
fix(naming-regressions): more updates to semgrep-rules (#3455)
* Close saf-1008: taint diff

* resolve saf-1015

* maybe contributes to saf-1016

* not deep only but alos floss

* move findings to be pro only

* With Brandon's fix: a lot of sym prop is not possible to do

* Add Iago note to java test

---------

Co-authored-by: Yosef Alsuhaibani <[email protected]>
yosefAlsuhaibani and Yosef Alsuhaibani authored Aug 27, 2024
1 parent 7e9aa19 commit e2df3ce
Showing 6 changed files with 32 additions and 4 deletions.
25 changes: 23 additions & 2 deletions java/lang/security/audit/xss/no-direct-response-writer.java
Expand Up @@ -16,6 +16,25 @@
* @created 2015
*/

/** From: Iago
Java/tainting:
This is a test that comes from the OWASP Benchmark v1.2.
Here DeepSemgrep doesn't report lines 56, 128, and 195.
But these are actually false positives! This benchmark tries
to confuse analyzers into reporting these false positives.
It does this in two ways, 1) by using a third-function
`doSomething` that receives tainted data, even though it
returns safe data; and 2) by putting both safe and unsafe
data into a `HashMap`, but ultimately only returning the
safe data. FOSS Semgrep falls into the first trap.
DeepSemgrep does inter-procedural analysis so it is only
affected by the second trap, but it seems to not fall
into it because we are lacking a `pattern-propagators` spec
for `HashMap`s. If we told DeepSemgrep that `HashMap`s
store/propagate taint, then it should report the same
false positives.
*/

package org.owasp.benchmark.testcode;

import java.io.IOException;
Expand Down Expand Up @@ -52,7 +71,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr

response.setHeader("X-XSS-Protection", "0");
Object[] obj = { "a", bar};
// ruleid: no-direct-response-writer
// NOTE: see comment at start of file
// ruleid: deepok: no-direct-response-writer
response.getWriter().printf(java.util.Locale.US,"Formatted like: %1$s and %2$s.",obj);
} // end doPost

Expand Down Expand Up @@ -191,7 +211,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", bar};
// ruleid: no-direct-response-writer
// NOTE: see comment at start of file
// ruleid: deepok: no-direct-response-writer
response.getWriter().printf(java.util.Locale.US, "Formatted like: %1$s and %2$s.", obj);
} // end doPost

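Review bot: The note added above the `package` declaration cites `lines 56, 128, and 195`, but this same commit inserts 19 lines ahead of them plus one extra `// NOTE` line before each annotated `printf`, so those numbers are stale the moment the file is saved; from the hunk headers (`-52,7 +71,8`, `-191,7 +211,8`) the two visible `printf` calls now sit at new lines 76 and 216, and the third presumably moves to about 148. Referring to the markers instead of line numbers would keep the note accurate through future edits, e.g. `Here DeepSemgrep doesn't report the three printf calls annotated deepok below.` The block is also opened as a Javadoc comment (`/**`) although it precedes `package` and documents no declaration, so a plain `/*` is the conventional opener. Both `doPost` methods in the second and third hunks start and end outside them.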
4 changes: 2 additions & 2 deletions java/spring/security/injection/tainted-system-command.java
Expand Up @@ -41,14 +41,14 @@ StringBuilder getResponseFromPingCommand(String ipAddress, boolean isValid) thro
if (isValid) {
Process process;
if (!isWindows) {
// proruleid: tainted-system-command
process =
// deepruleid: tainted-system-command
new ProcessBuilder(new String[] {"sh", "-c", "ping -c 2 " + ipAddress})
.redirectErrorStream(true)
.start();
} else {
// proruleid: tainted-system-command
process =
// deepruleid: tainted-system-command
new ProcessBuilder(new String[] {"cmd", "/c", "ping -n 2 " + ipAddress})
.redirectErrorStream(true)
.start();
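Review bot: The `// proruleid: tainted-system-command` marker in both branches now sits above `process =` rather than directly above `new ProcessBuilder(...)`, where the `deepruleid` marker it replaces was placed (the rendered view drops the +/- markers, so this reading follows the commit message's "pro only" intent). Semgrep test annotations bind to the next source line, so if the rule's match begins at the `ProcessBuilder` expression rather than at the assignment statement, the expected line is off by one and the test would report a missed finding; keeping the comment on the line immediately before `new ProcessBuilder(...)` avoids depending on where the match starts. `getResponseFromPingCommand` starts and ends outside the hunk.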
Expand Up @@ -25,10 +25,12 @@
bs = pycrypto_blowfish.block_size
# ruleid:insecure-cipher-algorithm-blowfish
cipher = pycrypto_blowfish.new(key, pycrypto_blowfish.MODE_CBC, iv)
# deepruleid:insecure-cipher-algorithm-blowfish
msg = iv + cipher.encrypt(plaintext + padding)
bs = pycryptodomex_blowfish.block_size
# ruleid:insecure-cipher-algorithm-blowfish
cipher = pycryptodomex_blowfish.new(key, pycryptodomex_blowfish.MODE_CBC, iv)
# deepruleid:insecure-cipher-algorithm-blowfish
msg = iv + cipher.encrypt(plaintext + padding)

key = b'Sixteen byte key'
2 changes: 2 additions & 0 deletions python/pycryptodome/security/insecure-cipher-algorithm-des.py
Expand Up @@ -23,11 +23,13 @@
ctr = Counter.new(pycrypto_des.block_size*8/2, prefix=nonce)
# ruleid:insecure-cipher-algorithm-des
cipher = pycrypto_des.new(key, pycrypto_des.MODE_CTR, counter=ctr)
# deepruleid:insecure-cipher-algorithm-des
msg = nonce + cipher.encrypt(plaintext)
nonce = Random.new().read(pycryptodomex_des.block_size/2)
ctr = Counter.new(pycryptodomex_des.block_size*8/2, prefix=nonce)
# ruleid:insecure-cipher-algorithm-des
cipher = pycryptodomex_des.new(key, pycryptodomex_des.MODE_CTR, counter=ctr)
# deepruleid:insecure-cipher-algorithm-des
msg = nonce + cipher.encrypt(plaintext)


2 changes: 2 additions & 0 deletions python/pycryptodome/security/insecure-cipher-algorithm-rc2.py
Expand Up @@ -19,9 +19,11 @@
iv = Random.new().read(pycrypto_arc2.block_size)
# ruleid:insecure-cipher-algorithm-rc2
cipher = pycrypto_arc2.new(key, pycrypto_arc2.MODE_CFB, iv)
# deepruleid:insecure-cipher-algorithm-rc2
msg = iv + cipher.encrypt(b'Attack at dawn')
# ruleid:insecure-cipher-algorithm-rc2
cipher = pycryptodomex_arc2.new(key, pycryptodomex_arc2.MODE_CFB, iv)
# deepruleid:insecure-cipher-algorithm-rc2
msg = iv + cipher.encrypt(b'Attack at dawn')

key = b'Sixteen byte key'
1 change: 1 addition & 0 deletions python/sqlalchemy/security/sqlalchemy-execute-raw-query.py
Expand Up @@ -198,6 +198,7 @@
# ok: sqlalchemy-execute-raw-query
engine = create_engine('postgresql://user@localhost/database')
query = select(literal_column("users.fullname", String) + ', ' + literal_column("addresses.email_address").label("title")).where(and_(literal_column("users.id") == literal_column("addresses.user_id"), text("users.name BETWEEN 'm' AND 'z'"), text("(addresses.email_address LIKE :x OR addresses.email_address LIKE :y)"))).select_from(table('users')).select_from(table('addresses'))
# deepruleid: sqlalchemy-execute-raw-query
conn.execute(query, {"x":"%@aol.com", "y":"%@msn.com"}).fetchall()


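Review bot: The new `# deepruleid: sqlalchemy-execute-raw-query` marks `conn.execute(query, {...})` as an expected pro-engine finding, yet the statement it annotates is assembled only from `literal_column`/`text` fragments holding constant strings and passes `:x`/`:y` as bound parameters, and the example is labelled `# ok:` a few lines above. Nothing in the fixture records whether this is a genuine finding or a known false positive being pinned, which is what the Java fixture in this same commit does with its `// NOTE: see comment at start of file`. A one-line comment next to the marker, e.g. `# NOTE: pro engine reports this even though :x/:y are bound params; recorded as an expected finding, not a real injection`, would keep the next maintainer from "fixing" the annotation away; if the `text(...)` fragments are the reason it fires, say so there.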
