Merge pull request #3204 from semgrep/merge-develop-to-release

Merge Develop into Release

generic/secrets/security/detected-sonarqube-docs-api-key.yaml

@@ -5,6 +5,19 @@ rules:
   languages: [regex]
   message: SonarQube Docs API Key detected
   severity: ERROR
+  paths:
+    exclude:
+      - "*.svg"
+      - "*go.sum"
+      - "*cargo.lock"
+      - "*package.json"
+      - "*yarn.lock"
+      - "*package-lock.json"
+      - "*bundle.js"
+      - "*pnpm-lock*"
+      - "*Podfile.lock"
+      - "*/openssl/*.h"
+      - "*.xcscmblueprint"
   metadata:
     cwe:
     - 'CWE-798: Use of Hard-coded Credentials'

java/spring/security/injection/tainted-system-command.yaml

@@ -8,6 +8,8 @@ rules:
   - pattern: (StringBuilder $STRB).append($INPUT)
     from: $INPUT
     to: $STRB
+    label: CONCAT
+    requires: INPUT
   pattern-sources:
   - patterns:
     - pattern-either:
@@ -31,7 +33,6 @@ rules:
     - pattern-either:
       - pattern: $X + $SOURCE
       - pattern: $SOURCE + $Y
-      - pattern: (StringBuilder $STRB).append($SOURCE)
       - pattern: String.format("...", ..., $SOURCE, ...)
       - pattern: String.join("...", ..., $SOURCE, ...)
       - pattern: (String $STR).concat($SOURCE)

javascript/jsonwebtoken/security/jwt-hardcode.yaml

@@ -43,8 +43,13 @@ rules:
             $VALUE = '$Y' 
             ...
         - pattern: $VALUE
-      - pattern-inside: $JWT.sign($VALUE, '$Y',...)
-      - pattern-inside: $JWT.verify($VALUE, '$Y',...)
+      - patterns:
+        - pattern-either:
+          - pattern-inside: $JWT.sign($VALUE, $Y,...)
+          - pattern-inside: $JWT.verify($VALUE, $Y,...)
+        - focus-metavariable: $Y
+        - pattern: >
+            '...'
       - patterns:
         - pattern-inside: |
             $SECRET = "$Y"

php/lang/security/tainted-exec.php

@@ -0,0 +1,38 @@
+<?php
+
+$username = $_COOKIE['username'];
+//ruleid: tainted-exec
+exec("wto -n \"$username\" -g", $ret);
+
+
+$fullpath = $_POST['fullpath'];
+//ok: tainted-exec
+$filesize = trim(shell_exec('stat -c %s ' . escapeshellarg($fullpath)));
+
+
+$jobName = $_REQUEST['jobName'];
+$cmd = sprintf("rsyncmd -l \"$xmlPath\" -r %s >/dev/null", $jobName);
+//ruleid: tainted-exec
+system($cmd);
+
+
+$errorCode = escapeshellarg($_POST['errorCode']);
+$func = escapeshellarg($_POST['func']);
+$uuid = str_replace(PHP_EOL, '', file_get_contents("/proc/sys/kernel/random/uuid"));
+$logsCmd = sprintf('%s%s%s',
+  "wdlog -l INFO -s 'adminUI' -m 'firmware_upload_page' function:string=$func ",
+  "status:string='updateFail' errorCode:string=$errorCode ",
+  "corid:string='AUI:$uuid' >/dev/null 2>&1"
+);
+//ok: tainted-exec
+exec($logsCmd);
+
+
+$arg = $_POST['arg'];
+$cmd = "logwdweb --post_migration_onboarding -%s %s";
+$cmd_logwdweb = "logwdweb --post_migration_onboarding --page %s %s";
+$_arg = sprintf("--status %s", $arg);
+$cmd = sprintf($cmd_logwdweb, "raidRoaming", $_arg);
+//ruleid: tainted-exec
+pclose(popen($cmd, 'r'));
+?>

php/lang/security/tainted-exec.yaml

@@ -0,0 +1,41 @@
+rules:
+- id: tainted-exec
+  mode: taint
+  pattern-sources:
+  - pattern: $_REQUEST
+  - pattern: $_GET
+  - pattern: $_POST
+  - pattern: $_COOKIE
+  pattern-sinks:
+  - pattern: exec(...)
+  - pattern: system(...)
+  - pattern: popen(...)
+  - pattern: passthru(...)
+  - pattern: shell_exec(...)
+  - pattern: pcntl_exec(...)
+  - pattern: proc_open(...)
+  pattern-sanitizers:
+  - pattern: escapeshellarg(...)
+  message: >-
+    Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command.
+  metadata:
+    cwe:
+    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    references:
+    - https://www.stackhawk.com/blog/php-command-injection/
+    - https://brightsec.com/blog/code-injection-php/
+    - https://www.acunetix.com/websitesecurity/php-security-2/
+    category: security
+    technology:
+    - php
+    owasp:
+    - A03:2021 - Injection
+    cwe2022-top25: true
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: HIGH
+    confidence: MEDIUM
+  languages: [php]
+  severity: ERROR
+

terraform/aws/security/insecure-load-balancer-tls-version.tf

@@ -206,3 +206,17 @@ resource "aws_alb_listener" "tls_fs_1_1" {
     target_group_arn = var.aws_lb_target_group_arn
   }
 }
+
+resource "aws_alb_listener" "tls_1_3" {
+  load_balancer_arn = var.aws_lb_arn
+  protocol          = "TLS"
+  port              = "8080"
+  # ok: insecure-load-balancer-tls-version
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-068"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = var.aws_lb_target_group_arn
+  }
+}

terraform/aws/security/insecure-load-balancer-tls-version.yaml

@@ -4,9 +4,9 @@ rules:
   - pattern-either:
     - patterns:
       - pattern: ssl_policy = $ANYTHING
-      - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
-      - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
-      - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08"
+      # See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
+      - pattern-not-regex: "ELBSecurityPolicy-TLS13-1-[23]-[0-9-]+"
+      - pattern-not-regex: "ELBSecurityPolicy-FS-1-2-[(Res)0-9-]+"
     - patterns:
       - pattern: protocol = "HTTP"
       - pattern-not-inside: |
@@ -39,7 +39,7 @@ rules:
     Detected an AWS load balancer with an insecure TLS version.
     TLS versions less than 1.2 are considered insecure because they
     can be broken. To fix this, set your `ssl_policy` to
-    `"ELBSecurityPolicy-FS-1-2-Res-2019-08"`, or include a default action
+    `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a default action
     to redirect to HTTPS.
   metadata:
     category: security