTMLSTR"); | |
| ... | |
| - pattern: $SB.append(...) | |
| - patterns: | |
| - pattern-inside: | | |
| $VAR = "$HTMLSTR"; | |
| ... | |
| - pattern: $VAR += ... | |
| - pattern: String.format("$HTMLSTR", ...) | |
| - patterns: | |
| - pattern-inside: | | |
| String $VAR = "$HTMLSTR"; | |
| ... | |
| - pattern: String.format($VAR, ...) | |
| - metavariable-regex: | |
| metavariable: $HTMLSTR | |
| regex: ^<\w+ | |
| - id: tainted-sql-string | |
| languages: | |
| - java | |
| severity: ERROR | |
| message: User data flows into this manually-constructed SQL string. User data | |
| can be safely inserted into SQL strings using prepared statements or an | |
| object-relational mapper (ORM). Manually-constructed SQL strings is a | |
| possible indicator of SQL injection, which could let an attacker steal or | |
| manipulate data from the database. Instead, use prepared statements | |
| (`connection.PreparedStatement`) or a safe library. | |
| metadata: | |
| cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command | |
| ('SQL Injection')" | |
| owasp: | |
| - A03:2021 | |
| - A01:2017 | |
| references: | |
| - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html | |
| category: security | |
| technology: | |
| - spring | |
| license: Commons Clause License Condition v1.0[LGPL-2.1-only] | |
| mode: taint | |
| pattern-sources: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., @$ANNOTATION | |
| $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., | |
| @$ANNOTATION(...) $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam $TYPE $PARAMETER) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam($LOOKUP) $TYPE $PARAMETER) { | |
| ... | |
| } | |
| pattern-sinks: | |
| - patterns: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| "$SQLSTR" + ... | |
| - pattern: | | |
| "$SQLSTR".concat(...) | |
| - patterns: | |
| - pattern-inside: | | |
| StringBuilder $SB = new StringBuilder("$SQLSTR"); | |
| ... | |
| - pattern: $SB.append(...) | |
| - patterns: | |
| - pattern-inside: | | |
| $VAR = "$SQLSTR"; | |
| ... | |
| - pattern: $VAR += ... | |
| - pattern: String.format("$SQLSTR", ...) | |
| - patterns: | |
| - pattern-inside: | | |
| String $VAR = "$SQLSTR"; | |
| ... | |
| - pattern: String.format($VAR, ...) | |
| - metavariable-regex: | |
| metavariable: $SQLSTR | |
| regex: (?i)(select|delete|insert|create|update|alter|drop)\b | |
| - id: tainted-system-command | |
| languages: | |
| - java | |
| severity: ERROR | |
| mode: taint | |
| pattern-sources: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., @$ANNOTATION | |
| $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., | |
| @$ANNOTATION(...) $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam $TYPE $PARAMETER) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam($LOOKUP) $TYPE $PARAMETER) { | |
| ... | |
| } | |
| pattern-sinks: | |
| - pattern-either: | |
| - pattern: (Runtime $RUNTIME).exec(...) | |
| - pattern: (Runtime $RUNTIME).loadLibrary(...) | |
| - pattern: Runtime.getRuntime(...).exec(...) | |
| - pattern: Runtime.getRuntime(...).loadLibrary(...) | |
| - pattern: new ProcessBuilder($ONEARG) | |
| - patterns: | |
| - pattern: new ProcessBuilder(...) | |
| - pattern-not: new ProcessBuilder("...", ...) | |
| message: >- | |
| Detected user input entering a method which executes a system command. | |
| This could result in a command injection vulnerability, which allows an | |
| attacker to inject an arbitrary system command onto the server. The attacker | |
| could download malware onto or steal data from the server. Instead, use | |
| ProcessBuilder, separating the command into individual arguments, like this: | |
| `new ProcessBuilder("ls", "-al", targetDirectory)`. Further, make sure you | |
| hardcode or allowlist the actual command so that attackers can't run arbitrary commands. | |
| metadata: | |
| cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command | |
| ('OS Command Injection')" | |
| owasp: "A01:2017 - Injection" | |
| category: security | |
| technology: | |
| - java | |
| - spring | |
| confidence: HIGH | |
| references: | |
| - https://www.stackhawk.com/blog/command-injection-java/ | |
| - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html | |
| - id: tainted-url-host | |
| languages: | |
| - java | |
| severity: ERROR | |
| message: >- | |
| User data flows into the host portion of this manually-constructed URL. | |
| This could allow an attacker to send data to their own server, | |
| potentially exposing sensitive data such as cookies or authorization | |
| information sent with this request. They could also probe internal | |
| servers or other resources that the server runnig this code can access. | |
| (This is called server-side request forgery, or SSRF.) Do not allow | |
| arbitrary hosts. Instead, create an allowlist for approved hosts hardcode | |
| the correct host, or ensure that the user data can only affect the path or parameters. | |
| metadata: | |
| cwe: "CWE-918: SSRF" | |
| owasp: | |
| - A10:2021 | |
| - A07:2017 | |
| references: | |
| - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html | |
| category: security | |
| technology: | |
| - java | |
| - spring | |
| mode: taint | |
| pattern-sources: | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., @$ANNOTATION | |
| $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| @RequestMapping(...) $RETURNTYPE $METHODNAME(..., | |
| @$ANNOTATION(...) $TYPE $PARAMETER, ...) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam $TYPE $PARAMETER) { | |
| ... | |
| } | |
| - pattern: | | |
| $RETURNTYPE $METHODNAME(..., @RequestParam($LOOKUP) $TYPE $PARAMETER) { | |
| ... | |
| } | |
| pattern-sinks: | |
| - pattern-either: | |
| - pattern: new URL($ONEARG) | |
| - patterns: | |
| - pattern-either: | |
| - pattern: | | |
| "$URLSTR" + ... | |
| - pattern: | | |
| "$URLSTR".concat(...) | |
| - patterns: | |
| - pattern-inside: | | |
| StringBuilder $SB = new StringBuilder("$URLSTR"); | |
| ... | |
| - pattern: $SB.append(...) | |
| - patterns: | |
| - pattern-inside: | | |
| $VAR = "$URLSTR"; | |
| ... | |
| - pattern: $VAR += ... | |
| - pattern: String.format("$URLSTR", ...) | |
| - patterns: | |
| - pattern-inside: | | |
| String $VAR = "$URLSTR"; | |
| ... | |
| - pattern: String.format($VAR, ...) | |
| - metavariable-regex: | |
| metavariable: $URLSTR | |
| regex: http(s?)://%(v|s|q).* |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment