Merge pull request #2963 from returntocorp/merge-develop-to-release

Merge Develop into Release

csharp/lang/correctness/double/double-epsilon-equality.yaml

@@ -5,7 +5,7 @@ rules:
         $V1 - $V2
     - pattern-either:
       - pattern-inside: |
-          ... <= Double.Epsilon;
+          ... <= Double.Epsilon
       - pattern-inside: | 
           Double.Epsilon <= ...
     - pattern-not-inside: |

csharp/lang/security/regular-expression-dos/regular-expression-dos.yaml

@@ -32,14 +32,14 @@ rules:
         {
           Regex $Y = new Regex($P);
           ...
-          $Y.Match($X)
+          $Y.Match($X);
         }
     - pattern: |
         public $T $F($X)
         {
           Regex $Y = new Regex($P, $O);
           ...
-          $Y.Match($X)
+          $Y.Match($X);
         }
     - pattern: |
         public $T $F($X)

csharp/lang/security/sqli/csharp-sqli.yaml

@@ -61,7 +61,7 @@ rules:
       $S.$PATTERN = "..." + "...";
   - pattern-not-inside: |
       ...
-      $S.Parameters
+      <... $S.Parameters ...>;
   message: >-
     Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the
     SQL statement are not properly sanitized.

csharp/lang/security/ssrf/http-client.yaml

@@ -34,7 +34,7 @@ rules:
         ...
         HttpClient $Y = new HttpClient();
         ...
-        ... $Y.GetAsync(<... $X ...>, ...)
+        ... $Y.GetAsync(<... $X ...>, ...);
         }
     - pattern: |
         $T $F(..., $X, ...)
@@ -44,15 +44,15 @@ rules:
         ...
         HttpClient $Y = new HttpClient();
         ...
-        ... $Y.GetAsync($B, ...)
+        ... $Y.GetAsync($B, ...);
         }
     - pattern: |
         $T $F(..., $X, ...)
         {
         ...
         HttpClient $Y = new HttpClient();
         ...
-        ... $Y.GetStringAsync(<... $X ...>)
+        ... $Y.GetStringAsync(<... $X ...>);
         }
     - pattern: |
         $T $F(..., $X, ...)
@@ -62,5 +62,5 @@ rules:
         ...
         HttpClient $Y = new HttpClient();
         ...
-        ... $Y.GetStringAsync($B)
+        ... $Y.GetStringAsync($B);
         }

csharp/lang/security/ssrf/rest-client.yaml

@@ -32,13 +32,13 @@ rules:
         $T $F(..., $X, ...)
         {
         ...
-        ... new RestClient(<... $X ...>)
+        ... new RestClient(<... $X ...>);
         }
     - pattern: |
         $T $F(..., $X, ...)
         {
         ...
         $A $B = <... $X ...>;
         ...
-        ... new RestClient($B)
+        ... new RestClient($B);
         }

csharp/lang/security/ssrf/web-client.yaml

@@ -34,7 +34,7 @@ rules:
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.OpenRead(<... $X ...>)
+        ... $Y.OpenRead(<... $X ...>);
         }
     - pattern: |
         $T $F(..., $X, ...)
@@ -44,15 +44,15 @@ rules:
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.OpenRead($B)
+        ... $Y.OpenRead($B);
         }
     - pattern: |
         $T $F(..., $X, ...)
         {
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.OpenReadAsync(<... $X ...>, ...)
+        ... $Y.OpenReadAsync(<... $X ...>, ...);
         }
     - pattern: |
         $T $F(..., $X, ...)
@@ -62,15 +62,15 @@ rules:
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.OpenReadAsync($B, ...)
+        ... $Y.OpenReadAsync($B, ...);
         }
     - pattern: |
         $T $F(..., $X, ...)
         {
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.DownloadString(<... $X ...>)
+        ... $Y.DownloadString(<... $X ...>);
         }
     - pattern: |
         $T $F(..., $X, ...)
@@ -80,5 +80,5 @@ rules:
         ...
         WebClient $Y = new WebClient();
         ...
-        ... $Y.DownloadString($B)
+        ... $Y.DownloadString($B);
         }

generic/secrets/security/detected-artifactory-password.txt

@@ -7,6 +7,18 @@ AP2xxxxxxxxxx
 # ruleid: detected-artifactory-password
 artifactoryx:_password=AP6xxxxxxxxxx
 
+# ok: detected-artifactory-password
+integrity sha512-AP1AyUTbi2szylgr+O0OB7gkIxEGzySLITZ2GpsaoX72YMCGI2jYAc+WUhPfvUnZYiauF4zTnN4V4TGuvFjJlw==
+
+# ok: detected-artifactory-password
+integrity_hash_css: "sha256-AP1AyUTbi2szylgr+hmNHrzRCf9tD/miZyoHS5obTRR9BMY="
+
+# ok: detected-artifactory-password
+ImageID: "SHA256:AP1AyUTbi2szylgr266fcae00707e67a2545ef34f9a29354585f93dac906749"
+
+# ok: detected-artifactory-password
+ - hasql-1.6.0.1@sha256:AP1AyUTbi2szylgr+422a3bb776a12d5cf2bb83303778f343106f9a1cc2b4fcdf73,6628
+
 # ruleid: detected-artifactory-password
 artifactoryx_password:AP6xxxxxxxxxx
 
@@ -16,6 +28,7 @@ X-JFrog-Art-Api: $PASSWORD
 # ok: detected-artifactory-password
 go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 
+
 # ok: detected-artifactory-password
 JSoKCQoCB0ASA38IKAoKCgMHQAISA3oHIwoKCgMHQAQSA38IEAoKCgMHQAUSA38RFwoKCgM
 HQAESA38YHwoKCgMHQAMSA38iJwoKCgIHQRIEgAEIKQoKCgMHQQISA3oHIwoLCgMHQQQSBI

generic/secrets/security/detected-artifactory-password.yaml

@@ -1,44 +1,54 @@
 rules:
-- id: detected-artifactory-password
-  options:
-    generic_engine: aliengrep
-  patterns:
-    - pattern: $ITEM
-    - metavariable-regex:
-        metavariable: $ITEM
-        regex: \bAP[\dABCDEF][a-zA-Z0-9]{8,}
-    - metavariable-pattern:
-        metavariable: $ITEM
-        language: regex
-        patterns:
-          - pattern-not-regex: |
-              sha(128|256|512).*
-    - pattern-not-inside: |
-        -BEGIN ...-
-        -END ...-
-    - metavariable-analysis:
-        analyzer: entropy
-        metavariable: $ITEM
-  languages:
-    - generic
-  message: Artifactory token detected
-  severity: ERROR
-  metadata:
-    cwe:
-    - 'CWE-798: Use of Hard-coded Credentials'
-    source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py
-    category: security
-    technology:
-    - secrets
-    - artifactory
-    confidence: LOW
-    owasp:
-    - A07:2021 - Identification and Authentication Failures
-    references:
-    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
-    cwe2022-top25: true
-    cwe2021-top25: true
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: HIGH
+  - id: detected-artifactory-password
+    options:
+      generic_engine: aliengrep
+      generic_multiline: false
+      generic_caseless: true
+    patterns:
+      - pattern: $ITEM
+      - metavariable-regex:
+          metavariable: $ITEM
+          regex: \bAP[\dABCDEF][a-zA-Z0-9]{8,}
+      - pattern-not-inside: |
+          sha1...
+      - pattern-not-inside: |
+          sha2...
+      - pattern-not-inside: |
+          sha3...
+      - pattern-not-inside: |
+          sha118...
+      - pattern-not-inside: |
+          sha256...
+      - pattern-not-inside: |
+          sha512...
+      - pattern-not-inside: |
+          -BEGIN ...-
+          ...
+          -END ...-
+      - metavariable-analysis:
+          analyzer: entropy
+          metavariable: $ITEM
+    languages:
+      - generic
+    message: Artifactory token detected
+    severity: ERROR
+    metadata:
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py
+      category: security
+      technology:
+        - secrets
+        - artifactory
+      confidence: LOW
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: HIGH
+      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

java/lang/security/audit/formatted-sql-string.yaml

@@ -26,6 +26,9 @@ rules:
     likelihood: HIGH
     impact: MEDIUM
     confidence: MEDIUM
+  options:
+    taint_assume_safe_numbers: true
+    taint_assume_safe_booleans: true
   message: >-
     Detected a formatted string in a SQL statement. This could lead to SQL
     injection if variables in the SQL statement are not properly sanitized.
@@ -81,10 +84,6 @@ rules:
   pattern-sanitizers:
   - patterns:
     - pattern: (CriteriaBuilder $CB).$ANY(...)
-  - patterns:
-    - pattern-either:
-      - pattern: $X != $Y
-      - pattern: $X == $Y
   severity: ERROR
   languages:
   - java

java/lang/security/audit/sqli/tainted-sql-from-http-request.yaml

@@ -30,6 +30,9 @@ rules:
     - spring
   languages: [java]
   mode: taint
+  options:
+    taint_assume_safe_numbers: true
+    taint_assume_safe_booleans: true
   pattern-sources:
   - patterns:
     - pattern-either:
@@ -69,7 +72,4 @@ rules:
             regex: (?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)
         - metavariable-regex:
             metavariable: $SQLCMD
-            regex: (execute|query|executeUpdate)
-  pattern-sanitizers:
-  - pattern: (int $X)
-  - pattern: (boolean $X)
+            regex: (execute|query|executeUpdate)

java/spring/security/audit/spring-sqli.yaml

@@ -13,8 +13,6 @@ rules:
       - focus-metavariable: $A
       - pattern-inside: |
           new $TYPE(...,$A,...);
-    - pattern: (boolean $X)
-    - pattern: (int $X)
   pattern-sinks:
   - patterns:
     - pattern-either:
@@ -46,6 +44,9 @@ rules:
     can obtain a PreparedStatement using 'connection.prepareStatement'.
   languages: [java]
   severity: WARNING
+  options:
+    taint_assume_safe_numbers: true
+    taint_assume_safe_booleans: true
   metadata:
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"

java/spring/security/injection/tainted-sql-string.java

@@ -141,3 +141,69 @@ ResultSet ok6(@RequestBody String name) {
         return rs;
     }
 }
+
+class Bar {
+  int x;
+
+  public int getX() {
+    return x;
+  }
+}
+
+class Foo {
+  List<Bar> bars;
+
+  public List<Bar> getBars(String name) {
+    return bars;
+  }
+}
+
+class Test {
+  @RequestMapping(value = "/testok6", method = RequestMethod.POST, produces = "plain/text")
+  public ResultSet ok7(@RequestBody String name, Foo foo) {
+        var v = foo.getBars(name).get(0).getX();
+        String sql = "SELECT * FROM table WHERE name = ";
+        // ok in pro engine
+        // ruleid: tainted-sql-string
+        sql += v + ";";
+        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password");
+        Statement stmt = conn.createStatement();
+        ResultSet rs = stmt.execute(sql);
+        return rs;
+  }
+}
+
+@Getter
+@Setter
+public class SiteModel {
+	private List<PrefixSiteIds> prefixes;
+    public List<PrefixSiteIds> getPrefixes(String name) {
+        return prefixes;
+    }
+}
+
+@Getter
+@Setter
+public class PrefixSiteIds {
+
+	public SiteIds sites;
+}
+@Getter
+@Setter
+public class SiteIds {
+	public Set<Integer> ids = new HashSet<>();
+}
+
+class Test2 {
+  @RequestMapping(value = "/testok8", method = RequestMethod.POST, produces = "plain/text")
+  public ResultSet ok8(@RequestBody String name, SiteModel sitemodel) {
+        var v = sitemodel.getPrefixes(name).sites.ids.get(0);
+        String sql = "SELECT * FROM table WHERE name = ";
+        // ok in pro-engine
+        // ruleid: tainted-sql-string
+        sql += v + ";";
+        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password");
+        Statement stmt = conn.createStatement();
+        ResultSet rs = stmt.execute(sql);
+        return rs;
+}