Merge pull request #2953 from returntocorp/merge-develop-to-release

Merge Develop into Release
semgrep · Jun 13, 2023 · a5745ac · a5745ac
2 parents 08ca2f0 + d1a06b3
commit a5745ac
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 2 deletions.
diff --git a/c/lang/security/function-use-after-free.yaml b/c/lang/security/function-use-after-free.yaml
@@ -13,6 +13,8 @@ rules:
           free($VAR);
           ...
       - pattern-not-inside:
+          free($VAR);
+          ...
           $VAR = NULL;
           ...
       - pattern-not-inside:

diff --git a/java/android/security/exported_activity.AndroidManifest.xml b/java/android/security/exported_activity.AndroidManifest.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.Demo_web"
+        tools:targetApi="31">
+        <!-- ok: exported_activity -->
+        <activity
+            android:name=".cool"
+            android:exported="false">
+            <meta-data
+                android:name="android.app.lib_name"
+                android:value="" />
+        </activity>
+        <!-- ruleid: exported_activity -->
+        <activity
+            android:name=".MainActivity2">
+            <intent-filter>
+                <action android:name="android.intent.action.GET_CONTENT"/>
+            </intent-filter>
+            <meta-data
+                android:name="android.app.lib_name"
+                android:value="" />
+        </activity>
+        <!-- ruleid: exported_activity -->
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+
+            <meta-data
+                android:name="android.app.lib_name"
+                android:value="" />
+        </activity>
+    </application>
+
+</manifest>
diff --git a/java/android/security/exported_activity.yaml b/java/android/security/exported_activity.yaml
@@ -0,0 +1,41 @@
+rules:
+- id: exported_activity
+  patterns:
+  - pattern-not-inside: <activity ... android:exported="false" ... />
+  - pattern-inside: "<activity  ... /> \n"
+  - pattern-either:
+    - pattern: |
+        <activity ... android:exported="true" ... />
+    - pattern: |
+        <activity ... <intent-filter> ... />
+  message: Use of Exported Activity
+  languages:
+  - generic
+  severity: WARNING
+  paths:
+    exclude:
+    - sources/
+    - classes3.dex
+    - '*.so'
+    include:
+    - '*AndroidManifest.xml'
+  metadata:
+    vulnerability: Use of exported components
+    Description: >-
+      The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. 
+      Ensure that any exported activities do not have privileged access to your application's control plane.
+    Severity: HIGH
+    category: security
+    subcategory:
+    - vuln
+    cwe:
+    - 'CWE-926: Improper Export of Android Application Components'
+    confidence: MEDIUM
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp:
+    - A5:2021 Security Misconfiguration
+    technology:
+    - Android
+    references:
+    - https://cwe.mitre.org/data/definitions/926.html
diff --git a/ruby/rails/security/injection/tainted-sql-string.rb b/ruby/rails/security/injection/tainted-sql-string.rb
@@ -92,5 +92,12 @@ def ok_test5
     redirect_to "#{authenticator_domain}/application-name/landing?redirect_path=#{redirect_url}"
   end
 
+  def ok_test6
+    # ok:tainted-sql-string
+    user = User.where(user_id: params[:user_id])[0]
+    # ok:tainted-sql-string
+    user = User.where(params.slice(:user_id))[0]
+  end
 
 end
+
diff --git a/ruby/rails/security/injection/tainted-sql-string.yaml b/ruby/rails/security/injection/tainted-sql-string.yaml
@@ -38,8 +38,11 @@ rules:
     - pattern-either:
       - patterns:
         - pattern-either:
-          - pattern: |
-              $RECORD.where($X,...)
+          - patterns:
+            - pattern: |
+                $RECORD.where($X,...)
+            - pattern-not: |
+                $RECORD.where($PARAMS.slice(...), ...)
           - pattern: |
               $RECORD.find(..., :conditions => $X,...)
         - focus-metavariable: $X