forked from snowflakedb/snowflake-ingest-java
.semgrep.yml
425 lines (425 loc) · 18.2 KB
rules:
  - id: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion
    metadata:
      cwe: 'CWE-704: Incorrect Type Conversion or Cast'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION
    message: |
      This mistake weakens the hash value computed since it introduces more collisions.
      In this situation, the method Integer.toHexString() should be replaced with String.format().
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#bad-hexa-conversion
    severity: WARNING
    languages: [java]
    pattern: |-
      $X $METHOD(...) {
        ...
        MessageDigest $MD = ...;
        ...
        $MD.digest(...);
        ...
        Integer.toHexString(...);
      }
  - id: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle
    message: |
      Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor
      could discern the difference between plaintext with valid or invalid padding. Further,
      CBC mode does not include any integrity checks (https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY).
      Use 'AES/GCM/NoPadding' instead.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#cbc-padding-oracle
    metadata:
      cwe: 'CWE-696: Incorrect Behavior Order'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE
      references:
        - https://capec.mitre.org/data/definitions/463.html
    severity: WARNING
    patterns:
      - pattern: $CIPHER.getInstance("=~/.*\/CBC\/PKCS5Padding/");
    fix: $CIPHER.getInstance("AES/GCM/NoPadding");
    languages:
      - java
  - id: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call
    patterns:
      - pattern-either:
          - pattern: $RUNTIME.exec($X + $Y);
          - pattern: $RUNTIME.exec(String.format(...));
          - pattern: $RUNTIME.loadLibrary($X + $Y);
          - pattern: $RUNTIME.loadLibrary(String.format(...));
    message: |
      A formatted or concatenated string was detected as input to a java.lang.Runtime call.
      This is dangerous if a variable is controlled by user input and could result in a
      command injection. Ensure your variables are not controlled by users or sufficiently sanitized.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#command-injection-formatted-runtime-call
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      owasp: 'A1: Injection'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION
    severity: WARNING
    languages:
      - java
  - id: java.lang.security.audit.script-engine-injection.script-engine-injection
    message: |
      Potential code injection when using Script Engine.
      Ensure that untrusted data is not being passed to this function or otherwise ensure that proper sandboxing is being performed.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#script-engine-injection
    metadata:
      cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp: 'A1: Injection'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-either:
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE;
                ...
              }
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE = ...;
                ...
              }
          - pattern-inside: |
              $X $METHOD(...) {
                ...
                ScriptEngine $SE = ...;
                ...
              }
      - pattern: |
          $X $METHOD(...) {
            ...
            $SE.eval(...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $SE.eval("...");
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $SE.eval($S);
            ...
          }
  - id: java.lang.security.audit.weak-ssl-context.weak-ssl-context
    metadata:
      cwe: 'CWE-326: Inadequate Encryption Strength'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
      references:
        - https://tools.ietf.org/html/rfc7568
        - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
    message: |
      An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions
      are considered weak encryption and are deprecated.
      Use SSLContext.getInstance("TLSv1.2") or SSLContext.getInstance("TLSv1.3") for the best security.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#weak-ssl-context
    severity: WARNING
    languages: [java]
    patterns:
      # The JSSE protocol names are "TLSv1.3" and "TLSv1.2" (as the message says);
      # excluding them here keeps the rule from flagging the recommended calls.
      - pattern-not: SSLContext.getInstance("TLSv1.3")
      - pattern-not: SSLContext.getInstance("TLSv1.2")
      - pattern: SSLContext.getInstance("...")
  - id: java.lang.security.audit.xml-decoder.xml-decoder
    message: |
      XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution.
      Ensure that only trusted data is being parsed using XMLDecoder.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#xml-decoder
    metadata:
      cwe: 'CWE-611: Improper Restriction of XML External Entity Reference'
      owasp: 'A4: XML External Entities (XXE)'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
    severity: WARNING
    languages: [java]
    patterns:
      - pattern: |
          $X $METHOD(...) {
            ...
            new XMLDecoder(...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            new XMLDecoder("...");
            ...
          }
      - pattern-not: |-
          $X $METHOD(...) {
            ...
            String $STR = "...";
            ...
            new XMLDecoder($STR);
            ...
          }
  - id: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure
    metadata:
      owasp: 'A7: Cross-Site Scripting (XSS)'
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER
    message: |
      It looks like you're using an implementation of XSSRequestWrapper from dzone.
      (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html)
      The XSS filtering in this code is not secure and can be bypassed by malicious actors.
      It is recommended to use a stack that automatically escapes in your view or templates
      instead of filtering yourself.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#xssrequestwrapper-is-insecure
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: |
              class XSSRequestWrapper extends HttpServletRequestWrapper {
                ...
              }
          - pattern: |-
              $P = $X.compile("</script>", $X.CASE_INSENSITIVE);
              $V = $P.matcher(...).replaceAll("");
    languages:
      - java
  - id: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly
    metadata:
      cwe: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
    message: |
      A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag
      for cookies instructs the browser to forbid client-side scripts from reading the
      cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#cookie-missing-httponly
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-not-inside: $COOKIE.setValue(""); ...
      - pattern-either:
          - pattern: $COOKIE.setHttpOnly(false);
          - patterns:
              - pattern-not-inside: $COOKIE.setHttpOnly(...); ...
              - pattern: $RESPONSE.addCookie($COOKIE);
  - id: java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite
    metadata:
      cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)'
      owasp: 'A6: Security Misconfiguration'
      references:
        - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
    message: |
      Detected cookie without the SameSite attribute.
      Set the SameSite attribute on the cookie.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#cookie-missing-samesite
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(..., HttpServletResponse $RESP, ...) {
            ...
            $RESP.setHeader("Set-Cookie", "=~/.*SameSite=.*/");
            ...
          }
      - pattern-either:
          - pattern: $RESP.addCookie(...);
          - pattern: $RESP.setHeader("Set-Cookie", ...);
  - id: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag
    metadata:
      cwe: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE
    message: |
      A cookie was detected without setting the 'secure' flag. The 'secure' flag
      for cookies prevents the client from transmitting the cookie over insecure
      channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#cookie-missing-secure-flag
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-not-inside: $COOKIE.setValue(""); ...
      - pattern-either:
          - pattern: (Cookie $COOKIE).setSecure(false);
          - patterns:
              - pattern-not-inside: (Cookie $COOKIE).setSecure(...); ...
              - pattern: $RESPONSE.addCookie($COOKIE);
  - id: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector
    message: |
      Initialization Vectors (IVs) for block ciphers should be randomly generated
      each time they are used. Using a static IV means the same plaintext
      encrypts to the same ciphertext every time, weakening the strength
      of the encryption.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#no-static-initialization-vector
    metadata:
      cwe: 'CWE-329: Not Using a Random IV with CBC Mode'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#STATIC_IV
      references:
        - https://cwe.mitre.org/data/definitions/329.html
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-either:
          - pattern: |
              byte[] $IV = {
                ...
              };
              ...
              new IvParameterSpec($IV, ...);
          - pattern: |
              class $CLASS {
                byte[] $IV = {
                  ...
                };
                ...
                $METHOD(...) {
                  ...
                  new IvParameterSpec($IV, ...);
                  ...
                }
              }
  - id: java.lang.security.audit.crypto.weak-hash.use-of-sha1
    message: |
      Use of weak cryptographic primitive SHA1
      Use SHA256 at minimum for signature verification and use PBKDF2 for hashing passwords.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#use-of-sha1
    languages: [java]
    severity: WARNING
    metadata:
      owasp: 'A9: Using Components with Known Vulnerabilities'
      cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
    pattern-either:
      - pattern: |
          MessageDigest $VAR = $MD.getInstance("SHA1");
      - pattern: |
          $DU.getSha1Digest().digest(...)
  - id: java.lang.security.audit.crypto.weak-hash.use-of-md5
    message: |
      Use of weak cryptographic primitive MD5
      Use SHA256 at minimum for signature verification and use PBKDF2 for hashing passwords.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#use-of-md5
    languages: [java]
    severity: WARNING
    metadata:
      owasp: 'A9: Using Components with Known Vulnerabilities'
      cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
    pattern-either:
      - pattern: |
          MessageDigest $VAR = $MD.getInstance("MD5");
      - pattern: |
          $DU.getMd5Digest().digest(...)
  - id: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher
    pattern: new NullCipher(...);
    metadata:
      cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
    message: |
      NullCipher was detected. This will not encrypt anything;
      the cipher text will be the same as the plain text. Use
      a valid, secure cipher: Cipher.getInstance("AES/GCM/NoPadding").
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#no-null-cipher
    severity: WARNING
    languages:
      - java
  - id: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests
    metadata:
      cwe: 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms
    message: |
      Cryptographic algorithms are notoriously difficult to get right. By implementing
      a custom message digest, you risk introducing security issues into your program.
      Use one of the many sound message digests already available to you:
      MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#avoid-implementing-custom-digests
    severity: WARNING
    languages: [java]
    pattern: |-
      class $CLASS extends MessageDigest {
        ...
      }
  - id: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated
    metadata:
      cwe: 'CWE-326: Inadequate Encryption Strength'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT
    message: |
      DefaultHttpClient is deprecated. Further, it does not support connections
      using TLS1.2, which makes using DefaultHttpClient a security hazard.
      Use SystemDefaultHttpClient instead, which supports TLS1.2.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#defaulthttpclient-is-deprecated
    severity: WARNING
    languages: [java]
    pattern: new DefaultHttpClient(...);
  - id: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier
    message: |
      Insecure HostnameVerifier implementation detected. This will accept
      any SSL certificate with any hostname, which creates the possibility
      for man-in-the-middle attacks.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#insecure-hostname-verifier
    metadata:
      cwe: 'CWE-295: Improper Certificate Validation'
      owasp: 'A6: Security Misconfiguration'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-either:
          - pattern: |
              class $CLASS implements HostnameVerifier {
                ...
                public boolean verify(...) { return true; }
              }
          - pattern: |-
              new HostnameVerifier(...){
                public boolean verify(...) {
                  return true;
                }
              }
  - id: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager
    metadata:
      cwe: 'CWE-295: Improper Certificate Validation'
      owasp: 'A3: Sensitive Data Exposure'
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER
      references:
        - https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
    message: |
      Detected empty trust manager implementations. This is dangerous because it accepts any
      certificate, enabling man-in-the-middle attacks. Consider using a KeyStore
      and TrustManagerFactory instead.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#insecure-trust-manager
    severity: WARNING
    languages: [java]
    patterns:
      - pattern-inside: |
          class $CLASS implements X509TrustManager {
            ...
          }
      - pattern-not: public void checkClientTrusted(...) { $SOMETHING; }
      - pattern-not: public void checkServerTrusted(...) { $SOMETHING; }
      - pattern-either:
          - pattern: public void checkClientTrusted(...) {}
          - pattern: public void checkServerTrusted(...) {}
          - pattern: public X509Certificate[] getAcceptedIssuers(...) { return null; }
  - id: java.lang.correctness.eqeq.eqeq
    patterns:
      - pattern-not-inside: assert $X;
      - pattern-not-inside: |
          assert $X : $Y;
      - pattern-either:
          - pattern: $X == $X
          - pattern: $X != $X
      - pattern-not: 1 == 1
    message: |
      `$X == $X` or `$X != $X` is a useless comparison unless the value compared
      is a float or double. To test if `$X` is not-a-number, use `Double.isNaN($X)`.
      For more information, please refer to https://snowflakecomputing.atlassian.net/wiki/spaces/CLO/pages/1127713128/Semgrep+Finding+Remediation#eqeq
    languages: [java]
    severity: ERROR
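Added example, not part of this repository or of the Semgrep rule set: a Java test file, in Semgrep's `ruleid:`/`ok:` annotation convention, that exercises the cbc-padding-oracle and no-static-initialization-vector rules above with the flagged fixed-IV CBC form beside the AES/GCM/NoPadding form the rule messages recommend. The class name `IvRuleTest`, the all-zero sample key and the sample message are constructed for this example.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class IvRuleTest {
    // Constructed all-zero key so the file compiles and runs; never use a fixed key in real code.
    private static final SecretKey KEY = new SecretKeySpec(new byte[16], "AES");

    // Flagged form: a fixed IV literal reaches IvParameterSpec and the transformation ends in
    // /CBC/PKCS5Padding, so each rule reports on the line after its annotation.
    static byte[] encryptStaticCbc(byte[] plaintext) throws Exception {
        // ruleid: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector
        byte[] iv = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
        // ruleid: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    // Compliant form: fresh 96-bit nonce per message, authenticated mode, nonce prepended
    // to the ciphertext so the receiver can rebuild the GCMParameterSpec.
    static byte[] encryptGcm(byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        // ok: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // GCM fails closed: any modified byte makes doFinal throw AEADBadTagException instead of
    // leaking a valid/invalid-padding distinction.
    static byte[] decryptGcm(byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        System.out.println("static IV repeats ciphertext: " + Arrays.equals(encryptStaticCbc(msg), encryptStaticCbc(msg)));
        byte[] blob = encryptGcm(msg);
        System.out.println("GCM round trip: " + Arrays.equals(msg, decryptGcm(blob)));
        blob[blob.length - 1] ^= 1; // corrupt the authentication tag
        try { decryptGcm(blob); } catch (AEADBadTagException e) { System.out.println("tampered blob rejected"); }
    }
}
```

Semgrep's `--test` mode pairs a rule file with a test file of the same base name and checks that each rule's findings land exactly on the lines following its `ruleid:` annotations and nowhere an `ok:` annotation says they should not.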