Merge branch 'develop' into semgrep-live-PeodN

semgrep · May 9, 2024 · 31ececd · 31ececd
2 parents 2be6991 + 48f6e91
commit 31ececd
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 2 deletions.
diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml
@@ -27,7 +27,7 @@ rules:
     A parameter being passed directly into `WSClient` most likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
+    They could also probe internal servers or other resources that the server running this code can access.
     Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
     host.
   metadata:

diff --git a/yaml/openapi/security/api-key-in-query-parameter.test.yaml b/yaml/openapi/security/api-key-in-query-parameter.test.yaml
@@ -0,0 +1,37 @@
+openapi: 3.1.0
+info:
+  title: Example API
+  description: Example API
+  version: 1.0.0
+
+servers:
+  - url: https://api.example.com/
+
+paths:
+  /test/{param}:
+    get:
+      operationId: test
+      parameters:
+        - name: param
+          in: path
+          required: true
+          description: test
+          schema:
+            type: string
+
+security:
+  - apiKeyAuthQuery: []
+  - apiKeyAuthHeader: []
+
+components:
+  securitySchemes:
+    # ruleid: api-key-in-query-parameter
+    apiKeyAuthQuery:
+      type: apiKey
+      in: query
+      name: api_key
+    # ok: api-key-in-query-parameter
+    apiKeyAuthHeader:
+      type: apiKey
+      in: header
+      name: X-API-Key
diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml
@@ -0,0 +1,45 @@
+rules:
+  - id: api-key-in-query-parameter
+    languages: [yaml]
+    message: >-
+      The $SECURITY_SCHEME security scheme passes an API key in a query parameter.
+      API keys should not be passed as query parameters in security schemes. 
+      Pass the API key in the header or body.
+      If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived.
+    severity: ERROR
+    patterns:
+    - pattern-inside: |
+        openapi: $VERSION
+        ...
+        components:
+          ...
+          securitySchemes:
+            ...
+    - metavariable-regex:
+        metavariable: $VERSION
+        regex: 3.*
+    - pattern: |
+        $SECURITY_SCHEME:
+          ...
+          type: apiKey
+          ...
+          in: query
+          
+    metadata:
+      category: security
+      subcategory: 
+        - vuln
+      technology: 
+        - openapi
+      likelihood: MEDIUM
+      impact: HIGH
+      confidence: HIGH
+      cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings'
+      owasp: 
+        - 'A04:2021 Insecure Design'
+        - 'A07:2021 Identification and Authentication Failures'
+      references:
+        - https://datatracker.ietf.org/doc/html/rfc6749
+        - https://cwe.mitre.org/data/definitions/598.html
+        - https://owasp.org/Top10/A04_2021-Insecure_Design/
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml
@@ -24,7 +24,8 @@ rules:
           scheme: basic
     metadata:
       category: security
-      subcategory: vuln
+      subcategory:
+      - vuln
       technology: 
         - openapi
       likelihood: MEDIUM