Merge pull request #41 from trailofbits/mschwager-blog-rules

Add blog post Semgrep rules for generic, kotlin, and yaml

generic/container-privileged.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: container-privileged
+docker run --privileged hello-world
+
+# ruleid: container-privileged
+podman run --privileged hello-world
+
+# ok: container-privileged
+docker run hello-world
+
+# ok: container-privileged
+podman run hello-world

generic/container-privileged.yaml

@@ -0,0 +1,36 @@
+rules:
+  - id: container-privileged
+    message: Found container command with extended privileges
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://docs.docker.com/engine/reference/commandline/run/
+    pattern-either:
+      - pattern: docker ... --privileged
+      - pattern: docker ... --cap-add=ALL
+      - pattern: docker ... --cap-add=SYS_ADMIN
+      - pattern: docker ... --cap-add=SYS_MODULE
+      - pattern: docker ... --net=host
+      - pattern: docker ... --userns=host
+      - pattern: docker ... --pid=host
+      - pattern: docker ... --ipc=host
+      - pattern: docker ... --security-opt seccomp=unconfined
+      - pattern: docker ... --security-opt apparmor=unconfined
+      - pattern: podman ... --privileged
+      - pattern: podman ... --cap-add=ALL
+      - pattern: podman ... --cap-add=SYS_ADMIN
+      - pattern: podman ... --cap-add=SYS_MODULE
+      - pattern: podman ... --net=host
+      - pattern: podman ... --userns=host
+      - pattern: podman ... --pid=host
+      - pattern: podman ... --ipc=host
+      - pattern: podman ... --security-opt seccomp=unconfined
+      - pattern: podman ... --security-opt apparmor=unconfined

generic/container-user-root.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: container-user-root
+docker run -u root hello-world
+
+# ruleid: container-user-root
+podman run --user root hello-world
+
+# ok: container-user-root
+docker run hello-world
+
+# ok: container-user-root
+podman run hello-world

generic/container-user-root.yaml

@@ -0,0 +1,24 @@
+rules:
+  - id: container-user-root
+    message: Found container command running as root
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://docs.docker.com/engine/reference/commandline/run/
+    pattern-either:
+      - pattern: docker ... -u root
+      - pattern: docker ... -u 0
+      - pattern: docker ... --user root
+      - pattern: docker ... --user 0
+      - pattern: podman ... -u root
+      - pattern: podman ... --u 0
+      - pattern: podman ... --user root
+      - pattern: podman ... --user 0

generic/curl-insecure.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: curl-insecure
+curl -k https://google.com > /dev/null
+
+# ruleid: curl-insecure
+curl --insecure https://google.com > /dev/null
+
+# ok: curl-insecure
+curl --ksomeotherflag https://google.com > /dev/null
+
+# ok: curl-insecure
+curl https://google.com > /dev/null

generic/curl-insecure.yaml

@@ -0,0 +1,22 @@
+rules:
+  - id: curl-insecure
+    message: Found `curl` command disabling SSL verification
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://curl.se/docs/manpage.html
+    pattern-either:
+      # A space character was left at the end of some patterns to help ensure
+      # that the intended flag was used, and minimize the chance that another,
+      # longer flag that _starts with_ the intended flag results in a false
+      # positive
+      - pattern: "curl ... -k "
+      - pattern: "curl ... --insecure"

generic/curl-unencrypted-url.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: curl-unencrypted-url
+curl http://google.com > /dev/null
+
+# ruleid: curl-unencrypted-url
+curl ftp://google.com > /dev/null
+
+# ok: curl-unencrypted-url
+curl https://google.com > /dev/null

generic/curl-unencrypted-url.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: curl-unencrypted-url
+    message: Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://curl.se/docs/manpage.html
+    pattern-either:
+      - pattern: curl ... http://
+      - pattern: curl ... ftp://

generic/gpg-insecure-flags.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: gpg-insecure-flags
+gpg --skip-verify --output doc --decrypt doc.gpg
+
+# ok: gpg-insecure-flags
+gpg --output doc --decrypt doc.gpg

generic/gpg-insecure-flags.yaml

@@ -0,0 +1,27 @@
+rules:
+  - id: gpg-insecure-flags
+    message: Found `gpg` command using insecure flags
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://www.gnupg.org/gph/de/manual/r1023.html
+    pattern-either:
+      - pattern: gpg ... --allow-non-selfsigned-uid
+      - pattern: gpg ... --allow-freeform-uid
+      - pattern: gpg ... --allow-old-cipher-algos
+      - pattern: gpg ... --allow-weak-digest-algos
+      - pattern: gpg ... --allow-weak-key-signatures
+      - pattern: gpg ... --ignore-time-conflict
+      - pattern: gpg ... --ignore-valid-from
+      - pattern: gpg ... --ignore-crc-error
+      - pattern: gpg ... --ignore-mdc-error
+      - pattern: gpg ... --skip-verify
+      - pattern: gpg ... --no-require-cross-certification

generic/installer-allow-untrusted.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: installer-allow-untrusted
+sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted
+
+# ok: installer-allow-untrusted
+sudo installer -pkg /path/to/package.pkg -target /

generic/installer-allow-untrusted.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: installer-allow-untrusted
+    message: Found `installer` command allowing untrusted installations
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-494: Download of Code Without Integrity Check"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://ss64.com/mac/installer.html
+    pattern: installer ... -allowUntrusted

generic/openssl-insecure-flags.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass pass:mysecretpass
+
+# ok: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem --noencsomeotherflag
+
+# ok: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass env:PASSVAR

generic/openssl-insecure-flags.yaml

@@ -0,0 +1,26 @@
+rules:
+  - id: openssl-insecure-flags
+    message: Found `openssl` command using insecure flags
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://www.openssl.org/docs/manmaster/man1/
+    pattern-either:
+      # A space character was left at the end of some patterns to help ensure
+      # that the intended flag was used, and minimize the chance that another,
+      # longer flag that _starts with_ the intended flag results in a false
+      # positive
+      - pattern: "openssl ... -pass pass:"
+      - pattern: "openssl ... -passin pass:"
+      - pattern: "openssl ... -passout pass:"
+      - pattern: "openssl ... -nodes "
+      - pattern: "openssl ... -noenc "
+      - pattern: "openssl ... -sha1 "

generic/ssh-disable-host-key-checking.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: ssh-disable-host-key-checking
+ssh -o StrictHostKeyChecking=no user@hostname
+
+# ok: ssh-disable-host-key-checking
+ssh user@hostname

generic/ssh-disable-host-key-checking.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: ssh-disable-host-key-checking
+    message: Found `ssh` command disabling host key checking
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://man7.org/linux/man-pages/man1/ssh.1.html
+    pattern: ssh ... StrictHostKeyChecking=no

generic/tar-insecure-flags.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: tar-insecure-flags
+tar -xvf --absolute-paths archive.tar
+
+# ruleid: tar-insecure-flags
+tar -xvf -P archive.tar
+
+# ok: tar-insecure-flags
+tar -xvf --Psomeotherflag archive.tar
+
+# ok: tar-insecure-flags
+tar -xvf archive.tar

generic/tar-insecure-flags.yaml

@@ -0,0 +1,24 @@
+rules:
+  - id: tar-insecure-flags
+    message: Found `tar` command using insecure flags
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-73: External Control of File Name or Path"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://man7.org/linux/man-pages/man1/tar.1.html
+    pattern-either:
+      # A space character was left at the end of some patterns to help ensure
+      # that the intended flag was used, and minimize the chance that another,
+      # longer flag that _starts with_ the intended flag results in a false
+      # positive
+      - pattern: "tar ... -P "
+      - pattern: "tar ... --absolute-paths"
+      - pattern: "tar ... --absolute-names"
+      - pattern: "tar ... --passphrase "

generic/wget-no-check-certificate.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: wget-no-check-certificate
+wget --no-check-certificate https://google.com
+
+# ruleid: wget-no-check-certificate
+wget --no-hsts https://google.com
+
+# ok: wget-no-check-certificate
+wget https://google.com

generic/wget-no-check-certificate.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: wget-no-check-certificate
+    message: Found `wget` command disabling SSL verification
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://linux.die.net/man/1/wget
+    pattern-either:
+      - pattern: wget ... --no-check-certificate
+      - pattern: wget ... --no-hsts

generic/wget-unencrypted-url.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: wget-unencrypted-url
+wget http://google.com
+
+# ruleid: wget-unencrypted-url
+wget ftp://google.com
+
+# ok: wget-unencrypted-url
+wget https://google.com

generic/wget-unencrypted-url.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: wget-unencrypted-url
+    message: Found `wget` command  with unencrypted URL (e.g. HTTP, FTP, etc.)
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://linux.die.net/man/1/wget
+    pattern-either:
+      - pattern: wget ... http://
+      - pattern: wget ... ftp://

jvm/gc-call.java

@@ -0,0 +1,6 @@
+class Test {
+    public static void main(String[] args) {
+        // ruleid: gc-call
+        System.gc();
+    }
+}

jvm/gc-call.kt

@@ -0,0 +1,4 @@
+fun main() {
+    // ruleid: gc-call
+    System.gc()
+}