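--- a/rules/html/security/plaintext-http-link-html.yml
+++ b/rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,80 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+"This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+[CWE-319] Authentication Bypass by Primary Weakness
+[REFERENCES]
+- https://cwe.mitre.org/data/definitions/319.html
+ast-grep-essentials: true
+
+rule:
+not:
+has:
+stopBy: end
+kind: ERROR
+any:
+- kind: element
+not:
+has:
+kind: erroneous_end_tag
+has:
+nthChild: 1
+kind: start_tag
+all:
+- has:
+nthChild: 1
+kind: tag_name
+regex: ^a$
+- has:
+kind: attribute
+not:
+has:
+stopBy: end
+kind: ERROR
+all:
+- has:
+stopBy: end
+kind: attribute_name
+regex: ^href$
+- has:
+stopBy: end
+kind: attribute_value
+regex: ^([Hh][Tt][Tt][Pp]://)
+- kind: start_tag
+all:
+- any:
+- all:
+- has:
+nthChild: 1
+kind: tag_name
+regex: ^a$
+- inside:
+kind: element
+has:
+kind: erroneous_end_tag
+- all:
+- inside:
+kind: element
+has:
+kind: erroneous_end_tag
+has:
+kind: erroneous_end_tag_name
+regex: ^a$
+- has:
+kind: attribute
+not:
+has:
+stopBy: end
+kind: ERROR
+all:
+- has:
+stopBy: end
+kind: attribute_name
+regex: ^href$
+- has:
+stopBy: end
+kind: attribute_value
+regex: ^([Hh][Tt][Tt][Pp]://)
+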
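Review bot: The `note` titles CWE-319 as "Authentication Bypass by Primary Weakness", which is the name of a different weakness; CWE-319 is "Cleartext Transmission of Sensitive Information", the title the Java rule in this same commit uses, so the line should read `[CWE-319] Cleartext Transmission of Sensitive Information`. In both branches the matchers are case-sensitive and anchored (`^a$`, `^href$`, `^([Hh][Tt][Tt][Pp]://)`), so `<A HREF=...>` and, as far as the grammar keeps it inside `attribute_value`, an href value with leading whitespace would go unreported although browsers treat them as the same link. Consider `^[Aa]$`, `^[Hh][Rr][Ee][Ff]$` and `^\s*[Hh][Tt][Tt][Pp]://`. The `message` text is also wrapped in double quotes under `>-`, which makes the quotes part of the reported message.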
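--- a/rules/java/security/unencrypted-socket-java.yml
+++ b/rules/java/security/unencrypted-socket-java.yml
@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+"Detected use of a Java socket that is not encrypted. As a result, the
+traffic could be read by an attacker intercepting the network traffic. Use
+an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+instead."
+note: >-
+[CWE-319] Cleartext Transmission of Sensitive Information
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+any:
+- pattern: new ServerSocket($$$)
+- pattern: new Socket($$$)
+not:
+has:
+stopBy: end
+kind: ERROR
+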
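Review bot: The two patterns `new ServerSocket($$$)` and `new Socket($$$)` match on the simple class name only, so a fully qualified `new java.net.Socket(...)` is probably missed while any unrelated project class that happens to be named `Socket` is reported. The snapshot cases in this commit only cover the unqualified form; adding `- pattern: new java.net.Socket($$$)` and `- pattern: new java.net.ServerSocket($$$)` to the `any` list, with matching test cases, would close that gap. The rule also cannot distinguish a plain socket that is later layered with TLS (for example one handed to `SSLSocketFactory.createSocket`) from one that carries cleartext, and the `note` should say so to help triage of these `info` findings.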
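--- a/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
+++ b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
@@ -0,0 +1,191 @@
+id: plaintext-http-link-html
+snapshots:
+? |
+<a class="foo" href="http://astgrep.dev">Astgrep</a>
+: labels:
+- source: <a class="foo" href="http://astgrep.dev">Astgrep</a>
+style: primary
+start: 0
+end: 52
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 15
+end: 19
+- source: http://astgrep.dev
+style: secondary
+start: 21
+end: 39
+- source: href="http://astgrep.dev"
+style: secondary
+start: 15
+end: 40
+- source: <a class="foo" href="http://astgrep.dev">
+style: secondary
+start: 0
+end: 41
+? |
+<a class='foo' href='http://astgrep.dev'>Astgrep</a>
+: labels:
+- source: <a class='foo' href='http://astgrep.dev'>Astgrep</a>
+style: primary
+start: 0
+end: 52
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 15
+end: 19
+- source: http://astgrep.dev
+style: secondary
+start: 21
+end: 39
+- source: href='http://astgrep.dev'
+style: secondary
+start: 15
+end: 40
+- source: <a class='foo' href='http://astgrep.dev'>
+style: secondary
+start: 0
+end: 41
+? |
+<a class=foo href=http://astgrep.dev>Astgrep</a>
+: labels:
+- source: <a class=foo href=http://astgrep.dev>Astgrep</a>
+style: primary
+start: 0
+end: 48
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 13
+end: 17
+- source: http://astgrep.dev
+style: secondary
+start: 18
+end: 36
+- source: href=http://astgrep.dev
+style: secondary
+start: 13
+end: 36
+- source: <a class=foo href=http://astgrep.dev>
+style: secondary
+start: 0
+end: 37
+? |
+<a href="HTTP://ASTGREP.DEV">Astgrep</a>
+: labels:
+- source: <a href="HTTP://ASTGREP.DEV">Astgrep</a>
+style: primary
+start: 0
+end: 40
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 3
+end: 7
+- source: HTTP://ASTGREP.DEV
+style: secondary
+start: 9
+end: 27
+- source: href="HTTP://ASTGREP.DEV"
+style: secondary
+start: 3
+end: 28
+- source: <a href="HTTP://ASTGREP.DEV">
+style: secondary
+start: 0
+end: 29
+? |
+<a href="http://astgrep.dev">Astgrep</a>
+: labels:
+- source: <a href="http://astgrep.dev">Astgrep</a>
+style: primary
+start: 0
+end: 40
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 3
+end: 7
+- source: http://astgrep.dev
+style: secondary
+start: 9
+end: 27
+- source: href="http://astgrep.dev"
+style: secondary
+start: 3
+end: 28
+- source: <a href="http://astgrep.dev">
+style: secondary
+start: 0
+end: 29
+? |
+<a href='http://astgrep.dev'>Astgrep</a>
+: labels:
+- source: <a href='http://astgrep.dev'>Astgrep</a>
+style: primary
+start: 0
+end: 40
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 3
+end: 7
+- source: http://astgrep.dev
+style: secondary
+start: 9
+end: 27
+- source: href='http://astgrep.dev'
+style: secondary
+start: 3
+end: 28
+- source: <a href='http://astgrep.dev'>
+style: secondary
+start: 0
+end: 29
+? |
+<a href=http://astgrep.dev>Astgrep</a>
+: labels:
+- source: <a href=http://astgrep.dev>Astgrep</a>
+style: primary
+start: 0
+end: 38
+- source: a
+style: secondary
+start: 1
+end: 2
+- source: href
+style: secondary
+start: 3
+end: 7
+- source: http://astgrep.dev
+style: secondary
+start: 8
+end: 26
+- source: href=http://astgrep.dev
+style: secondary
+start: 3
+end: 26
+- source: <a href=http://astgrep.dev>
+style: secondary
+start: 0
+end: 27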
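--- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml
+++ b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
@@ -27,3 +27,12 @@ snapshots:
 style: primary
 start: 28
 end: 57
+? |
+char *return_namespace_directly() {
+return std::string("foo").c_str();
+}
+: labels:
+- source: return std::string("foo").c_str();
+style: primary
+start: 38
+end: 72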
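--- a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
+++ b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
@@ -0,0 +1,58 @@
+id: unencrypted-socket-java
+snapshots:
+? |
+ServerSocket ssoc = new ServerSocket(1234);
+: labels:
+- source: new ServerSocket(1234)
+style: primary
+start: 20
+end: 42
+? |
+ServerSocket ssoc1 = new ServerSocket();
+: labels:
+- source: new ServerSocket()
+style: primary
+start: 21
+end: 39
+? |
+ServerSocket ssoc2 = new ServerSocket(1234, 10);
+: labels:
+- source: new ServerSocket(1234, 10)
+style: primary
+start: 21
+end: 47
+? |
+ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
+: labels:
+- source: new ServerSocket(1234, 10, InetAddress.getByAddress(address))
+style: primary
+start: 21
+end: 82
+? |
+Socket soc = new Socket("www.google.com", 80);
+: labels:
+- source: new Socket("www.google.com", 80)
+style: primary
+start: 13
+end: 45
+? |
+Socket soc1 = new Socket("www.google.com", 80, true);
+: labels:
+- source: new Socket("www.google.com", 80, true)
+style: primary
+start: 14
+end: 52
+? |
+Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+: labels:
+- source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337)
+style: primary
+start: 14
+end: 88
+? |
+Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+: labels:
+- source: new Socket(InetAddress.getByAddress(remoteAddress), 80)
+style: primary
+start: 14
+end: 69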
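--- a/tests/html/plaintext-http-link-html-test.yml
+++ b/tests/html/plaintext-http-link-html-test.yml
@@ -0,0 +1,23 @@
+id: plaintext-http-link-html
+valid:
+- |
+<a href="https://astgrep.dev">Astgrep</a>
+- |
+<a href="https://astgrep.dev/http://">Astgrep</a>
+- |
+<a href="javascript:alert(1)">Astgrep</a>
+invalid:
+- |
+<a href="http://astgrep.dev">Astgrep</a>
+- |
+<a href='http://astgrep.dev'>Astgrep</a>
+- |
+<a href=http://astgrep.dev>Astgrep</a>
+- |
+<a class="foo" href="http://astgrep.dev">Astgrep</a>
+- |
+<a class='foo' href='http://astgrep.dev'>Astgrep</a>
+- |
+<a class=foo href=http://astgrep.dev>Astgrep</a>
+- |
+<a href="HTTP://ASTGREP.DEV">Astgrep</a>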
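Review bot: Every `invalid` case is a well-formed `<a …>…</a>` element, so the rule's second alternative (the `start_tag` branch that requires an `erroneous_end_tag`) is never exercised; the snapshots in this commit accordingly all carry a whole-element primary label. Add an `invalid` case with a mismatched closing tag, for instance the constructed sample `<a href="http://astgrep.dev">Astgrep</b>` if the grammar reports that as `erroneous_end_tag`, and regenerate the snapshot so a regression in that branch is caught. It would also help to pin the intended behaviour for `<A HREF="http://astgrep.dev">` and for an href value with leading whitespace, whichever list the maintainers decide they belong in.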