Add security rules for detecting plaintext HTTP links and unencrypted sockets

[ESS-ENN]

Summary by CodeRabbit

• New Features

  • Added security rule to detect plaintext HTTP links in HTML
  • Added security rule to detect unencrypted Java sockets
  • Introduced new test cases and snapshots for both security rules

• Tests

  • Added comprehensive test configurations for HTML link validation
  • Added test cases for secure socket connections in Java

[coderabbitai]

Walkthrough

This pull request introduces two new security-focused rules: one for detecting plaintext HTTP links in HTML and another for identifying unencrypted socket connections in Java. The changes include creating corresponding rule definitions, test configurations, and snapshot files to validate the new security checks. These additions aim to enhance code security by flagging potential vulnerabilities related to insecure network communications and link protocols.

Changes

File	Change Summary
rules/html/security/plaintext-http-link-html.yml	New rule to detect HTTP links in HTML, warning about potential security risks
rules/java/security/unencrypted-socket-java.yml	New rule to identify unencrypted Java socket connections
tests/__snapshots__/plaintext-http-link-html-snapshot.yml	Added snapshot for testing HTML link rendering variations
tests/__snapshots__/unencrypted-socket-java-snapshot.yml	New snapshot for unencrypted socket connection scenarios
tests/html/plaintext-http-link-html-test.yml	Test configuration for HTML link validation
tests/java/unencrypted-socket-java-test.yml	Test cases for Java socket connection security
tests/__snapshots__/return-c-str-cpp-snapshot.yml	Added a new method for testing C-style string returns

Sequence Diagram

sequenceDiagram
    participant Code as Source Code
    participant Rule as Security Rule
    participant Analyzer as Static Analysis Tool
    
    Code->>Analyzer: Submit code for analysis
    Analyzer->>Rule: Apply security checks
    alt Insecure HTTP Link
        Rule-->>Analyzer: Generate warning for HTTP link
    end
    alt Unencrypted Socket
        Rule-->>Analyzer: Generate info message about socket security
    end
    Analyzer->>Code: Report potential security issues

Loading

Possibly related PRs

• Add security rules for cookie settings and XML processing in YAML config #66: Rule for detecting insecure cookie settings
• Add security rules for cookie handling in Java applications #67: Identifying cookies without 'HttpOnly' flag
• Add Security Rules for Detecting RC2 and RC4 Cryptographic Algorithms #127: Security rules for cryptographic algorithms
• Add security rules for C++ and Go to prevent use-after-free and interface binding risks #130: Vulnerability prevention in C++ and Go applications

Suggested reviewers

• ganeshpatro321

Poem

🐰 Secure links hop, sockets encrypt tight,
No plaintext paths to give attackers might!
HTTP bows down to HTTPS's grace,
Our code now dances with security's embrace.
Safe travels, little packets, take flight! 🔒

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (8)

tests/html/plaintext-http-link-html-test.yml (1)

9-23: LGTM! Thorough coverage of invalid cases.

The invalid test cases comprehensively cover:

• Different quote styles (double, single, unquoted)
• Links with additional attributes
• Case sensitivity (HTTP vs http)

Fix trailing spaces in the file.

Remove trailing spaces from lines 12, 14, 16, 18, 20, and 22 to address the yamllint warnings.

🧰 Tools

🪛 yamllint (1.35.1)

[error] 12-12: trailing spaces

(trailing-spaces)

---

[error] 14-14: trailing spaces

(trailing-spaces)

---

[error] 16-16: trailing spaces

(trailing-spaces)

---

[error] 18-18: trailing spaces

(trailing-spaces)

---

[error] 20-20: trailing spaces

(trailing-spaces)

---

[error] 22-22: trailing spaces

(trailing-spaces)

rules/html/security/plaintext-http-link-html.yml (3)

1-10: Enhance rule metadata for better clarity and accuracy.

Consider the following improvements:

1. The message could better explain the security implications
2. CWE-319 is about cleartext transmission in general. Consider also referencing CWE-650 (Trusting HTTP Permission Methods) for HTML-specific context.

 message: >-
-  "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+  "This link uses an unencrypted HTTP URL, which could expose sensitive data during transmission. Use HTTPS to ensure secure communication."
 note: >-
   [CWE-319] Authentication Bypass by Primary Weakness
+  [CWE-650] Trusting HTTP Permission Methods
   [REFERENCES]
       -  https://cwe.mitre.org/data/definitions/319.html
+      -  https://cwe.mitre.org/data/definitions/650.html

---

44-44: Simplify and strengthen the HTTP URL pattern matching.

The current regex pattern ^([Hh][Tt][Tt][Pp]://) could be simplified and made more robust:

1. Use case-insensitive flag instead of character classes
2. Add validation for common HTTP URL patterns

-                      regex: ^([Hh][Tt][Tt][Pp]://)
+                      regex: ^(?i)(http://[^\s<>"']+)

Also applies to: 79-79

---

11-11: Fix YAML formatting issues.

The static analysis tool identified several formatting issues:

1. Trailing spaces on lines 11, 56, 61, 64, and 80
2. Inconsistent indentation on lines 31 and 66
3. Missing newline at end of file

-ast-grep-essentials: true      
+ast-grep-essentials: true
-                kind: attribute
+              kind: attribute
-                      kind: erroneous_end_tag   
+                      kind: erroneous_end_tag
-                      kind: erroneous_end_tag  
+                      kind: erroneous_end_tag
-                        regex: ^a$                                         
+                        regex: ^a$
-              kind: attribute
+            kind: attribute
-                    regex: ^([Hh][Tt][Tt][Pp]://)                          
+                    regex: ^([Hh][Tt][Tt][Pp]://)
+

Also applies to: 31-31, 56-56, 61-61, 64-64, 66-66, 80-80

🧰 Tools

🪛 yamllint (1.35.1)

[error] 11-11: trailing spaces

(trailing-spaces)

rules/java/security/unencrypted-socket-java.yml (1)

4-12: Enhance the security context in the message.

While the current message explains the risk and solution well, consider adding:

1. Examples of sensitive data that could be intercepted (passwords, tokens, etc.)
2. Specific attack vectors (man-in-the-middle attacks)
3. Additional secure alternatives (TLS configuration best practices)

tests/java/unencrypted-socket-java-test.yml (2)

2-6: Enhance SSL/TLS test coverage in valid cases.

Consider adding test cases for:

1. Explicit TLS version configuration
2. Custom SSLSocketFactory implementations
3. Socket upgrade scenarios (from plain to SSL)

---

7-23: Add more real-world invalid test scenarios.

Consider adding test cases for:

1. Socket reuse patterns
2. Connection pooling scenarios
3. Socket wrapper classes
4. Factory method patterns

tests/__snapshots__/unencrypted-socket-java-snapshot.yml (1)

1-58: LGTM! Comprehensive snapshot coverage.

The snapshots provide good coverage of various socket creation patterns with accurate label positioning.

Consider adding snapshots for:

1. Socket creation through factory methods
2. Custom socket wrapper classes
3. Connection pooling scenarios

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56e9aa5 and 69e9c17.

📒 Files selected for processing (7)

• rules/html/security/plaintext-http-link-html.yml (1 hunks)
• rules/java/security/unencrypted-socket-java.yml (1 hunks)
• tests/__snapshots__/plaintext-http-link-html-snapshot.yml (1 hunks)
• tests/__snapshots__/return-c-str-cpp-snapshot.yml (1 hunks)
• tests/__snapshots__/unencrypted-socket-java-snapshot.yml (1 hunks)
• tests/html/plaintext-http-link-html-test.yml (1 hunks)
• tests/java/unencrypted-socket-java-test.yml (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• tests/snapshots/plaintext-http-link-html-snapshot.yml

🧰 Additional context used

🪛 yamllint (1.35.1)

rules/html/security/plaintext-http-link-html.yml

[error] 11-11: trailing spaces

(trailing-spaces)

---

[warning] 31-31: wrong indentation: expected 14 but found 16

(indentation)

---

[error] 56-56: trailing spaces

(trailing-spaces)

---

[error] 61-61: trailing spaces

(trailing-spaces)

---

[error] 64-64: trailing spaces

(trailing-spaces)

---

[warning] 66-66: wrong indentation: expected 12 but found 14

(indentation)

---

[error] 80-80: no new line character at the end of file

(new-line-at-end-of-file)

---

[error] 80-80: trailing spaces

(trailing-spaces)

tests/html/plaintext-http-link-html-test.yml

[error] 12-12: trailing spaces

(trailing-spaces)

---

[error] 14-14: trailing spaces

(trailing-spaces)

---

[error] 16-16: trailing spaces

(trailing-spaces)

---

[error] 18-18: trailing spaces

(trailing-spaces)

---

[error] 20-20: trailing spaces

(trailing-spaces)

---

[error] 22-22: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)

tests/html/plaintext-http-link-html-test.yml (1)

2-8: LGTM! Comprehensive coverage of valid cases.

The valid test cases effectively cover HTTPS links, HTTP strings in paths, and JavaScript protocol usage.

rules/java/security/unencrypted-socket-java.yml (1)

15-22: Verify pattern coverage for socket creation.

The current patterns might miss some cases:

1. Socket creation through factory methods
2. Socket creation through reflection
3. Socket wrapper classes

Let's verify the coverage:

✅ Verification successful

Current socket creation patterns are sufficient ✅

The verification shows that the current patterns new Socket($$$) and new ServerSocket($$$) provide adequate coverage. No evidence was found of alternative socket creation patterns such as factory methods, reflection-based creation, or socket wrapper classes in the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for additional socket creation patterns that might need coverage
rg -l "Socket.*create|createSocket|getSocket" | grep -v "test|snapshot"

# Search for custom socket wrapper classes
ast-grep --pattern 'class $_ extends Socket { $$$ }'

Length of output: 220

---

Script:

#!/bin/bash
# Search for reflection-based socket creation and factory patterns
rg -l "Socket\.class|SocketFactory|SSLSocketFactory"

# Search for general Socket instantiation patterns
ast-grep --pattern 'new Socket($$$)'
ast-grep --pattern 'new ServerSocket($$$)'

# Search for SSL socket patterns
rg -l "javax\.net\.ssl"

Length of output: 636

tests/__snapshots__/return-c-str-cpp-snapshot.yml (1)

30-38: Verify the relevance of C++ snapshot changes.

This file appears to be unrelated to the socket security rule changes. Consider moving these changes to a separate PR focused on C++ string handling.

Let's check if there are related changes: