diff --git a/.codemapignore b/.codemapignore
index 0d77320097..4d725e3c70 100644
--- a/.codemapignore
+++ b/.codemapignore
@@ -10,7 +10,6 @@
!libsonnet/
!scripts/
!stats/
-# restore also fingerprints/ ? trusted_python/ ?
# do not skip the rules
![a-z]*/**/*.yaml
diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
index 9114b485ac..034af3014c 100644
--- a/.github/workflows/semgrep-rule-lints.yaml
+++ b/.github/workflows/semgrep-rule-lints.yaml
@@ -45,5 +45,4 @@ jobs:
--exclude *.test.yaml \
--exclude contrib/ \
--exclude stats/ \
- --exclude fingerprints/ \
--exclude yaml/semgrep/
diff --git a/.github/workflows/semgrep-rules-test-develop.yml b/.github/workflows/semgrep-rules-test-develop.yml
index 190bb44484..911b306cc6 100644
--- a/.github/workflows/semgrep-rules-test-develop.yml
+++ b/.github/workflows/semgrep-rules-test-develop.yml
@@ -1,3 +1,6 @@
+# Running the tests in the repo using `semgrep test --experimental` and
+# the semgrep/semgrep:pro-develop docker image (the bleeding edge!).
+
name: semgrep-rules-test-develop
on:
pull_request:
@@ -9,8 +12,6 @@ on:
- develop
- release
jobs:
- # Note: if you change this test there will likely need to be a
- # corresponding change in returntocorp/semgrep
test-develop:
name: rules-test-develop
runs-on: ubuntu-20.04
@@ -18,17 +19,20 @@ jobs:
- uses: actions/checkout@v2
with:
path: semgrep-rules
- - name: delete stats directory
+ - name: run osemgrep test --pro
+ run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep test --pro .
+ #TODO: we can delete all the rest below and also scripts/run-tests
+ - name: delete directories not containing rules
run: rm -rf semgrep-rules/stats
- - name: delete fingerprints directory
- run: rm -rf semgrep-rules/fingerprints
- name: delete rules requiring Semgrep Pro
run: rm -rf semgrep-rules/apex semgrep-rules/elixir
+ # TODO: this takes 1m20 in CI and could be optimized by switching to osemgrep
- name: validate rules
run: |
- export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
+ export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep"
make -C "$GITHUB_WORKSPACE"/semgrep-rules validate
- - name: test with semgrep develop branch
+ # this now takes 21s with osemgrep instead of 3min with pysemgrep
+ - name: test with semgrep pro develop branch and with --experimental
run: |
- export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
+ export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep --experimental"
make -C "$GITHUB_WORKSPACE"/semgrep-rules test-only
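Review bot: The new step on the `run osemgrep test --pro` line runs `semgrep test --pro .` without `--experimental`, while the file header added in the first hunk says the tests use `semgrep test --experimental` and the later step on the `test with semgrep pro develop branch` line does pass it; if `--pro` alone does not route through osemgrep, this step is still exercising pysemgrep, so the name and the command disagree — `run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep test --pro --experimental .` if osemgrep is what is meant. The step renamed to `delete directories not containing rules` still removes only `semgrep-rules/stats`, so the plural name overstates what it does. The `#TODO:` comment lacks the space after `#` that yamllint's `comments` rule expects (`# TODO:`), unlike the other comments in this hunk. The enclosing `steps:` list starts outside the hunk.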
diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml
index 55ecab1ac3..071ef8271f 100644
--- a/.github/workflows/semgrep-rules-test-historical.yml
+++ b/.github/workflows/semgrep-rules-test-historical.yml
@@ -32,8 +32,6 @@ jobs:
run: pip3 install semgrep
- name: delete stats directory
run: rm -rf semgrep-rules/stats
- - name: delete fingerprints directory
- run: rm -rf semgrep-rules/fingerprints
- name: delete rules requiring Semgrep Pro
run: rm -rf semgrep-rules/apex semgrep-rules/elixir
# TODO: remove this in the future, there was a regression in semgrep that
diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml
index dccca89c1e..5854d24a32 100644
--- a/.github/workflows/semgrep-rules-test.yml
+++ b/.github/workflows/semgrep-rules-test.yml
@@ -21,8 +21,6 @@ jobs:
run: pip3 install semgrep
- name: remove stats directory
run: rm -rf stats
- - name: remove fingerprints from testing
- run: rm -rf fingerprints
- name: remove .github from testing
run: rm -rf .github
- name: remove pre-commit-config.yaml
diff --git a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
index 91aff30daa..0c29a8c1fe 100644
--- a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
+++ b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
@@ -21,7 +21,7 @@ jobs:
env:
HEAD_REF: ${{ github.head_ref }}
run: |
- CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|contrib|fingerprints|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
+ CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
echo "changed_files=$CHANGED_FILES" >> $GITHUB_ENV
- id: print-changed-files
name: debugging step - print changed files
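Review bot: The rewritten `sed -r` exclusion on the `CHANGED_FILES=` line drops `contrib` as well as `fingerprints`, so changed `contrib/**/*.yaml` files now flow into `changed_files` and into the scanner trigger, which the commit message about removing fingerprints does not obviously intend; the lint workflow in this same commit still passes `--exclude contrib/`. If that was accidental, keep the directory in the list: `sed -r '/^(.github|bash|contrib|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d'`. The enclosing `run: |` block continues outside the hunk.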
diff --git a/dockerfile/security/dockerd-socket-mount.dockerfile b/dockerfile/security/dockerd-socket-mount.dockerfile
new file mode 100644
index 0000000000..a1b0574974
--- /dev/null
+++ b/dockerfile/security/dockerd-socket-mount.dockerfile
@@ -0,0 +1,11 @@
+FROM docker:latest
+
+WORKDIR /app
+
+# ruleid: dockerfile-dockerd-socket-mount
+VOLUME /var/run/docker.sock:/var/run/docker.sock
+
+# ok: dockerfile-dockerd-socket-mount
+VOLUME ./app/main.py:/main.py
+
+CMD ["docker", "images"]
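Review bot: The `# ruleid:` case `VOLUME /var/run/docker.sock:/var/run/docker.sock` does not do what the rule message describes: Dockerfile `VOLUME` only declares container mount points and cannot bind a host path, so this instruction creates an anonymous volume at a literally named path rather than exposing the host daemon socket. Flagging the attempt is still reasonable for an audit rule, but the fixture should say so to keep future maintainers from treating it as a working reproduction, e.g. `# note: VOLUME cannot bind-mount a host path; the rule flags the intent, the effective exposure comes from compose `volumes:` or `docker run -v``. The `# ok:` case with a relative host path has the same caveat.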
diff --git a/dockerfile/security/dockerd-socket-mount.yaml b/dockerfile/security/dockerd-socket-mount.yaml
new file mode 100644
index 0000000000..49a3c34ebc
--- /dev/null
+++ b/dockerfile/security/dockerd-socket-mount.yaml
@@ -0,0 +1,36 @@
+rules:
+ - id: dockerfile-dockerd-socket-mount
+ message: >-
+ The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container
+ to escape container and execute arbitrary commands on the host machine.
+ languages:
+ - dockerfile
+ - yaml
+ severity: ERROR
+ metadata:
+ cwe:
+ - "CWE-862: Missing Authorization"
+ - "CWE-269: Improper Privilege Management"
+ confidence: HIGH
+ likelihood: MEDIUM
+ impact: HIGH
+ subcategory:
+ - audit
+ technology:
+ - dockerfile
+ category: security
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+ - https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/
+ - https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html
+ pattern-either:
+ - patterns:
+ - pattern: VOLUME $X
+ - metavariable-regex:
+ metavariable: $X
+ regex: "/var/run/docker.sock"
+ - patterns:
+ - pattern-regex: '- "/var/run/docker.sock:.*"'
+ - pattern-inside: |
+ volumes:
+ ...
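Review bot: The YAML branch's `pattern-regex: '- "/var/run/docker.sock:.*"'` only matches a double-quoted list item, so the common unquoted compose form (`- /var/run/docker.sock:/var/run/docker.sock`), the single-quoted form and the `/run/docker.sock` path variant are all missed, and the unescaped `.` is a minor looseness; `pattern-regex: '-\s*["'']?/(var/)?run/docker\.sock:'` covers those while staying anchored on the list-item prefix. The rule lists `yaml` under `languages`, but this commit adds only a `.dockerfile` fixture, so the compose branch has no `ruleid`/`ok` cases unless a YAML fixture exists elsewhere. The `cwe` entry `CWE-862: Missing Authorization` seems a loose fit for socket exposure; CWE-250 (Execution with Unnecessary Privileges) is closer to what the message describes, though this is a judgement call.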
diff --git a/fingerprints/fingerprints.yaml b/fingerprints/fingerprints.yaml
deleted file mode 100644
index 96472bb79a..0000000000
--- a/fingerprints/fingerprints.yaml
+++ /dev/null
@@ -1,826 +0,0 @@
-rules:
- - id: cai-generic-technology-docker-compose
- languages:
- - generic
- message:
- Detected a docker-compose.yml file. This likely indicates that Docker and
- docker-compose are in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - docker-compose.yml
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-generic-technology-dockerfile
- languages:
- - generic
- message: Detected a Dockerfile file. This likely indicates that Docker is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - Dockerfile
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-generic-technology-kubernetes
- languages:
- - generic
- message:
- Detected a Kubernetes configuration file. This likely indicates that Kubernetes
- is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.yaml"
- - "*.yml"
- pattern: "apiVersion: ...\nkind: ...\nmetadata:\n ...\nspec:\n ...\n"
- severity: INVENTORY
- - id: cai-generic-technology-travis
- languages:
- - generic
- message:
- Detected a .travis.yml file. This likely indicates that TravisCI is in
- use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - .travis.yml
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-generic-technology-circleci
- languages:
- - generic
- message: Detected a CircleCI file. This likely indicates that CircleCI is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - .circleci/config.yml
- - circle.yml
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-generic-technology-github-actions
- languages:
- - generic
- message:
- Detected a Github Actions file. This likely indicates that Github Actions
- is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - .github/workflows/*.yaml
- - .github/workflows/*.yml
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-generic-technology-gitlab
- languages:
- - generic
- message: Detected a GitLab file. This likely indicates that GitLab is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - .gitlab-ci.yml
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-java-dependency-spring
- languages:
- - generic
- message: "Detected `spring` as a dependency in a pom.xml file.
-
- This likely indicates that Spring framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - pom.xml
- patterns:
- - pattern:
- "\n ...\n spring-...\n \
- \ ...\n\n"
- - pattern-not-inside: "\n ...\n\n"
- severity: INVENTORY
- - id: cai-java-framework-spring
- languages:
- - java
- message:
- Detected `spring` being imported, indicating this app uses the Java spring
- web framework
- metadata:
- license: Semgrep Registry License
- pattern: "import org.springframework.$PATH;
-
- "
- severity: INVENTORY
- - id: cai-javascript-dependency-angular-core-yarn
- languages:
- - generic
- message: "Detected `angular-core` as a dependency in a yarn.lock file.
-
- This likely indicates that Angular frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: "@angular/core@$VERSION"
- - pattern: "@angular/core@^$VERSION"
- - pattern: "@angular/core@~$VERSION"
- - pattern: "@angular/core@>$VERSION"
- - pattern: "@angular/core@<$VERSION"
- - pattern: "@angular/core@>=$VERSION"
- - pattern: "@angular/core@<=$VERSION"
- severity: INVENTORY
- - id: cai-javascript-dependency-angular-core
- languages:
- - json
- message: "Detected `angular-core` as a dependency in a package.json file.
-
- This likely indicates that Angular frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"@angular/core\"\
- : $VERSION\n }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"@angular/core\"\
- : $VERSION\n }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-angular-yarn
- languages:
- - generic
- message: "Detected `angular` as a dependency in a yarn.lock file.
-
- This likely indicates that Angular frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: angular@$VERSION
- - pattern: angular@^$VERSION
- - pattern: angular@~$VERSION
- - pattern: angular@>$VERSION
- - pattern: angular@<$VERSION
- - pattern: angular@>=$VERSION
- - pattern: angular@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-angular
- languages:
- - json
- message: "Detected `angular` as a dependency in a package.json file.
-
- This likely indicates that Angular frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"angular\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"angular\": $VERSION\n\
- \ }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-vue-yarn
- languages:
- - generic
- message: "Detected `vue` as a dependency in a yarn.lock file.
-
- This likely indicates that vue - a JS MVC framework. is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: vue@$VERSION
- - pattern: vue@^$VERSION
- - pattern: vue@~$VERSION
- - pattern: vue@>$VERSION
- - pattern: vue@<$VERSION
- - pattern: vue@>=$VERSION
- - pattern: vue@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-vue
- languages:
- - json
- message: "Detected `vue` as a dependency in a package.json file.
-
- This likely indicates that vue - a JS MVC framework. is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"vue\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"vue\": $VERSION\n\
- \ }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-expressjs-yarn
- languages:
- - generic
- message: "Detected `expressjs` as a dependency in a yarn.lock file.
-
- This likely indicates that NodeJS web framework Express JS is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: express@$VERSION
- - pattern: express@^$VERSION
- - pattern: express@~$VERSION
- - pattern: express@>$VERSION
- - pattern: express@<$VERSION
- - pattern: express@>=$VERSION
- - pattern: express@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-expressjs
- languages:
- - json
- message: "Detected `expressjs` as a dependency in a package.json file.
-
- This likely indicates that NodeJS web framework Express JS is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"express\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"express\": $VERSION\n\
- \ }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-jsonwebtoken-yarn
- languages:
- - generic
- message: "Detected `jsonwebtoken` as a dependency in a yarn.lock file.
-
- This likely indicates that JWT is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: jsonwebtoken@$VERSION
- - pattern: jsonwebtoken@^$VERSION
- - pattern: jsonwebtoken@~$VERSION
- - pattern: jsonwebtoken@>$VERSION
- - pattern: jsonwebtoken@<$VERSION
- - pattern: jsonwebtoken@>=$VERSION
- - pattern: jsonwebtoken@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-jsonwebtoken
- languages:
- - json
- message: "Detected `jsonwebtoken` as a dependency in a package.json file.
-
- This likely indicates that JWT is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"jsonwebtoken\":\
- \ $VERSION\n }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"jsonwebtoken\"\
- : $VERSION\n }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-pug-yarn
- languages:
- - generic
- message: "Detected `pug` as a dependency in a yarn.lock file.
-
- This likely indicates that Pug template engine is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: pug@$VERSION
- - pattern: pug@^$VERSION
- - pattern: pug@~$VERSION
- - pattern: pug@>$VERSION
- - pattern: pug@<$VERSION
- - pattern: pug@>=$VERSION
- - pattern: pug@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-pug
- languages:
- - json
- message: "Detected `pug` as a dependency in a package.json file.
-
- This likely indicates that Pug template engine is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"pug\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"pug\": $VERSION\n\
- \ }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-puppeteer-yarn
- languages:
- - generic
- message: "Detected `puppeteer` as a dependency in a yarn.lock file.
-
- This likely indicates that headless-browser is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: puppeteer@$VERSION
- - pattern: puppeteer@^$VERSION
- - pattern: puppeteer@~$VERSION
- - pattern: puppeteer@>$VERSION
- - pattern: puppeteer@<$VERSION
- - pattern: puppeteer@>=$VERSION
- - pattern: puppeteer@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-puppeteer
- languages:
- - json
- message: "Detected `puppeteer` as a dependency in a package.json file.
-
- This likely indicates that headless-browser is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"puppeteer\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"puppeteer\":\
- \ $VERSION\n }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-dependency-react-yarn
- languages:
- - generic
- message: "Detected `react` as a dependency in a yarn.lock file.
-
- This likely indicates that React frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - yarn.lock
- pattern-either:
- - pattern: react@$VERSION
- - pattern: react@^$VERSION
- - pattern: react@~$VERSION
- - pattern: react@>$VERSION
- - pattern: react@<$VERSION
- - pattern: react@>=$VERSION
- - pattern: react@<=$VERSION
- severity: INVENTORY
- - id: cai-javascript-dependency-react
- languages:
- - json
- message: "Detected `react` as a dependency in a package.json file.
-
- This likely indicates that React frontend framework is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - package.json
- patterns:
- - pattern-either:
- - pattern:
- "{\n ...,\n \"dependencies\": {\n ...,\n \"react\": $VERSION\n\
- \ }\n}\n"
- - pattern:
- "{\n ...,\n \"devDependencies\": {\n ...,\n \"react\": $VERSION\n\
- \ }\n}\n"
- severity: INVENTORY
- - id: cai-javascript-framework-expressjs
- languages:
- - javascript
- message:
- Detected `express` being required and used, meaning this app uses the ExpressJS
- web framework.
- metadata:
- license: Semgrep Registry License
- pattern: 'var $IMPORT = require("express");
-
- ...
-
- var $APP = $IMPORT();
-
- '
- severity: INVENTORY
- - id: cai-python-dependency-boto
- languages:
- - generic
- message: "Detected `boto` as a dependency in a requirements.txt file.
-
- This likely indicates that AWS SDK for Python is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- pattern-regex: boto([3|core])*
- severity: INVENTORY
- - id: cai-python-dependency-django
- languages:
- - generic
- message: "Detected `django` as a dependency in a requirements.txt file.
-
- This likely indicates that Detected `django` as a dependency in a requirements.txt
- file. This likely indicates that the Python web framework Django is being used.
- is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- pattern-regex: "[d|D]jango"
- severity: INVENTORY
- - id: cai-python-dependency-fastapi
- languages:
- - generic
- message: "Detected `fastapi` as a dependency in a requirements.txt file.
-
- This likely indicates that Python web framework FastAPI is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- pattern-regex: fastapi
- severity: INVENTORY
- - id: cai-python-dependency-flask
- languages:
- - generic
- message: "Detected `flask` as a dependency in a requirements.txt file.
-
- This likely indicates that Detected `flask` as a dependency in a requirements.txt
- file. This likely indicates that the Python web framework Flask is being used.
- is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- patterns:
- - pattern-regex: "[Ff]lask"
- - pattern-not-regex: "[Ff]lask-"
- - pattern-not-regex: -[Ff]lask
- severity: INVENTORY
- - id: cai-python-dependency-jinja
- languages:
- - generic
- message: "Detected `jinja` as a dependency in a requirements.txt file.
-
- This likely indicates that Jinja template engine is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- pattern-regex: "[Jj]inja"
- severity: INVENTORY
- - id: cai-python-dependency-sqlalchemy
- languages:
- - generic
- message: "Detected `sqlalchemy` as a dependency in a requirements.txt file.
-
- This likely indicates that database is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - requirements.txt
- - requirements.in
- - setup.py
- pattern-regex: "[Ss][Qq][Ll][Aa]lchemy"
- severity: INVENTORY
- - id: cai-python-framework-django
- languages:
- - python
- message:
- Detected `django.http` being imported, indicating this app uses the Python
- Django web framework
- metadata:
- license: Semgrep Registry License
- pattern: "import django.http.$FOO
-
- "
- severity: INVENTORY
- - id: cai-python-framework-flask
- languages:
- - python
- message:
- Detected `Flask()` being instantiated, indicating this app uses the Python
- Flask web framework
- metadata:
- license: Semgrep Registry License
- pattern: "$FLASK = Flask(...)
-
- "
- severity: INVENTORY
- - id: cai-ocaml-technology-opam
- languages:
- - generic
- message: Detected a OPAM file. This likely indicates OCaml and OPAM are being used.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.opam"
- pattern-regex: ^.*
- severity: INVENTORY
- - id: cai-ocaml-technology-dune
- languages:
- - generic
- message: Detected a dune file. This likely indicates OCaml and dune are being used.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - dune
- - dune-project
- pattern-regex: ^.*
- severity: INVENTORY
- - id: cai-ruby-dependency-rails
- languages:
- - generic
- message: "Detected `rails` as a dependency in a Gemfile file.
-
- This likely indicates that Ruby web framework Rails is being used."
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - Gemfile
- pattern-regex: gem ['"]rails
- severity: INVENTORY
- - id: cai-ruby-framework-rails
- languages:
- - ruby
- message:
- Detected a rails route being created, indicating this app uses the Ruby
- rails web framework
- metadata:
- license: Semgrep Registry License
- pattern: "Rails.application.routes.draw do \n ...\nend\n"
- severity: INVENTORY
- - id: cai-generic-technology-nginx
- languages:
- - generic
- message: Detected a .conf file. This likely indicates that Nginx is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.conf"
- pattern: "location ... {\n ...\n ...\n ...\n}\n"
- severity: INVENTORY
- - id: cai-hcl-technology-terraform
- languages:
- - generic
- message: Detected a .tf file. This likely indicates that Terraform is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.tf"
- pattern: "terraform {\n ...\n ...\n ...\n}\n"
- severity: INVENTORY
- - id: cai-shell-technology-bash
- languages:
- - generic
- message: Detected a bash script. This likely indicates bash is being used.
- metadata:
- license: Semgrep Registry License
- pattern-either:
- - pattern: "#!/bin/bash"
- - pattern: "#!/usr/bin/env ... bash"
- severity: INVENTORY
- - id: cai-shell-technology-sh
- languages:
- - generic
- message: Detected a sh script. This likely indicates sh is being used.
- metadata:
- license: Semgrep Registry License
- pattern-either:
- - pattern: "#!/bin/sh"
- - pattern: "#!/usr/bin/env ... sh"
- severity: INVENTORY
- - id: cai-c-technology-c
- languages:
- - generic
- message: Detected a .c file. This likely indicates C is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.c"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-csharp-technology-csharp
- languages:
- - generic
- message: Detected a .cs file. This likely indicates C is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.cs"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-go-technology-go
- languages:
- - generic
- message: Detected a .go file. This likely indicates Go is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.go"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-html-technology-html
- languages:
- - generic
- message: Detected a .html file. This likely indicates html is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.html"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-java-technology-java
- languages:
- - generic
- message: Detected a .java file. This likely indicates Java is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.java"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-javascript-technology-javascript
- languages:
- - generic
- message: Detected a .js file. This likely indicates JavaScript is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.js"
- - "*.javascript"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-kotlin-technology-kotlin
- languages:
- - generic
- message: Detected a .kt file. This likely indicates Kotlin is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.kt"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-ocaml-technology-ocaml
- languages:
- - generic
- message: Detected a .ml file. This likely indicates Ocaml is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.ml"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-php-technology-php
- languages:
- - generic
- message: Detected a .php file. This likely indicates PHP is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.phtml"
- - "*.php"
- - "*.php3"
- - "*.php4"
- - "*.php5"
- - "*.phps"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-python-technology-python
- languages:
- - generic
- message: Detected a .py file. This likely indicates py is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.py"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-ruby-technology-ruby
- languages:
- - generic
- message: Detected a .rb file. This likely indicates Ruby is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.rb"
- - "*.erb"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-scala-technology-scala
- languages:
- - generic
- message: Detected a .scala file. This likely indicates Scala is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.scala"
- - "*.sc"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-terraform-technology-terraform
- languages:
- - generic
- message: Detected a .tf file. This likely indicates Terraform is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.tf"
- pattern-regex: ^.
- severity: INVENTORY
- - id: cai-typescript-technology-typescript
- languages:
- - generic
- message: Detected a .ts file. This likely indicates TypeScript is in use.
- metadata:
- license: Semgrep Registry License
- paths:
- include:
- - "*.ts"
- - "*.typescript"
- pattern-regex: ^.
- severity: INVENTORY
diff --git a/php/lang/security/injection/tainted-exec.php b/php/lang/security/injection/tainted-exec.php
new file mode 100644
index 0000000000..9f4c123250
--- /dev/null
+++ b/php/lang/security/injection/tainted-exec.php
@@ -0,0 +1,21 @@
+-
+ User input is passed to a function that executes a shell command. This can lead to remote code execution.
+ metadata:
+ cwe:
+ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+ category: security
+ technology:
+ - php
+ owasp:
+ - A03:2021 - Injection
+ references:
+ - https://owasp.org/Top10/A03_2021-Injection
+ subcategory:
+ - vuln
+ impact: HIGH
+ likelihood: MEDIUM
+ confidence: MEDIUM
+ mode: taint
+ pattern-sources:
+ - patterns:
+ - pattern-either:
+ - pattern: $_GET
+ - pattern: $_POST
+ - pattern: $_COOKIE
+ - pattern: $_REQUEST
+ - pattern: file_get_contents('php://input')
+ pattern-sanitizers:
+ - patterns:
+ - pattern-either:
+ - pattern: escapeshellcmd(...)
+ - pattern: escapeshellarg(...)
+ pattern-sinks:
+ - patterns:
+ - pattern-either:
+ - pattern: exec(...)
+ - pattern: system(...)
+ - pattern: passthru(...)
+ - patterns:
+ - pattern: proc_open(...)
+ - pattern-not: proc_open([...], ...)
+ - pattern: popen(...)
+ - pattern: expect_popen(...)
+ - pattern: shell_exec(...)
+ - pattern: |
+ `...`
+
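Review bot: The new `tainted-exec.php` fixture contains the tail of a Semgrep rule definition (`metadata:`, `mode: taint`, `pattern-sources`, `pattern-sinks`) rather than PHP source, so `semgrep test` will find no `// ruleid:` / `// ok:` annotations for this rule and the file is unlikely to parse as PHP; the hunk header also counts 21 added lines while more appear here, which may be a rendering artefact or a paste error. The rule text looks like it belongs in a sibling `.yaml`, and the `.php` file should instead hold a `<?php` fixture with an annotated positive such as `// ruleid: tainted-exec` over a call that passes a `$_GET` value to `exec(...)`, and an `// ok:` case that wraps the value in `escapeshellarg(...)`. Separately, listing `escapeshellcmd(...)` as a sanitizer alongside `escapeshellarg(...)` will suppress findings where user input becomes an argument rather than the whole command; `escapeshellcmd` neutralises shell metacharacters but does not prevent argument injection, so the sanitizer list may want narrowing or a comment recording that trade-off.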
diff --git a/python/lang/security/audit/conn_recv.py b/python/lang/security/audit/conn_recv.py
index 1a517ecde1..231dd4ffdd 100644
--- a/python/lang/security/audit/conn_recv.py
+++ b/python/lang/security/audit/conn_recv.py
@@ -12,5 +12,5 @@
output = {}
connection.send(output)
-# toodoruleid:multiprocessing.recv
+# todoruleid:multiprocessing.recv
rx = connection.recv()
diff --git a/python/lang/security/deserialization/pickle.py b/python/lang/security/deserialization/pickle.py
index 436f34b45b..5a1e8655ec 100644
--- a/python/lang/security/deserialization/pickle.py
+++ b/python/lang/security/deserialization/pickle.py
@@ -17,9 +17,6 @@ def serialize_exploit():
# Application insecurely deserializes the attacker's serialized data
def insecure_deserialization(exploit_code):
- # todok: avoid-pickle
- # _pickle.loads(exploit_code)
-
# ruleid: avoid-pickle
_pickle.loads(exploit_code)
diff --git a/scripts/run-tests b/scripts/run-tests
index 05fc9be54f..c17e5f18d1 100755
--- a/scripts/run-tests
+++ b/scripts/run-tests
@@ -45,7 +45,7 @@ fi
#
set_rule_folders() {
rule_folders=$(find . -mindepth 1 -maxdepth 1 -type d \
- | grep -v '^./\(\..*\|stats\|trusted_python\|fingerprints\|scripts\|libsonnet\|apex\|elixir\)/\?$' \
+ | grep -v '^./\(\..*\|stats\|trusted_python\|scripts\|libsonnet\|apex\|elixir\)/\?$' \
| sort)
if [[ -z "$rule_folders" ]]; then
error "Cannot find any rule folders to scan in $(pwd)"