-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add static analysis rules for C++ and Rust security checks (#128)
* removed missing-secure-java * sizeof-this-cpp * tokio-postgres-empty-password-rust * tokio-postgres-hardcoded-password-rust --------- Co-authored-by: Sakshis <[email protected]>
- Loading branch information
Showing
10 changed files
with
761 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| id: sizeof-this-cpp | ||
| language: cpp | ||
| severity: warning | ||
| message: >- | ||
| Do not use `sizeof(this)` to get the number of bytes of the object in | ||
| memory. It returns the size of the pointer, not the size of the object. | ||
| note: >- | ||
| [CWE-467]: Use of sizeof() on a Pointer Type | ||
| [REFERENCES] | ||
| - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array | ||
| utils: | ||
| match_sizeof_this: | ||
| kind: sizeof_expression | ||
| has: | ||
| kind: parenthesized_expression | ||
| has: | ||
| kind: this | ||
| regex: "^this$" | ||
| inside: | ||
| stopBy: end | ||
| kind: return_statement | ||
| inside: | ||
| kind: compound_statement | ||
| follows: | ||
| kind: function_declarator | ||
| inside: | ||
| kind: function_definition | ||
|
|
||
| rule: | ||
| kind: sizeof_expression | ||
| all: | ||
| - has: | ||
| stopBy: end | ||
| kind: this | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| any: | ||
| - nthChild: 2 | ||
| - kind: pointer_expression | ||
| - kind: ERROR | ||
| - kind: sizeof_expression | ||
|
|
||
|
|
248 changes: 248 additions & 0 deletions
248
rules/rust/security/tokio-postgres-empty-password-rust.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,248 @@ | ||
| id: tokio-postgres-empty-password-rust | ||
| language: rust | ||
| severity: warning | ||
| message: >- | ||
| The application uses an empty credential. This can lead to unauthorized | ||
| access by either an internal or external malicious actor. It is | ||
| recommended to rotate the secret and retrieve them from a secure secret | ||
| vault or Hardware Security Module (HSM), alternatively environment | ||
| variables can be used if allowed by your company policy. | ||
| note: >- | ||
| [CWE-287] Improper Authentication. | ||
| [REFERENCES] | ||
| - https://docs.rs/tokio-postgres/latest/tokio_postgres/ | ||
| - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures | ||
| utils: | ||
| MATCH_FOLLOW_1: | ||
| follows: | ||
| stopBy: end | ||
| any: | ||
| - kind: let_declaration | ||
| all: | ||
| - has: | ||
| kind: identifier | ||
| pattern: $CONFIG | ||
| - has: | ||
| kind: call_expression | ||
| regex: ^tokio_postgres::Config::new\(\)$ | ||
| - kind: let_declaration | ||
| all: | ||
| - has: | ||
| kind: identifier | ||
| pattern: $CONFIG | ||
| - has: | ||
| kind: call_expression | ||
| regex: ^Config::new\(\)$ | ||
| any: | ||
| - follows: | ||
| stopBy: end | ||
| kind: use_declaration | ||
| has: | ||
| stopBy: end | ||
| kind: scoped_identifier | ||
| regex: ^tokio_postgres::Config$ | ||
| - inside: | ||
| stopBy: end | ||
| follows: | ||
| stopBy: end | ||
| kind: use_declaration | ||
| has: | ||
| stopBy: end | ||
| kind: scoped_identifier | ||
| regex: ^tokio_postgres::Config$ | ||
|
|
||
|
|
||
| rule: | ||
| kind: call_expression | ||
| not: | ||
| has: | ||
| stopBy: end | ||
| kind: ERROR | ||
| any: | ||
| # CONFIG IS DIRECT AND PWD IS DIRECT | ||
| - all: | ||
| - has: | ||
| stopBy: end | ||
| kind: scoped_identifier | ||
| regex: ^tokio_postgres::Config::new()$ | ||
| - has: | ||
| kind: field_expression | ||
| regex: \.password$ | ||
| nthChild: 1 | ||
| - has: | ||
| kind: arguments | ||
| nthChild: 2 | ||
| has: | ||
| stopBy: end | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
| nthChild: 1 | ||
| all: | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| nthChild: 2 | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| any: | ||
| - kind: block | ||
| - kind: array_expression | ||
| # CONFIG IS DIRECT AND PWD IS INSTANCE | ||
| - all: | ||
| - has: | ||
| stopBy: end | ||
| kind: scoped_identifier | ||
| regex: ^tokio_postgres::Config::new()$ | ||
| - has: | ||
| kind: field_expression | ||
| regex: \.password$ | ||
| nthChild: 1 | ||
| - has: | ||
| kind: arguments | ||
| nthChild: 2 | ||
| has: | ||
| stopBy: end | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| inside: | ||
| stopBy: end | ||
| follows: | ||
| stopBy: end | ||
| any: | ||
| - kind: let_declaration | ||
| has: | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| precedes: | ||
| stopBy: end | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
| - kind: expression_statement | ||
| has: | ||
| kind: assignment_expression | ||
| has: | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| precedes: | ||
| stopBy: end | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
|
|
||
| nthChild: 1 | ||
| all: | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| nthChild: 2 | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| any: | ||
| - kind: block | ||
| - kind: array_expression | ||
| # CONFIG IS INSTANCE AND PWD IS DIRECT | ||
| - all: | ||
| - has: | ||
| stopBy: end | ||
| kind: identifier | ||
| pattern: $CONFIG | ||
| any: | ||
| - inside: | ||
| stopBy: end | ||
| matches: MATCH_FOLLOW_1 | ||
| - has: | ||
| kind: field_expression | ||
| regex: \.password$ | ||
| nthChild: 1 | ||
| - has: | ||
| kind: arguments | ||
| nthChild: 2 | ||
| has: | ||
| stopBy: end | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
| nthChild: 1 | ||
| all: | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| nthChild: 2 | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| any: | ||
| - kind: block | ||
| - kind: array_expression | ||
| # CONFIG IS INSTANCE AND PWD IS INSTANCE | ||
| - all: | ||
| - has: | ||
| stopBy: end | ||
| kind: identifier | ||
| pattern: $CONFIG | ||
| any: | ||
| - inside: | ||
| stopBy: end | ||
| matches: MATCH_FOLLOW_1 | ||
| - has: | ||
| kind: field_expression | ||
| regex: \.password$ | ||
| nthChild: 1 | ||
| - has: | ||
| kind: arguments | ||
| nthChild: 2 | ||
| has: | ||
| stopBy: end | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| nthChild: 1 | ||
| inside: | ||
| stopBy: end | ||
| follows: | ||
| stopBy: end | ||
| any: | ||
| - kind: let_declaration | ||
| all: | ||
| - has: | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| - has: | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
| - kind: expression_statement | ||
| has: | ||
| kind: assignment_expression | ||
| all: | ||
| - has: | ||
| kind: identifier | ||
| pattern: $PASSWORD | ||
| - has: | ||
| kind: string_literal | ||
| not: | ||
| has: | ||
| kind: string_content | ||
|
|
||
| all: | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| nthChild: 2 | ||
| - not: | ||
| has: | ||
| stopBy: end | ||
| any: | ||
| - kind: block | ||
| - kind: array_expression | ||
|
|
Oops, something went wrong.