Added CWE links for several codemods #964

Merged
merged 5 commits into from
Jan 8, 2025
15 changes: 11 additions & 4 deletions integration_tests/test_codemod_urls.py
@@ -10,7 +10,8 @@

async def visit_url(client, url):
try:
response = await client.get(url)
response = await client.head(url)

return url, response.status_code
except httpx.RequestError:
return url, None
@@ -36,9 +37,15 @@ async def check_accessible_urls(urls):

@pytest.mark.asyncio
async def test_codemod_reference_urls():
urls = [
ref.url for codemod in registry.codemods for ref in codemod._metadata.references
]
urls = list(
set(
[
ref.url
for codemod in registry.codemods
for ref in codemod._metadata.references
]
)
)
await check_accessible_urls(urls)
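Review bot: Switching `visit_url` to `client.head(url)` makes the check depend on every referenced host honouring HEAD; a host that answers 405 Method Not Allowed for HEAD while serving the page for GET will now be reported with that status instead of the GET result, and `check_accessible_urls`, which decides what counts as accessible, lies outside this hunk. A cheap fallback keeps the bandwidth saving for the common case: `response = await client.head(url)` followed by `if response.status_code == 405: response = await client.get(url)`. Separately, `list(set([...]))` in `test_codemod_reference_urls` builds a throwaway list; `sorted({ref.url for codemod in registry.codemods for ref in codemod._metadata.references})` expresses the deduplication directly and also makes the order in which URLs are checked deterministic across runs.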


1 change: 1 addition & 0 deletions src/core_codemods/add_requests_timeouts.py
@@ -27,6 +27,7 @@ def on_result_found(self, original_node, updated_node):
Reference(
url="https://docs.python-requests.org/en/master/user/quickstart/#timeouts"
),
Reference(url="https://cwe.mitre.org/data/definitions/1088"),
],
),
detector=SemgrepRuleDetector(
@@ -6,6 +6,7 @@
LibcstTransformerPipeline,
)
from codemodder.codemods.utils_mixin import NameResolutionMixin
from codemodder.codetf import Reference
from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
from core_codemods.harden_pickle_load import HardenPickleLoad
from core_codemods.harden_pyyaml import CodemodProtocol, HardenPyyamlCallMixin
@@ -56,7 +57,9 @@ def leave_Call(
)
],
),
references=[],
references=[
Reference(url="https://cwe.mitre.org/data/definitions/502"),
],
),
transformer=LibcstTransformerPipeline(
AvoidInsecureDeserializationTransformer, HardenPickleLoad
@@ -6,6 +6,7 @@
LibcstTransformerPipeline,
)
from codemodder.codemods.utils_mixin import NameResolutionMixin
from codemodder.codetf import Reference
from core_codemods.defectdojo.api import DefectDojoCodemod, DefectDojoDetector
from core_codemods.secure_cookie_mixin import SecureCookieMixin

@@ -50,7 +51,9 @@ def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Cal
)
],
),
references=[],
references=[
Reference(url="https://cwe.mitre.org/data/definitions/614"),
],
),
transformer=LibcstTransformerPipeline(DjangoSecureSetCookieTransformer),
detector=DefectDojoDetector(),
6 changes: 6 additions & 0 deletions src/core_codemods/disable_graphql_introspection.py
@@ -127,6 +127,12 @@ def _is_introspection_rule_or_starred(
Reference(
url="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL#introspection-queries",
),
Reference(
url="https://cwe.mitre.org/data/definitions/200",
),
Reference(
url="https://cwe.mitre.org/data/definitions/669",
),
],
),
transformer=LibcstTransformerPipeline(DisableGraphQLIntrospectionTransform),
1 change: 1 addition & 0 deletions src/core_codemods/django_debug_flag_on.py
@@ -16,6 +16,7 @@ class DjangoDebugFlagOn(SimpleCodemod):
Reference(
url="https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-DEBUG"
),
Reference(url="https://cwe.mitre.org/data/definitions/489"),
],
)
change_description = "Flip `Django` debug flag to off."
1 change: 1 addition & 0 deletions src/core_codemods/django_json_response_type.py
@@ -53,6 +53,7 @@ def on_result_found(self, _, updated_node):
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
),
Reference(url="https://cwe.mitre.org/data/definitions/79"),
],
),
transformer=LibcstTransformerPipeline(DjangoJsonResponseTypeTransformer),
1 change: 1 addition & 0 deletions src/core_codemods/django_session_cookie_secure_off.py
@@ -16,6 +16,7 @@ class DjangoSessionCookieSecureOff(SimpleCodemod):
Reference(
url="https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure"
),
Reference(url="https://cwe.mitre.org/data/definitions/614"),
],
)
change_description = "Sets Django's `SESSION_COOKIE_SECURE` flag if off or missing."
1 change: 1 addition & 0 deletions src/core_codemods/enable_jinja2_autoescape.py
@@ -30,6 +30,7 @@ def on_result_found(self, original_node, updated_node):
Reference(
url="https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping"
),
Reference(url="https://cwe.mitre.org/data/definitions/79"),
],
),
detector=SemgrepRuleDetector(
4 changes: 2 additions & 2 deletions src/core_codemods/file_resource_leak.py
@@ -73,8 +73,8 @@ def line_filter(x):
summary="Automatically Close Resources",
review_guidance=ReviewGuidance.MERGE_WITHOUT_REVIEW,
references=[
Reference(url="https://cwe.mitre.org/data/definitions/772.html"),
Reference(url="https://cwe.mitre.org/data/definitions/404.html"),
Reference(url="https://cwe.mitre.org/data/definitions/404"),
Reference(url="https://cwe.mitre.org/data/definitions/772"),
],
),
transformer=LibcstTransformerPipeline(FileResourceLeakTransformer),
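Review bot: Dropping the `.html` suffix from the two CWE definition URLs here (and likewise in `limit_readline.py` and `sql_parameterization.py`) makes each link depend on the CWE site serving or redirecting the extension-less path, whereas the `.html` form is the address the site itself publishes. The integration test in this same PR now issues `client.head(url)`, and httpx does not follow redirects unless the client is created with `follow_redirects=True`, so if the server answers with a 3xx the test would see that code rather than 200; whether `check_accessible_urls` tolerates 3xx is outside the visible hunks. If it does not, either keep the canonical `Reference(url="https://cwe.mitre.org/data/definitions/404.html"),` form or build the test client with `follow_redirects=True`. The reordering of 404 before 772 is harmless.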
1 change: 1 addition & 0 deletions src/core_codemods/flask_enable_csrf_protection.py
@@ -19,6 +19,7 @@ class FlaskEnableCSRFProtection(
references=[
Reference(url="https://owasp.org/www-community/attacks/csrf"),
Reference(url="https://flask-wtf.readthedocs.io/en/1.2.x/csrf/"),
Reference(url="https://cwe.mitre.org/data/definitions/352"),
],
)

1 change: 1 addition & 0 deletions src/core_codemods/flask_json_response_type.py
@@ -281,6 +281,7 @@ def _fix_json_dumps(self, node: cst.BaseExpression) -> cst.Tuple:
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts"
),
Reference(url="https://cwe.mitre.org/data/definitions/79"),
],
),
transformer=LibcstTransformerPipeline(FlaskJsonResponseTypeTransformer),
3 changes: 3 additions & 0 deletions src/core_codemods/harden_pickle_load.py
@@ -21,6 +21,9 @@ class HardenPickleLoad(SimpleCodemod, ImportModifierCodemod):
Reference(
url="https://github.com/trailofbits/fickling",
),
Reference(
url="https://cwe.mitre.org/data/definitions/502",
),
],
)

1 change: 1 addition & 0 deletions src/core_codemods/harden_pyyaml.py
@@ -126,6 +126,7 @@ def _update_bases(
Reference(
url="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"
),
Reference(url="https://cwe.mitre.org/data/definitions/502"),
],
),
detector=SemgrepRuleDetector(
1 change: 1 addition & 0 deletions src/core_codemods/harden_ruamel.py
@@ -11,6 +11,7 @@ class HardenRuamel(SimpleCodemod):
Reference(
url="https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data"
),
Reference(url="https://cwe.mitre.org/data/definitions/502"),
],
)
change_description = (
1 change: 1 addition & 0 deletions src/core_codemods/https_connection.py
@@ -59,6 +59,7 @@ class HTTPSConnection(SimpleCodemod):
Reference(
url="https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool"
),
Reference(url="https://cwe.mitre.org/data/definitions/319"),
],
)

1 change: 1 addition & 0 deletions src/core_codemods/jwt_decode_verify.py
@@ -109,6 +109,7 @@ def is_verify_keyword(element: cst.DictElement) -> bool:
Reference(
url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"
),
Reference(url="https://cwe.mitre.org/data/definitions/347"),
],
),
transformer=LibcstTransformerPipeline(JwtDecodeVerifyTransformer),
2 changes: 1 addition & 1 deletion src/core_codemods/limit_readline.py
@@ -11,7 +11,7 @@ class LimitReadline(SimpleCodemod):
summary="Limit readline()",
review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
references=[
Reference(url="https://cwe.mitre.org/data/definitions/400.html"),
Reference(url="https://cwe.mitre.org/data/definitions/400"),
],
)
change_description = "Adds a size limit argument to readline() calls."
1 change: 1 addition & 0 deletions src/core_codemods/lxml_safe_parser_defaults.py
@@ -17,6 +17,7 @@ class LxmlSafeParserDefaults(SimpleCodemod):
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
),
Reference(url="https://cwe.mitre.org/data/definitions/611"),
],
)
change_description = "Replace `lxml` parser parameters with safe defaults."
1 change: 1 addition & 0 deletions src/core_codemods/lxml_safe_parsing.py
@@ -17,6 +17,7 @@ class LxmlSafeParsing(SimpleCodemod):
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
),
Reference(url="https://cwe.mitre.org/data/definitions/611"),
],
)
change_description = (
2 changes: 2 additions & 0 deletions src/core_codemods/process_creation_sandbox.py
@@ -16,6 +16,8 @@ class ProcessSandbox(SimpleCodemod):
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
),
Reference(url="https://cwe.mitre.org/data/definitions/20"),
Reference(url="https://cwe.mitre.org/data/definitions/78"),
],
)
change_description = (
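Review bot: CWE-20 (Improper Input Validation) is added here next to CWE-78, and the same id is added in `sql_parameterization.py` and `url_sandbox.py`; MITRE marks CWE-20 as discouraged for vulnerability mapping because it is a broad class, and the specific ids already listed in each file (78, 89, 918) carry the actual meaning. Any tooling that consumes `references` to classify findings would attach the catch-all class to every result of these codemods. Consider dropping the `Reference(url="https://cwe.mitre.org/data/definitions/20"),` line in the three files, or, if the intent is to name the root cause, confirm that the broad class is what downstream consumers expect.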
1 change: 1 addition & 0 deletions src/core_codemods/replace_flask_send_file.py
@@ -18,6 +18,7 @@ class ReplaceFlaskSendFile(SimpleCodemod, NameAndAncestorResolutionMixin):
url="https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory"
),
Reference(url="https://owasp.org/www-community/attacks/Path_Traversal"),
Reference(url="https://cwe.mitre.org/data/definitions/35"),
],
)
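Review bot: The id in the new reference looks off: CWE-35 is the narrow variant "Path Traversal: '.../...//'", whereas the weakness this codemod addresses (the OWASP Path Traversal link on the line above it) is the general class CWE-22. The other ids added in this PR map to the top-level weakness for each codemod, so this one stands out; confirm the intended entry and, if the general class is meant, change the line to `Reference(url="https://cwe.mitre.org/data/definitions/22"),`.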

1 change: 1 addition & 0 deletions src/core_codemods/requests_verify.py
@@ -13,6 +13,7 @@ class RequestsVerify(SimpleCodemod):
Reference(
url="https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack"
),
Reference(url="https://cwe.mitre.org/data/definitions/295"),
],
)
change_description = (
1 change: 1 addition & 0 deletions src/core_codemods/secure_flask_cookie.py
@@ -14,6 +14,7 @@ class SecureFlaskCookie(SimpleCodemod, SecureCookieMixin):
Reference(
url="https://owasp.org/www-community/controls/SecureCookieAttribute"
),
Reference(url="https://cwe.mitre.org/data/definitions/614"),
],
)
change_description = "Flask response `set_cookie` call should be called with `secure=True`, `httponly=True`, and `samesite='Lax'`."
3 changes: 3 additions & 0 deletions src/core_codemods/secure_flask_session_config.py
@@ -23,6 +23,9 @@ class SecureFlaskSessionConfig(SimpleCodemod, Codemod):
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
),
Reference(url="https://cwe.mitre.org/data/definitions/319"),
Reference(url="https://cwe.mitre.org/data/definitions/352"),
Reference(url="https://cwe.mitre.org/data/definitions/614"),
],
)
change_description = "Flip Flask session configuration if defined as insecure."
12 changes: 12 additions & 0 deletions src/core_codemods/secure_random.py
@@ -33,6 +33,18 @@ def on_result_found(self, original_node, updated_node):
Reference(
url="https://docs.python.org/3/library/random.html",
),
Reference(
url="https://cwe.mitre.org/data/definitions/338",
),
Reference(
url="https://cwe.mitre.org/data/definitions/330",
),
Reference(
url="https://cwe.mitre.org/data/definitions/326",
),
Reference(
url="https://cwe.mitre.org/data/definitions/1241",
),
],
),
detector=SemgrepRuleDetector(
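Review bot: CWE-326 (Inadequate Encryption Strength) in the new reference list concerns weak keys and ciphers rather than the quality of a random source, so it reads as a mis-mapping next to CWE-338, CWE-330 and CWE-1241, which all describe predictable or weak random numbers; consider removing the `Reference(url="https://cwe.mitre.org/data/definitions/326")` entry unless this codemod is also meant to cover key generation. The same id is added in `semgrep_rsa_key_size.py`, where it fits, and in the two `upgrade_sslcontext_*` files, where the weakness is a deprecated protocol version rather than key length — CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is the usual mapping for that case, so it is worth confirming which was intended there.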
5 changes: 4 additions & 1 deletion src/core_codemods/semgrep/semgrep_nan_injection.py
@@ -15,6 +15,7 @@
LibcstTransformerPipeline,
)
from codemodder.codemods.semgrep import SemgrepSarifFileDetector
from codemodder.codetf import Reference
from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id


@@ -124,7 +125,9 @@ def visit_Call(self, node: cst.Call) -> None:
)
],
),
references=[],
references=[
Reference(url="https://cwe.mitre.org/data/definitions/704"),
],
),
transformer=LibcstTransformerPipeline(NanInjectionTransformer),
detector=SemgrepSarifFileDetector(),
5 changes: 4 additions & 1 deletion src/core_codemods/semgrep/semgrep_no_csrf_exempt.py
@@ -12,6 +12,7 @@
)
from codemodder.codemods.semgrep import SemgrepSarifFileDetector
from codemodder.codemods.utils_mixin import NameResolutionMixin
from codemodder.codetf import Reference
from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id


@@ -53,7 +54,9 @@ def leave_Decorator(
)
],
),
references=[],
references=[
Reference(url="https://cwe.mitre.org/data/definitions/352"),
],
),
transformer=LibcstTransformerPipeline(RemoveCsrfExemptTransformer),
detector=SemgrepSarifFileDetector(),
5 changes: 4 additions & 1 deletion src/core_codemods/semgrep/semgrep_rsa_key_size.py
@@ -12,6 +12,7 @@
NewArg,
)
from codemodder.codemods.semgrep import SemgrepSarifFileDetector
from codemodder.codetf import Reference
from codemodder.result import fuzzy_column_match, same_line
from core_codemods.semgrep.api import SemgrepCodemod, semgrep_url_from_id

@@ -74,7 +75,9 @@ def match_location(self, pos, result):
)
],
),
references=[],
references=[
Reference(url="https://cwe.mitre.org/data/definitions/326"),
],
),
transformer=LibcstTransformerPipeline(RsaKeySizeTransformer),
detector=SemgrepSarifFileDetector(),
3 changes: 2 additions & 1 deletion src/core_codemods/sql_parameterization.py
@@ -369,7 +369,8 @@ def _remove_literal_and_gather_extra(
summary="Parameterize SQL Queries",
review_guidance=ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
references=[
Reference(url="https://cwe.mitre.org/data/definitions/89.html"),
Reference(url="https://cwe.mitre.org/data/definitions/20"),
Reference(url="https://cwe.mitre.org/data/definitions/89"),
Reference(url="https://owasp.org/www-community/attacks/SQL_Injection"),
],
),
1 change: 1 addition & 0 deletions src/core_codemods/subprocess_shell_false.py
@@ -79,6 +79,7 @@ def first_arg_is_not_string(self, original_node: cst.Call) -> bool:
url="https://en.wikipedia.org/wiki/Code_injection#Shell_injection"
),
Reference(url="https://stackoverflow.com/a/3172488"),
Reference(url="https://cwe.mitre.org/data/definitions/78"),
],
),
transformer=LibcstTransformerPipeline(SubprocessShellFalseTransformer),
2 changes: 2 additions & 0 deletions src/core_codemods/tempfile_mktemp.py
@@ -169,6 +169,8 @@ def _mktemp_is_sink(
Reference(
url="https://docs.python.org/3/library/tempfile.html#tempfile.mktemp"
),
Reference(url="https://cwe.mitre.org/data/definitions/377"),
Reference(url="https://cwe.mitre.org/data/definitions/379"),
],
),
transformer=LibcstTransformerPipeline(TempfileMktempTransformer),
1 change: 1 addition & 0 deletions src/core_codemods/upgrade_sslcontext_minimum_version.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextMinimumVersion(SimpleCodemod, NameResolutionMixin):
),
Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
Reference(url="https://cwe.mitre.org/data/definitions/326"),
],
)
change_description = "Replaces minimum SSL/TLS version for SSLContext."
1 change: 1 addition & 0 deletions src/core_codemods/upgrade_sslcontext_tls.py
@@ -13,6 +13,7 @@ class UpgradeSSLContextTLS(SimpleCodemod):
),
Reference(url="https://datatracker.ietf.org/doc/rfc8996/"),
Reference(url="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"),
Reference(url="https://cwe.mitre.org/data/definitions/326"),
],
)
change_description = "Replaces known insecure TLS/SSL protocol versions in SSLContext with secure ones."
3 changes: 2 additions & 1 deletion src/core_codemods/url_sandbox.py
@@ -32,14 +32,15 @@ def dependency(self) -> Dependency:
Reference(
url="https://github.com/pixee/python-security/blob/main/src/security/safe_requests/api.py"
),
Reference(url="https://portswigger.net/web-security/ssrf"),
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
),
Reference(
url="https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/"
),
Reference(url="https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"),
Reference(url="https://cwe.mitre.org/data/definitions/20"),
Reference(url="https://cwe.mitre.org/data/definitions/918"),
],
),
detector=SemgrepRuleDetector(
1 change: 1 addition & 0 deletions src/core_codemods/use_defused_xml.py
@@ -51,6 +51,7 @@ def dependency(self) -> Dependency:
Reference(
url="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
),
Reference(url="https://cwe.mitre.org/data/definitions/611"),
],
),
transformer=LibcstTransformerPipeline(UseDefusedXmlTransformer),