From baf68d71778e2390b618149951233eb11475cb6a Mon Sep 17 00:00:00 2001
From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com>
Date: Thu, 5 Sep 2024 09:48:09 +0200
Subject: [PATCH] Merge Develop into Release (#3466)

* Added Onfido API token detection to recognize this type of secrets (#3463)

* PHP tainted-callable (#3464)

A callable is the name of a function, or an array with a class/object and a method. Basing these on user input makes it possible to call arbitrary functions.

Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>

---------

Co-authored-by: lucasan1 <70696858+lucasan1@users.noreply.github.com>
Co-authored-by: Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>
---
 .../detected-onfido-live-api-token.txt        |   8 ++
 .../detected-onfido-live-api-token.yaml       |  20 +++
 .../security/injection/tainted-callable.php   |  12 ++
 .../security/injection/tainted-callable.yaml  | 115 ++++++++++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 generic/secrets/security/detected-onfido-live-api-token.txt
 create mode 100644 generic/secrets/security/detected-onfido-live-api-token.yaml
 create mode 100644 php/lang/security/injection/tainted-callable.php
 create mode 100644 php/lang/security/injection/tainted-callable.yaml

diff --git a/generic/secrets/security/detected-onfido-live-api-token.txt b/generic/secrets/security/detected-onfido-live-api-token.txt
new file mode 100644
index 0000000000..e5df356ef3
--- /dev/null
+++ b/generic/secrets/security/detected-onfido-live-api-token.txt
@@ -0,0 +1,8 @@
+# ruleid: detected-onfido-live-api-token
+api_live.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_ca.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
+
+# ruleid: detected-onfido-live-api-token
+api_live_us.abc123ABC-_.abc123ABC-_abc123ABC-_abc123ABC-
diff --git a/generic/secrets/security/detected-onfido-live-api-token.yaml b/generic/secrets/security/detected-onfido-live-api-token.yaml
new file mode 100644
index 0000000000..be579fa82c
--- /dev/null
+++ b/generic/secrets/security/detected-onfido-live-api-token.yaml
@@ -0,0 +1,20 @@
+rules:
+- id: detected-onfido-live-api-token
+  pattern-regex: (?:api_live(?:_[a-zA-Z]{2})?\.[a-zA-Z0-9-_]{11}\.[-_a-zA-Z0-9]{32})
+  languages: [regex]
+  message: Onfido live API Token detected
+  severity: ERROR
+  metadata:
+    cwe:
+    - 'CWE-798: Use of Hard-coded Credentials'
+    category: security
+    technology:
+    - secrets
+    - onfido
+    confidence: HIGH
+    references:
+    - https://documentation.onfido.com/api/latest/#api-tokens
+    subcategory:
+    - audit
+    likelihood: HIGH
+    impact: HIGH
\ No newline at end of file
diff --git a/php/lang/security/injection/tainted-callable.php b/php/lang/security/injection/tainted-callable.php
new file mode 100644
index 0000000000..9bd6fa095d
--- /dev/null
+++ b/php/lang/security/injection/tainted-callable.php
@@ -0,0 +1,12 @@
+<?php
+
+$foo = [2, 1, 3];
+
+// ok: tainted-callable
+var_dump(usort($foo, 'strcmp'));
+
+// ok: tainted-callable
+var_dump(usort($_GET['array'], 'strcmp'));
+
+// ruleid: tainted-callable
+var_dump(usort($foo, $_GET['sortfunc']));
diff --git a/php/lang/security/injection/tainted-callable.yaml b/php/lang/security/injection/tainted-callable.yaml
new file mode 100644
index 0000000000..89d834c970
--- /dev/null
+++ b/php/lang/security/injection/tainted-callable.yaml
@@ -0,0 +1,115 @@
+rules:
+- id: tainted-callable
+  severity: WARNING
+  message: >-
+    Callable based on user input risks remote code execution.
+  metadata:
+    technology:
+    - php
+    category: security
+    cwe:
+    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp:
+    - A03:2021 - Injection
+    references:
+    - https://www.php.net/manual/en/language.types.callable.php
+    subcategory:
+    - vuln
+    impact: HIGH
+    likelihood: MEDIUM
+    confidence: MEDIUM
+  languages: [php]
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: $_GET
+      - pattern: $_POST
+      - pattern: $_COOKIE
+      - pattern: $_REQUEST
+      - pattern: file_get_contents('php://input')
+  pattern-sinks:
+  - patterns:
+    - pattern: $CALLABLE
+    - pattern-either:
+      - pattern-inside: $ARRAYITERATOR->uasort($CALLABLE)
+      - pattern-inside: $ARRAYITERATOR->uksort($CALLABLE)
+      - pattern-inside: $EVENTHTTP->setCallback($CALLABLE, ...)
+      - pattern-inside: $EVENTHTTPCONNECTION->setCloseCallback($CALLABLE, ...)
+      - pattern-inside: $EVLOOP->fork($CALLABLE, ...)
+      - pattern-inside: $EVLOOP->idle($CALLABLE, ...)
+      - pattern-inside: $EVLOOP->prepare($CALLABLE, ...)
+      - pattern-inside: $EVWATCHER->setCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setClientCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setCompleteCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setCreatedCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setDataCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setExceptionCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setFailCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setStatusCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setWarningCallback($CALLABLE)
+      - pattern-inside: $GEARMANCLIENT->setWorkloadCallback($CALLABLE)
+      - pattern-inside: $IMAGICK->setProgressMonitor($CALLABLE)
+      - pattern-inside: $OAUTHPROVIDER->consumerHandler($CALLABLE)
+      - pattern-inside: $OAUTHPROVIDER->tokenHandler($CALLABLE)
+      - pattern-inside: $PDO->sqliteCreateCollation($NAME, $CALLABLE)
+      - pattern-inside: $PDOSTATEMENT->fetchAll(PDO::FETCH_FUNC, $CALLABLE)
+      - pattern-inside: $SQLITE3->createCollation($NAME, $CALLABLE)
+      - pattern-inside: $SQLITE3->setAuthorizer($CALLABLE)
+      - pattern-inside: $ZIPARCHIVE->registerCancelCallback($CALLABLE)
+      - pattern-inside: $ZIPARCHIVE->registerProgressCallback($RATE, $CALLABLE)
+      - pattern-inside: $ZMQDEVICE->setIdleCallback($CALLABLE, ...)
+      - pattern-inside: $ZMQDEVICE->setTimerCallback($CALLABLE, ...)
+      - pattern-inside: apcu_entry($KEY, $CALLABLE, ...)
+      - pattern-inside: array_filter($ARRAY, $CALLABLE, ...)
+      - pattern-inside: array_map($CALLABLE, ...)
+      - pattern-inside: array_reduce($ARRAY, $CALLABLE, ...)
+      - pattern-inside: array_walk_recursive($ARRAY, $CALLABLE, ...)
+      - pattern-inside: array_walk($ARRAY, $CALLABLE, ...)
+      - pattern-inside: call_user_func_array($CALLABLE, ...)
+      - pattern-inside: call_user_func($CALLABLE, ...)
+      - pattern-inside: Closure::fromCallable($CALLABLE)
+      - pattern-inside: createCollation($NAME, $CALLABLE)
+      - pattern-inside: eio_grp($CALLABLE, ...)
+      - pattern-inside: eio_nop($PRI, $CALLABLE, ...)
+      - pattern-inside: eio_sync($PRI, $CALLABLE, ...)
+      - pattern-inside: EvPrepare::createStopped($CALLABLE, ...)
+      - pattern-inside: fann_set_callback($ANN, $CALLABLE)
+      - pattern-inside: fdf_enum_values($FDF_DOCUMENT, $CALLABLE, ...)
+      - pattern-inside: forward_static_call_array($CALLABLE, ...)
+      - pattern-inside: forward_static_call($CALLABLE, ...)
+      - pattern-inside: header_register_callback($CALLABLE)
+      - pattern-inside: ibase_set_event_handler($CALLABLE, ...)
+      - pattern-inside: IntlChar::enumCharTypes($CALLABLE)
+      - pattern-inside: iterator_apply($ITERATOR, $CALLABLE)
+      - pattern-inside: ldap_set_rebind_proc($LDAP, $CALLABLE)
+      - pattern-inside: libxml_set_external_entity_loader($CALLABLE, ...)
+      - pattern-inside: new CallbackFilterIterator($ITERATOR, $CALLABLE)
+      - pattern-inside: new EvCheck($CALLABLE, ...)
+      - pattern-inside: new EventHttpRequest($CALLABLE, ...)
+      - pattern-inside: new EvFork($CALLABLE, ...)
+      - pattern-inside: new EvIdle($CALLABLE, ...)
+      - pattern-inside: new Fiber($CALLABLE)
+      - pattern-inside: new Memcached($PERSISTENT_ID, $CALLABLE, ...)
+      - pattern-inside: new RecursiveCallbackFilterIterator($ITERATOR, $CALLABLE)
+      - pattern-inside: new Zookeeper($HOST, $CALLABLE, ...)
+      - pattern-inside: ob_start($CALLABLE, ...)
+      - pattern-inside: oci_register_taf_callback($CONNECTION, $CALLABLE)
+      - pattern-inside: readline_callback_handler_install($PROMPT, $CALLABLE)
+      - pattern-inside: readline_completion_function($CALLABLE)
+      - pattern-inside: register_shutdown_function($CALLABLE, ...)
+      - pattern-inside: register_tick_function($CALLABLE, ...)
+      - pattern-inside: rnp_ffi_set_pass_provider($FFI, $CALLABLE)
+      - pattern-inside: sapi_windows_set_ctrl_handler($CALLABLE, ...)
+      - pattern-inside: set_error_handler($CALLABLE, ...)
+      - pattern-inside: set_exception_handler($CALLABLE)
+      - pattern-inside: setAuthorizer($CALLABLE)
+      - pattern-inside: spl_autoload_register($CALLABLE, ...)
+      - pattern-inside: uasort($ARRAY, $CALLABLE)
+      - pattern-inside: uksort($ARRAY, $CALLABLE)
+      - pattern-inside: usort($ARRAY, $CALLABLE)
+      - pattern-inside: xml_set_character_data_handler($PARSER, $CALLABLE)
+      - pattern-inside: xml_set_default_handler($PARSER, $CALLABLE)
+      - pattern-inside: xml_set_element_handler($PARSER, $CALLABLE, $CALLABLE)
+      - pattern-inside: xml_set_notation_decl_handler($PARSER, $CALLABLE)
+      - pattern-inside: Yar_Concurrent_Client::loop($CALLABLE, ...)