wasm support (#315)

* wasm support * wasm support * wasm support * wasm support
ShiftLeftSecurity · May 7, 2021 · 3277e83 · 3277e83
1 parent bb0558b
commit 3277e83
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 6 deletions.
diff --git a/lib/pyt/vulnerability_definitions/all_sources_sinks.pyt b/lib/pyt/vulnerability_definitions/all_sources_sinks.pyt
@@ -373,7 +373,8 @@
             "rpc_sync(": {},
             "rpc_async(": {},
             "rpc.remote(": {},
-            "mp.Process(": {}
+            "mp.Process(": {},
+            "linker.instantiate(": {}
         },
         "RequestSend": {
             "urllib.request.urlretrieve(": {},
@@ -464,7 +465,8 @@
             "resp.headers[": {},
             "response.headers[": {},
             "req.response_header(": {},
-            "append_header(": {}
+            "append_header(": {},
+            "SimpleCookie(": {}
         },
         "SQL": {
             "cursor.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
@@ -600,7 +602,8 @@
             "yaml.load(": {},
             "pickle.Unpickler(": {},
             "marshal.load(": {},
-            "yaml.load_all(": {}
+            "yaml.load_all(": {},
+            "Module.from_file(": {}
         },
         "PrivateRef": {
             "objects.get(pk=": {}

diff --git a/lib/pyt/vulnerability_definitions/blackbox_mapping.json b/lib/pyt/vulnerability_definitions/blackbox_mapping.json
@@ -51,7 +51,15 @@
         "validate_arguments",
         "environ_property",
         "UserSerializer",
-        "UserDeserializer"
+        "UserDeserializer",
+        "int",
+        "float",
+        "double",
+        "pop",
+        "AES.new",
+        "aes.encrypt",
+        "Encryption.unpad",
+        "aes.decrypt"
     ],
     "propagates": [
         "os.path.join",
@@ -78,7 +86,12 @@
         "serializers.serialize",
         "json.loads",
         "urlparse.unquote",
-        "pickle.dumps"
+        "pickle.dumps",
+        "push",
+        "instance.exports",
+        "Instance",
+        "Module.from_file",
+        "linker.instantiate"
     ],
     "safe_decorators": [
         "user_must_be_authorized",

diff --git a/tools_config/credscan-config.toml b/tools_config/credscan-config.toml
@@ -174,7 +174,7 @@ title = "gitleaks config"
 
 [[rules]]
 	description = "Env Var"
-	regex = '''(?i)(apikey|secret|password|certificate_osx_p12|certificate_password|codacy_project_token|coveralls_api_token|coveralls_repo_token|coveralls_token|coverity_scan_token|cypress_record_key|database_password|db_password|deploy_password|deploy_token|digitalocean_access_token|docker_hub_password|docker_password|dockerhub_password|sonatype_password|firebase_api_token|firebase_token|firefox_secret|flask_secret_key|fossa_api_key|gcloud_service_key|gcr_password|gh_api_key|gh_next_oauth_client_secret|gh_next_unstable_oauth_client_secret|gh_oauth_client_secret|gpg_private_key|gpg_passphrase|gpg_secret_keys|heroku_api_key|okta_client_token|pypi_password|sonatype_nexus_password|travis_token|refresh_token|client_id|client_secret)(.*)?[:=](\s)?['\"][0-9a-zA-Z-_!$^%=]{10,120}['\"]'''
+	regex = '''(?i)(apikey|secret|password|certificate_osx_p12|certificate_password|codacy_project_token|coveralls_api_token|coveralls_repo_token|coveralls_token|coverity_scan_token|cypress_record_key|database_password|db_password|deploy_password|deploy_token|digitalocean_access_token|docker_hub_password|docker_password|dockerhub_password|sonatype_password|firebase_api_token|firebase_token|firefox_secret|flask_secret_key|fossa_api_key|gcloud_service_key|gcr_password|gh_api_key|gh_next_oauth_client_secret|gh_next_unstable_oauth_client_secret|gh_oauth_client_secret|gpg_private_key|gpg_passphrase|gpg_secret_keys|heroku_api_key|okta_client_token|pypi_password|sonatype_nexus_password|travis_token|refresh_token|client_id|client_secret)(.*)?[(:=](\s)?['\"][0-9a-zA-Z-_!$^%=]{10,120}['\")]'''
     tags = ["key", "env"]
     [[rules.entropies]]
         Min = "4.2"
@@ -183,6 +183,15 @@ title = "gitleaks config"
 		regexes = ['''(?i)(expect|assert|Component|Control|passwd|attrgetter|itemgetter|ifloordiv|imatmul|itruediv|yourpassword|foo|bar|serial|mpan|secret_key)''']
 		description = "ignore default"
 
+[[rules]]
+	description = "Static key"
+	regex = '''(?i)(cookieParser)(.*)?[(](\s)?['\"][0-9a-zA-Z-_!$^%=]{5,20}['\")]'''
+    tags = ["key", "sign"]
+    file = '''\.(js|ts)$'''
+    [rules.allowlist]
+		regexes = ['''(?i)(require|import|expect|assert|Component|Control|passwd|attrgetter|itemgetter|ifloordiv|imatmul|itruediv|yourpassword|foo|bar|serial|mpan|secret_key)''']
+		description = "ignore default"
+
 [[rules]]
 	description = "High Entropy"
 	regex = '''[0-9a-zA-Z-_!=]{10,120}'''
@@ -224,6 +233,12 @@ title = "gitleaks config"
 	file = '''\.ovpn$'''
 	tags = ["file", "openvpn"]
 
+[[rules]]
+	description = "Unknown Key"
+	regex = '''.'''
+	file = '''\.key$'''
+	tags = ["file", "key"]
+
 [[rules]]
 	description = "Keychain file"
 	regex = '''.'''