diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml
new file mode 100644
index 00000000..d177ad24
--- /dev/null
+++ b/rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,80 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+ "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+ [CWE-319] Authentication Bypass by Primary Weakness
+ [REFERENCES]
+ - https://cwe.mitre.org/data/definitions/319.html
+ast-grep-essentials: true
+
+rule:
+ not:
+ has:
+ stopBy: end
+ kind: ERROR
+ any:
+ - kind: element
+ not:
+ has:
+ kind: erroneous_end_tag
+ has:
+ nthChild: 1
+ kind: start_tag
+ all:
+ - has:
+ nthChild: 1
+ kind: tag_name
+ regex: ^a$
+ - has:
+ kind: attribute
+ not:
+ has:
+ stopBy: end
+ kind: ERROR
+ all:
+ - has:
+ stopBy: end
+ kind: attribute_name
+ regex: ^href$
+ - has:
+ stopBy: end
+ kind: attribute_value
+ regex: ^([Hh][Tt][Tt][Pp]://)
+ - kind: start_tag
+ all:
+ - any:
+ - all:
+ - has:
+ nthChild: 1
+ kind: tag_name
+ regex: ^a$
+ - inside:
+ kind: element
+ has:
+ kind: erroneous_end_tag
+ - all:
+ - inside:
+ kind: element
+ has:
+ kind: erroneous_end_tag
+ has:
+ kind: erroneous_end_tag_name
+ regex: ^a$
+ - has:
+ kind: attribute
+ not:
+ has:
+ stopBy: end
+ kind: ERROR
+ all:
+ - has:
+ stopBy: end
+ kind: attribute_name
+ regex: ^href$
+ - has:
+ stopBy: end
+ kind: attribute_value
+ regex: ^([Hh][Tt][Tt][Pp]://)
+
\ No newline at end of file
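Review bot: The `note` labels CWE-319 as "Authentication Bypass by Primary Weakness", but CWE-319 is "Cleartext Transmission of Sensitive Information", which is the title the Java rule in this same commit uses; the line should read `[CWE-319] Cleartext Transmission of Sensitive Information`. Separately, the URL scheme is matched case-insensitively with `^([Hh][Tt][Tt][Pp]://)`, while the `tag_name`, `erroneous_end_tag_name` and `attribute_name` regexes are the case-sensitive `^a$` and `^href$`. HTML tag and attribute names are case-insensitive, so markup written as `<A HREF="http://...">` would probably not be reported; `regex: ^[Aa]$` and `regex: ^[Hh][Rr][Ee][Ff]$` would close that gap, ideally with an upper-case case added to the invalid tests.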
diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml
new file mode 100644
index 00000000..96c8c0bb
--- /dev/null
+++ b/rules/java/security/unencrypted-socket-java.yml
@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+ "Detected use of a Java socket that is not encrypted. As a result, the
+ traffic could be read by an attacker intercepting the network traffic. Use
+ an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+ instead."
+note: >-
+ [CWE-319] Cleartext Transmission of Sensitive Information
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+ any:
+ - pattern: new ServerSocket($$$)
+ - pattern: new Socket($$$)
+ not:
+ has:
+ stopBy: end
+ kind: ERROR
+
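Review bot: Both patterns name the class unqualified (`new Socket($$$)`, `new ServerSocket($$$)`), so a fully qualified construction such as `new java.net.Socket(host, port)` is most likely missed, because the type is parsed as a scoped identifier rather than a plain one. Consider adding `- pattern: new java.net.Socket($$$)` and `- pattern: new java.net.ServerSocket($$$)` under `any`, with matching entries in the invalid list of tests/java/unencrypted-socket-java-test.yml. It would also help to put a comment above `rule:` saying that the match is purely syntactic: a plain socket that is later wrapped by an `SSLSocketFactory` is still reported, which is presumably why the severity is `info`.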
diff --git a/tests/__snapshots__/plaintext-http-link-html-snapshot.yml b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
new file mode 100644
index 00000000..0acb1f49
--- /dev/null
+++ b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
@@ -0,0 +1,191 @@
+id: plaintext-http-link-html
+snapshots:
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 52
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 15
+ end: 19
+ - source: http://astgrep.dev
+ style: secondary
+ start: 21
+ end: 39
+ - source: href="http://astgrep.dev"
+ style: secondary
+ start: 15
+ end: 40
+ - source:
+ style: secondary
+ start: 0
+ end: 41
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 52
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 15
+ end: 19
+ - source: http://astgrep.dev
+ style: secondary
+ start: 21
+ end: 39
+ - source: href='http://astgrep.dev'
+ style: secondary
+ start: 15
+ end: 40
+ - source:
+ style: secondary
+ start: 0
+ end: 41
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 48
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 13
+ end: 17
+ - source: http://astgrep.dev
+ style: secondary
+ start: 18
+ end: 36
+ - source: href=http://astgrep.dev
+ style: secondary
+ start: 13
+ end: 36
+ - source:
+ style: secondary
+ start: 0
+ end: 37
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 40
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 3
+ end: 7
+ - source: HTTP://ASTGREP.DEV
+ style: secondary
+ start: 9
+ end: 27
+ - source: href="HTTP://ASTGREP.DEV"
+ style: secondary
+ start: 3
+ end: 28
+ - source:
+ style: secondary
+ start: 0
+ end: 29
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 40
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 3
+ end: 7
+ - source: http://astgrep.dev
+ style: secondary
+ start: 9
+ end: 27
+ - source: href="http://astgrep.dev"
+ style: secondary
+ start: 3
+ end: 28
+ - source:
+ style: secondary
+ start: 0
+ end: 29
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 40
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 3
+ end: 7
+ - source: http://astgrep.dev
+ style: secondary
+ start: 9
+ end: 27
+ - source: href='http://astgrep.dev'
+ style: secondary
+ start: 3
+ end: 28
+ - source:
+ style: secondary
+ start: 0
+ end: 29
+ ? |
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 38
+ - source: a
+ style: secondary
+ start: 1
+ end: 2
+ - source: href
+ style: secondary
+ start: 3
+ end: 7
+ - source: http://astgrep.dev
+ style: secondary
+ start: 8
+ end: 26
+ - source: href=http://astgrep.dev
+ style: secondary
+ start: 3
+ end: 26
+ - source:
+ style: secondary
+ start: 0
+ end: 27
diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
index 56d09ba6..e577adf6 100644
--- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml
+++ b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
@@ -27,3 +27,12 @@ snapshots:
style: primary
start: 28
end: 57
+ ? |
+ char *return_namespace_directly() {
+ return std::string("foo").c_str();
+ }
+ : labels:
+ - source: return std::string("foo").c_str();
+ style: primary
+ start: 38
+ end: 72
diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
new file mode 100644
index 00000000..e0becd2b
--- /dev/null
+++ b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
@@ -0,0 +1,58 @@
+id: unencrypted-socket-java
+snapshots:
+ ? |
+ ServerSocket ssoc = new ServerSocket(1234);
+ : labels:
+ - source: new ServerSocket(1234)
+ style: primary
+ start: 20
+ end: 42
+ ? |
+ ServerSocket ssoc1 = new ServerSocket();
+ : labels:
+ - source: new ServerSocket()
+ style: primary
+ start: 21
+ end: 39
+ ? |
+ ServerSocket ssoc2 = new ServerSocket(1234, 10);
+ : labels:
+ - source: new ServerSocket(1234, 10)
+ style: primary
+ start: 21
+ end: 47
+ ? |
+ ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
+ : labels:
+ - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address))
+ style: primary
+ start: 21
+ end: 82
+ ? |
+ Socket soc = new Socket("www.google.com", 80);
+ : labels:
+ - source: new Socket("www.google.com", 80)
+ style: primary
+ start: 13
+ end: 45
+ ? |
+ Socket soc1 = new Socket("www.google.com", 80, true);
+ : labels:
+ - source: new Socket("www.google.com", 80, true)
+ style: primary
+ start: 14
+ end: 52
+ ? |
+ Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+ : labels:
+ - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337)
+ style: primary
+ start: 14
+ end: 88
+ ? |
+ Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+ : labels:
+ - source: new Socket(InetAddress.getByAddress(remoteAddress), 80)
+ style: primary
+ start: 14
+ end: 69
diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml
new file mode 100644
index 00000000..dd6be12e
--- /dev/null
+++ b/tests/html/plaintext-http-link-html-test.yml
@@ -0,0 +1,23 @@
+id: plaintext-http-link-html
+valid:
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
+invalid:
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
+ - |
+ Astgrep
diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml
new file mode 100644
index 00000000..d023debf
--- /dev/null
+++ b/tests/java/unencrypted-socket-java-test.yml
@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+valid:
+ - |
+ Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
+ - |
+ ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234);
+invalid:
+ - |
+ Socket soc = new Socket("www.google.com", 80);
+ - |
+ Socket soc1 = new Socket("www.google.com", 80, true);
+ - |
+ Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+ - |
+ Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+ - |
+ ServerSocket ssoc = new ServerSocket(1234);
+ - |
+ ServerSocket ssoc1 = new ServerSocket();
+ - |
+ ServerSocket ssoc2 = new ServerSocket(1234, 10);
+ - |
+ ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));