Merge pull request #39 from PavelBansky/master

Master

rules/default/security/api/deserialization.json

@@ -40,8 +40,8 @@
         "rule_info": "DS425000.md",
         "patterns": [
             {
-                "pattern": ".readObject\\(",
-                "type": "substring",
+                "pattern": "\\.readObject\\(",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
@@ -66,7 +66,7 @@
         "patterns": [
             {
                 "pattern": "unserialize\\(",
-                "type": "string",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
@@ -96,7 +96,15 @@
                     "code"
                 ],
                 "_comment": ""
-            }
+            },
+            {
+                "pattern": "(YAML|Syck|Marshal)::load",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            }            
         ]
     },
     {

rules/default/security/api/tests/DS108330.test

@@ -0,0 +1,10 @@
+line: 5
+=====
+int main ()
+{
+  char str1[20];
+  char str2[20];
+  strncat (str1, str2, 6);
+
+  return 0;
+}

rules/default/security/api/tests/DS111237.test

@@ -0,0 +1,12 @@
+line: 7
+====
+int main ()
+{
+  char str1[]= "To be or not to be";
+  char str2[40];
+  char str3[40];
+
+  strncpy ( str2, str1, sizeof(str2) );
+
+  return 0;
+}

rules/default/security/api/tests/DS121708.test

@@ -0,0 +1,8 @@
+line: 5
+=====
+int main () {
+   const char src[50] = "www.tutorialspoint.com";
+   char dest[50];
+
+   memcpy(dest, src, 20);
+}

rules/default/security/api/tests/DS140021.test

@@ -0,0 +1,6 @@
+line: 3
+======
+int main () {
+   const char src[50] = "www.tutorialspoint.com";
+   int a = strlen(src)+1;
+}

rules/default/security/api/tests/DS141863.test

@@ -0,0 +1,8 @@
+line: 4
+====
+int main ()
+{
+  char str[80];  
+  strcat (str,"strings ");
+  return 0;
+}

rules/default/security/api/tests/DS154189.test

@@ -0,0 +1,11 @@
+line: 5
+line: 6
+=====
+int main ()
+{
+  char buffer [50];
+  int n, a=5, b=3;
+  n=sprintf (buffer, "%d plus %d is %d", a, b, a+b);
+  printf ("[%s] is a string %d chars long\n",buffer,n);
+  return 0;
+}

rules/default/security/api/tests/DS161085.test

@@ -0,0 +1,8 @@
+line: 5
+=======
+int main () {
+   char *str;
+
+   /* Following line should be hit */
+   str = (char *) malloc(15);
+}

rules/default/security/api/tests/DS181021.test

@@ -0,0 +1,10 @@
+line: 5
+=====
+int main()
+{
+  char string [256];
+
+  gets (string);     // warning: unsafe (see fgets instead)
+
+  return 0;
+}

rules/default/security/api/tests/DS185832.test

@@ -0,0 +1,13 @@
+line: 6
+line: 7
+=====
+int main ()
+{
+  char str1[]="Sample string";
+  char str2[40];
+  char str3[40];
+  strcpy (str2,str1);
+  strcpy (str3,"copy successful");
+
+  return 0;
+}

rules/default/security/api/tests/DS425000.test

@@ -0,0 +1,3 @@
+line: 1
+=====
+favorite_color = pickle.load( open( "save.p", "rb" ) )

rules/default/security/api/tests/DS425010.test

@@ -0,0 +1,6 @@
+line: 3
+=====
+private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException {
+    in.defaultReadObject();
+    this.author = (String)in.readObject();
+}

rules/default/security/api/tests/DS425020.test

@@ -0,0 +1,3 @@
+line: 1
+=====
+$session_data = unserialize($tmp[0]);

rules/default/security/api/tests/DS425030.test

@@ -0,0 +1,7 @@
+line: 1
+line: 2
+line: 3
+=====
+thing = YAML.load_file('some.yml')
+obj = Marshal.load(data)
+ruby_obj = YAML::load( yaml_obj )

rules/default/security/api/tests/DS425040.test

@@ -0,0 +1,24 @@
+line: 3
+line: 8
+line: 13
+line: 18
+====
+Stockholder newStockholder = JsonConvert.DeserializeObject<Stockholder>(jsonTypeNameAuto, new JsonSerializerSettings
+{
+    TypeNameHandling = TypeNameHandling.Auto
+});
+
+newStockholder = JsonConvert.DeserializeObject<Stockholder>(jsonTypeNameAuto, new JsonSerializerSettings
+{
+    TypeNameHandling = TypeNameHandling.Objects
+});
+
+newStockholder = JsonConvert.DeserializeObject<Stockholder>(jsonTypeNameAuto, new JsonSerializerSettings
+{
+    TypeNameHandling = TypeNameHandling.Arrays
+});
+
+newStockholder = JsonConvert.DeserializeObject<Stockholder>(jsonTypeNameAuto, new JsonSerializerSettings
+{
+    TypeNameHandling = TypeNameHandling.All
+});

rules/default/security/attack_surface/tests/DS137038.test

@@ -0,0 +1,3 @@
+line: 1
+=====
+res = Net::HTTP.get_response(uri)

rules/default/security/control_flow/format_string.json

@@ -22,7 +22,7 @@
                     "code"
                 ],
                 "_comment": ""
-            }
+            }        
         ],
         "fix_its": [
             {

rules/default/security/control_flow/tests/DS104456.test

@@ -0,0 +1,3 @@
+line: 1
+====
+$IsWow64Process = GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)

rules/default/security/control_flow/tests/DS113286.TODO

@@ -0,0 +1,3 @@
+line: 1
+====
+NSString *string1 = [NSString stringWithFormat:@"A string: %@, a float: %1.2f", @"string", 31415.9265];

rules/default/security/control_flow/tests/DS113853.test

@@ -0,0 +1,3 @@
+line: 1
+====
+Set-ExecutionPolicy RemoteSigned

rules/default/security/control_flow/tests/DS165746.test

@@ -0,0 +1,3 @@
+line: 1
+====
+NSString *title = [webView stringByEvaluatingJavaScriptFromString:@"document.title"]; 

rules/default/security/cryptography/certificate.json

@@ -68,14 +68,6 @@
                 ],
                 "_comment": ""
             },
-            {
-                "pattern": "setValidatesSecureCertificate:\\s*NO",
-                "type": "regex",
-                "scopes": [
-                    "code"
-                ],
-                "_comment": ""
-            },
             {
                 "pattern": "validatesSecureCertificate\\s*=\\s*NO",
                 "type": "regex",
@@ -160,7 +152,7 @@
             },
             {
                 "pattern": "disable_ssl_certificate_validation\\s*=\\s*True",
-                "type": "string",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
@@ -249,31 +241,31 @@
         "rule_info": "DS114352.md",
         "patterns": [
             {
-                "pattern": "certificateValidationMode=\"None\"",
-                "type": "string",
+                "pattern": "certificateValidationMode\\s*=\\s*\"None\"",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "checkCertificateName=\"false\"",
-                "type": "string",
+                "pattern": "checkCertificateName\\s*=\\s*\"false\"",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "checkCertificateRevocationList=\"false\"",
-                "type": "string",
+                "pattern": "checkCertificateRevocationList\\s*=\\s*\"false\"",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "encryptionPolicy=\"(AllowNoEncryption|NoEncryption)",
+                "pattern": "encryptionPolicy\\s*=\\s*\"(AllowNoEncryption|NoEncryption)",
                 "type": "regex",
                 "scopes": [
                     "code"
@@ -414,23 +406,23 @@
         "rule_info": "DS114352.md",
         "patterns": [
             {
-                "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};",
+                "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*delegate\\s*{\\s*return true;\\s*};",
                 "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};",
+                "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};",
                 "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true",
+                "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true",
                 "type": "regex",
                 "scopes": [
                     "code"

rules/default/security/cryptography/ciphers.json

@@ -16,7 +16,7 @@
         "patterns": [
             {
                 "pattern": "mcrypt",
-                "type": "string",
+                "type": "substring",
                 "scopes": [
                     "code"
                 ],

rules/default/security/cryptography/general.json

@@ -12,16 +12,16 @@
         "rule_info": "DS101155.md",
         "patterns": [
             {
-                "pattern": "encrypt=false",
-                "type": "string",
+                "pattern": "encrypt\\s*=\\s*false",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],
                 "_comment": ""
             },
             {
-                "pattern": "encryption=false",
-                "type": "string",
+                "pattern": "encryption\\s*=\\s*false",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ],

rules/default/security/cryptography/hash_algorithm.json

@@ -128,7 +128,7 @@
         "rule_info": "DS128420.md",
         "patterns": [
             {
-                "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
+                "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)",
                 "type": "regex",
                 "scopes": [
                     "code"
@@ -143,7 +143,7 @@
                 "_comment": "",
                 "replacement": "hash('sha256'$2);",
                 "pattern": {
-                    "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
+                    "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)",
                     "type": "regex",
                     "scopes": [
                         "code"
@@ -171,10 +171,13 @@
         "name": "Do not use broken/weak cryptographic hash algorithms",
         "id": "DS108647",
         "description": "Avoid using broken or weak hash algorithms.",
-        "recommendation": "Use Digest::SHA256 or Digest::SHA512",
+        "recommendation": "Use Digest::SHA256 or Digest::SHA512",                
         "applies_to": [
             "ruby"
         ],
+        "overrides": [
+            "DS126858"
+            ],        
         "tags": [
             "Cryptography.HashAlgorithm.BrokenOrWeak"
         ],
@@ -352,6 +355,7 @@
         "patterns": [
             {
                 "pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time",
+                "modifiers" : ["i"],
                 "type": "regex",
                 "scopes": [
                     "code"