Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge Develop into Release #3510

Merged
merged 30 commits into from
Nov 4, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
b756568
Be consistent with using .fixed.test.yaml not .test.fixed.yaml (#3471)
Sep 18, 2024
6d1b466
PHP tainted exec (#3468)
Sjord Sep 19, 2024
7427b82
Upload dockerd socket mount detection rule and test file (#3360)
r0075h3ll Sep 19, 2024
be389ac
Switch to osemgrep test --experimental (from 3min to 21s) (#3472)
Sep 19, 2024
46fc340
remove fingerprints/fingerprints.yaml (#3474)
Sep 19, 2024
8ce8781
chore: Fix some wrong annotations (#3476)
Sep 23, 2024
de1405b
Run osemgrep test --pro on apex/ and elixir/ too (#3478)
Sep 23, 2024
959c893
Named metavariable bug was fixed (#3477)
mjambon Sep 25, 2024
81e40c5
Fix test annotation in conn_recv.py (#3479)
p4p3r Sep 25, 2024
ecba02c
run osemgrep validate --pro (#3481)
Sep 26, 2024
ed75fb1
Rule: OpenAI isConsequential flag set to false for state changing ope…
aabashkin Oct 5, 2024
6364d2b
Include GitHub discussions as user input source. (#3483)
bananabr Oct 7, 2024
ca45011
Exclude Slack webhook sample URL (#3482)
dbarlett Oct 7, 2024
5aa4f20
New Published Rules - semgrep.check-is-none-explicitly (#3480)
semgrep-dev-pr-bot[bot] Oct 7, 2024
0da2dce
todoruleid: -> proruleid: for solidity test (#3484)
Oct 7, 2024
b4eb008
go: reverseproxy-director and shared-url-struct-mutation (#3486)
alxjsn Oct 15, 2024
c865e0c
Add rules around Node.js crypto module (#3357)
Starkteetje Oct 15, 2024
153588f
add sanitizer and update message of dangerous subprocess rule (#3487)
0xDC0DE Oct 15, 2024
cd697bc
fix workflow condition being interpreted as a string (#3489)
0xDC0DE Oct 17, 2024
5583c92
Fix for osemgrep test --pro with DeepScan too (often deepruleid: -> d…
Oct 18, 2024
966d1ba
Revert "Fix for osemgrep test --pro with DeepScan too (often deeprule…
Oct 18, 2024
97bd5b0
Fix annots for osemgrep test --pro with DeepScan (#3492)
Oct 21, 2024
0bba56c
Remove scripts/run-test to simplify, call just osemgrep test (#3493)
Oct 22, 2024
aa55fb5
remove redundant rules for HTML templates (#3349)
inkz Oct 24, 2024
e91dd3f
Update stacktrace-disclosure rule and test (#3495)
p4p3r Oct 24, 2024
157ae47
Remove redundant rule python.lang.security.audit.ftplib (#3496)
p4p3r Oct 24, 2024
116b0bd
Delete python/lang/security/audit/ftplib.py
ajbt200128 Oct 29, 2024
2ad051c
Merge pull request #3504 from semgrep/austin/remove-ftplib-py
ajbt200128 Oct 29, 2024
178f46e
Fix openai-consequential-action-false metadata (#3509)
p4p3r Nov 4, 2024
73d6cde
Merge branch 'release' into merge-develop-to-release
p4p3r Nov 4, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .codemapignore
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
!libsonnet/
!scripts/
!stats/
# restore also fingerprints/ ? trusted_python/ ?

# do not skip the rules
![a-z]*/**/*.yaml
Expand Down
1 change: 0 additions & 1 deletion .github/workflows/semgrep-rule-lints.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -45,5 +45,4 @@ jobs:
--exclude *.test.yaml \
--exclude contrib/ \
--exclude stats/ \
--exclude fingerprints/ \
--exclude yaml/semgrep/
31 changes: 15 additions & 16 deletions .github/workflows/semgrep-rules-test-develop.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
# Running the tests in the repo using `semgrep test` (osemgrep) and
# the semgrep/semgrep:pro-develop docker image (the bleeding edge!).

name: semgrep-rules-test-develop
on:
pull_request:
Expand All @@ -9,26 +12,22 @@ on:
- develop
- release
jobs:
# Note: if you change this test there will likely need to be a
# corresponding change in returntocorp/semgrep
test-develop:
name: rules-test-develop
# alt: use directly the semgrep/semgrep:pro-develop container here so we
# don't need the calls to 'docker run ...' below
runs-on: ubuntu-20.04
# TODO: remove the with: path: below to simplify
steps:
- uses: actions/checkout@v2
with:
path: semgrep-rules
- name: delete stats directory
run: rm -rf semgrep-rules/stats
- name: delete fingerprints directory
run: rm -rf semgrep-rules/fingerprints
- name: delete rules requiring Semgrep Pro
run: rm -rf semgrep-rules/apex semgrep-rules/elixir
- name: validate rules
run: |
export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
make -C "$GITHUB_WORKSPACE"/semgrep-rules validate
- name: test with semgrep develop branch
run: |
export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
make -C "$GITHUB_WORKSPACE"/semgrep-rules test-only
# alt: call 'make validate' but would require 'make' in the docker image
# alt: export SEMGREP="docker run --rm -w ... semgrep"
# make -C "$GITHUB_WORKSPACE"/semgrep-rules validate
#TODO: this actually currently fails because of errors in stats/ but GHA
# still continue, weird
- name: run osemgrep validate --pro
run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep validate --pro .
- name: run osemgrep test --pro
run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep test --pro .
2 changes: 0 additions & 2 deletions .github/workflows/semgrep-rules-test-historical.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,6 @@ jobs:
run: pip3 install semgrep
- name: delete stats directory
run: rm -rf semgrep-rules/stats
- name: delete fingerprints directory
run: rm -rf semgrep-rules/fingerprints
- name: delete rules requiring Semgrep Pro
run: rm -rf semgrep-rules/apex semgrep-rules/elixir
# TODO: remove this in the future, there was a regression in semgrep that
Expand Down
14 changes: 4 additions & 10 deletions .github/workflows/semgrep-rules-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,19 +17,13 @@ jobs:
- uses: actions/setup-python@v2
with:
python-version: 3.9.2
- name: install semgrep
- name: install semgrep via pip
run: pip3 install semgrep
- name: remove stats directory
run: rm -rf stats
- name: remove fingerprints from testing
run: rm -rf fingerprints
- name: remove .github from testing
run: rm -rf .github
- name: remove pre-commit-config.yaml
run: rm -f .pre-commit-config.yaml
- name: remove rules requiring Semgrep Pro
run: rm -rf apex elixir
- name: validate rules
run: semgrep --validate --config .
- name: run semgrep
run: semgrep --test --test-ignore-todo
run: semgrep validate .
- name: run semgrep test
run: semgrep test .
6 changes: 2 additions & 4 deletions .github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
env:
HEAD_REF: ${{ github.head_ref }}
run: |
CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|contrib|fingerprints|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
echo "changed_files=$CHANGED_FILES" >> $GITHUB_ENV
- id: print-changed-files
name: debugging step - print changed files
Expand Down Expand Up @@ -52,8 +52,6 @@ jobs:
HEAD_REF: ${{ github.head_ref }}
REPO_NAME: ${{ github.event.repository.name }}
PR_HEAD_SHA: ${{github.event.pull_request.head.sha}}
if: |
github.event_name == 'pull_request' &&
env.changed_lang_count > 0
if: github.event_name == 'pull_request' && env.changed_lang_count > 0
run: |
curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/initiate-scan-argo -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"branch\" : \"$HEAD_REF\", \"repo\" : \"$REPO_NAME\", \"commit\" : \"$PR_HEAD_SHA\", \"changed_files\" : \"$CHANGED_FILES\" , \"langs\" : \"$CHANGED_LANGS\"}"
58 changes: 53 additions & 5 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,17 +1,65 @@
#
# Check rule validity and check that semgrep finds the expected findings.
# See https://semgrep.dev/docs/writing-rules/testing-rules for more info.
#
# The semgrep repo also runs this as part of its CI for consistency.
# The semgrep repo (and now semgrep-pro repo) also runs those tests as part
# of its CI for consistency.
#
.PHONY: test
test:
$(MAKE) validate
$(MAKE) test-only

.PHONY: validate
validate:
./scripts/run-tests validate
# Use the SEMGREP env variable to specify a non-standard semgrep command
SEMGREP ?= semgrep

.PHONY: test-only
#old: pysemgrep --test was also using flags below but not needed
# --test-ignore-todo --strict --disable-version-check --metrics=off --verbose
test-only:
./scripts/run-tests test
$(SEMGREP) test --pro .

# TODO: semgrep validate use a different targeting than 'semgrep test'
# so we unfortunately need this whitelist of dirs because it reports
# errors on stats/ and scripts/ (and .github/workflows/) files otherwise
# (we also skip libsonnet/ and trusted_python/ which do not contain rules)
LANG_DIRS=\
bash \
c \
clojure \
csharp \
dockerfile \
generic \
go \
html \
java \
javascript \
json \
kotlin \
ocaml \
php \
python \
ruby \
rust \
scala \
solidity \
swift \
terraform \
typescript \
yaml
PRO_DIRS=apex elixir
OTHER_DIRS=ai problem-based-packs
DIRS=$(LANG_DIRS) $(PRO_DIRS) $(OTHER_DIRS)

.PHONY: validate
#old: pysemgrep --validate was also using the flags below but not needed
# --strict --disable-version-check --metrics=off --verbose
validate:
$(SEMGREP) validate --pro $(DIRS)

.PHONY: test-oss-only
test-oss-only:
@for dir in $(LANG_DIRS) $(OTHER_DIRS); do \
echo "processing $$dir"; \
$(SEMGREP) test $$dir; \
done
26 changes: 13 additions & 13 deletions csharp/dotnet/security/use_ecb_mode.cs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ public class Encryption
{
public void EncryptWithAesEcb() {
Aes key = Aes.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var encryptor = key.CreateEncryptor();
byte[] msg = new byte[32];
Expand All @@ -15,27 +15,27 @@ public void EncryptWithAesEcb() {
public void EncryptWithAesEcb2() {
Aes key = Aes.Create();
byte[] msg = new byte[32];
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
}

public void DecryptWithAesEcb(byte[] cipherText) {
Aes key = Aes.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var decryptor = key.CreateDecryptor();
var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
}

public void DecryptWithAesEcb2(byte[] cipherText) {
Aes key = Aes.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
}

public void EncryptWith3DESEcb() {
TripleDES key = TripleDES.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var encryptor = key.CreateEncryptor();
byte[] msg = new byte[32];
Expand All @@ -45,26 +45,26 @@ public void EncryptWith3DESEcb() {
public void EncryptWith3DESEcb2() {
TripleDES key = TripleDES.Create();
byte[] msg = new byte[32];
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
}

public void DecryptWith3DESEcb(byte[] cipherText) {
TripleDES key = TripleDES.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var decryptor = key.CreateDecryptor();
var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
}

public void DecryptWith3DESEcb2(byte[] cipherText) {
TripleDES key = TripleDES.Create();
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
}

public void EncryptWithEcb(SymmetricAlgorithm key) {
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var encryptor = key.CreateEncryptor();
byte[] msg = new byte[32];
Expand All @@ -73,19 +73,19 @@ public void EncryptWithEcb(SymmetricAlgorithm key) {

public void EncryptWithEcb2(SymmetricAlgorithm key) {
byte[] msg = new byte[32];
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
}

public void DecryptWithEcb(SymmetricAlgorithm key, byte[] cipherText) {
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
key.Mode = CipherMode.ECB;
using var decryptor = key.CreateDecryptor();
var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
}

public void DecryptWithEcb2(SymmetricAlgorithm key, byte[] cipherText) {
//ruleid: use_ecb_mode
//ruleid: deeptodoruleid: use_ecb_mode
var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
}

Expand Down Expand Up @@ -124,4 +124,4 @@ public static void Main()
{
Console.WriteLine("Hello World");
}
}
}
2 changes: 1 addition & 1 deletion csharp/dotnet/security/use_weak_rng_for_keygeneration.cs
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ public void GenerateBadKey() {
byte[] key = new byte[16];
rng.NextBytes(key);
SymmetricAlgorithm cipher = Aes.Create();
// ruleid: use_weak_rng_for_keygeneration
// ruleid: deeptodoruleid: use_weak_rng_for_keygeneration
cipher.Key = key;
}

Expand Down
7 changes: 7 additions & 0 deletions csharp/lang/security/stacktrace-disclosure.cs
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,10 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
app.UseExceptionHandler("/Error");
}
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
// ok: stacktrace-disclosure
app.UseDeveloperExceptionPage();
}
2 changes: 0 additions & 2 deletions csharp/lang/security/stacktrace-disclosure.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ rules:
- pattern: $APP.UseDeveloperExceptionPage(...);
- pattern-not-inside: |
if ($ENV.IsDevelopment(...)) {
...
$APP.UseDeveloperExceptionPage(...);
...
}
message: >-
Expand Down
11 changes: 11 additions & 0 deletions dockerfile/security/dockerd-socket-mount.dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
FROM docker:latest

WORKDIR /app

# ruleid: dockerfile-dockerd-socket-mount
VOLUME /var/run/docker.sock:/var/run/docker.sock

# ok: dockerfile-dockerd-socket-mount
VOLUME ./app/main.py:/main.py

CMD ["docker", "images"]
36 changes: 36 additions & 0 deletions dockerfile/security/dockerd-socket-mount.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
rules:
- id: dockerfile-dockerd-socket-mount
message: >-
The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container
to escape container and execute arbitrary commands on the host machine.
languages:
- dockerfile
- yaml
severity: ERROR
metadata:
cwe:
- "CWE-862: Missing Authorization"
- "CWE-269: Improper Privilege Management"
confidence: HIGH
likelihood: MEDIUM
impact: HIGH
subcategory:
- audit
technology:
- dockerfile
category: security
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
- https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/
- https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html
pattern-either:
- patterns:
- pattern: VOLUME $X
- metavariable-regex:
metavariable: $X
regex: "/var/run/docker.sock"
- patterns:
- pattern-regex: '- "/var/run/docker.sock:.*"'
- pattern-inside: |
volumes:
...
3 changes: 1 addition & 2 deletions dockerfile/security/missing-user-entrypoint.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,5 @@ RUN pip3 install semgrep
# ruleid: missing-user-entrypoint
ENTRYPOINT semgrep -f p/xss

# TODO: metavar bug
# ok: missing-user-entrypoint
# ruleid: missing-user-entrypoint
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
4 changes: 2 additions & 2 deletions dockerfile/security/missing-user-entrypoint.fixed.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@ RUN pip3 install semgrep
USER non-root
ENTRYPOINT semgrep -f p/xss

# TODO: metavar bug
# ok: missing-user-entrypoint
# ruleid: missing-user-entrypoint
USER non-root
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
3 changes: 1 addition & 2 deletions dockerfile/security/missing-user.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,5 @@ CMD semgrep -f p/xss
# ruleid: missing-user
CMD semgrep --config localfile targets

# TODO: metavar ellipses bug
# ok: missing-user
# ruleid: missing-user
CMD ["semgrep", "--version"]
4 changes: 2 additions & 2 deletions dockerfile/security/missing-user.fixed.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,6 @@ CMD semgrep -f p/xss
USER non-root
CMD semgrep --config localfile targets

# TODO: metavar ellipses bug
# ok: missing-user
# ruleid: missing-user
USER non-root
CMD ["semgrep", "--version"]
Loading
Loading