-
Notifications
You must be signed in to change notification settings - Fork 115
Sample Rule
The following rule sample demonstrates the DevSkim rule format.
The rule detects unsafe content being generated as an output in PHP, such as form input variables that are displayed on the web page without proper HTML encoding. For example, echo($_POST["name"])
is considered unsafe because the user-controlled variable name
can contain malicious HTML/JavaScript content. Such content can be abused in Cross-Site Scripting Attacks (XSS).
Notice that the rule conditions prevent it from being triggered when a variable is properly encoded. For example, echo(htmlentities($_POST["name"]))
is considered safe, because the function htmlentities
will safely escape all HTML content in the variable.
The rule contains fix-it records, such as using the htmlentities
function to properly encode the variable before displaying it on the web page.
This is a sample custom rule file containing a single rule object.
[
{
"name": "XSS: Do not echo unencoded GET/POST/COOKIE values",
"id": "DS163877",
"description": "When using $_GET/POST/COOKIE values via echo, failure to encode the values will lead to Cross Site Scription (XSS), where a malicious party can inject script into the webpage.",
"recommendation": "HTML Entity Encode (for content going into HTML) or URL Encode (for content going into JavaScript variables) the data",
"applies_to": [
"php"
],
"tags": [
"Implementation.PHP"
],
"severity": "moderate",
"_comment": "",
"rule_info": "DS163877.md",
"patterns": [
{
"pattern": "\\becho.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*;",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"conditions" : [
{
"pattern" :
{
"pattern": "\\b(htmlentities|htmlspecialchars|rawurlencode|urlencode)\\s*\\(.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
"search_in":"finding-only",
"negate_finding": true,
"_comment": ""
}
],
"fix_its": [
{
"name": "HTML Entity encode the data",
"type": "RegexReplace",
"_comment": "",
"replacement": "htmlentities($1)",
"pattern": {
"pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "URL encode the data",
"type": "RegexReplace",
"_comment": "",
"replacement": "rawurlencode($1)",
"pattern": {
"pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
]
This list describes the purpose of the each of the top level fields in the sample rule above.
A short string representing a name for the rule
A semi-unique string that serves as an identifier for the rule. Can be used to search the default ruleset to identify the definition of a rule: https://github.com/microsoft/DevSkim/tree/main/rules/default. Also used to tie rules with DevSkim guidance files located at https://github.com/microsoft/DevSkim/tree/main/guidance.
A longer description of the purpose of the rule
A user facing recommendation for actions that may help to fix issues identified by the rule
A list of language names which the rule should apply to. If empty, the rule will apply to all languages
A list of tags/categories the rule falls into
An enum representing the seriousness of the issue detected
A field used for rule authors to add comments to the rule file
The name of the guidance markdown file in the DevSkim repository (if any) related to the rule
A list of patterns defining when the rule should apply
A list of conditions on the patterns to restrict when the rule will apply
A list of potential fixes that can be applied by DevSkim to fix the issue identified by the rule