Skip to content

Add C# BinaryFormatter and Ruby force_ssl security rules with tests #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Feb 5, 2025
Merged

Add C# BinaryFormatter and Ruby force_ssl security rules with tests #148

merged 17 commits into from
Feb 5, 2025

Conversation

ESS-ENN
Copy link
Contributor

@ESS-ENN ESS-ENN commented Feb 4, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • New Features

    • Introduced a security rule for C# applications to discourage the use of an unsafe serialization method.
    • Added a security rule for Ruby applications that warns when SSL enforcement is disabled, helping to protect data transmission.

  • Tests

    • Implemented new test cases and snapshots to verify the proper functioning of the updated security validations.

Sakshis and others added 17 commits December 16, 2024 13:09
removed missing-secure-java
bb7b8e1
@ESS-ENN
Merge branch 'coderabbitai:main' into main
308e947
@ESS-ENN
Merge branch 'coderabbitai:main' into main
46efd55
@ESS-ENN
Merge branch 'coderabbitai:main' into main
3ac0204
@ESS-ENN
Merge branch 'coderabbitai:main' into main
7caba92
@ESS-ENN
Merge branch 'coderabbitai:main' into main
d3a2776
@ESS-ENN
Merge branch 'coderabbitai:main' into main
2e86380
@ESS-ENN
Merge branch 'coderabbitai:main' into main
b072db7
@ESS-ENN
Merge branch 'coderabbitai:main' into main
65dce29
@ESS-ENN
httponly-false-csharp
12bb3aa
@ESS-ENN
use-of-md5-digest-utils-java
2c5ea88
@ESS-ENN
removing use-of-md5-digest-utils and httponly-false-csharp
d3067f1
@ESS-ENN
Merge branch 'coderabbitai:main' into main
56d4011
@ESS-ENN
Merge branch 'coderabbitai:main' into main
f7f1d72
@ESS-ENN
Merge branch 'coderabbitai:main' into main
0d53f8e
@ESS-ENN
force-ssl-false-ruby
3422a00
@ESS-ENN
insecure-binaryformatter-deserialization-csharp
caa2e72
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Feb 4, 2025
edited
Loading

Walkthrough

This pull request introduces new security rules and corresponding tests for both C# and Ruby applications. A C# rule warns against using the insecure BinaryFormatter for deserialization by detecting its instantiation. Similarly, a Ruby rule flags configurations where config.force_ssl is set to false. Alongside these rule definitions, new test cases and snapshot entries have been added to validate the behavior of the rules in real code scenarios.

Changes

Files Change Summary
rules/.../insecure-binaryformatter-deserialization-csharp.yml
tests/.../insecure-binaryformatter-deserialization-csharp-test.yml		 Adds a C# security rule to detect unsafe BinaryFormatter deserialization via pattern matching and introduces a related test case validating its behavior.
rules/.../force-ssl-false-ruby.yml
tests/.../force-ssl-false-ruby-test.yml
tests/__snapshots__/force-ssl-false-ruby-snapshot.yml		 Adds a Ruby security rule to flag instances where config.force_ssl is set to false using an AST grep approach, along with tests and a snapshot to confirm its detection.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Analyzer as Static Analyzer
    participant Rule as BinaryFormatter Rule
    participant Matcher as Pattern Matcher

    Dev->>Analyzer: Commit code with new BinaryFormatter()
    Analyzer->>Rule: Execute BinaryFormatter rule check
    Rule->>Matcher: Scan for "new BinaryFormatter()"
    Matcher-->>Rule: Pattern detected
    Rule->>Analyzer: Emit warning (insecure-binaryformatter-deserialization-csharp)
Loading 
sequenceDiagram
    participant Dev as Developer
    participant Analyzer as Static Analyzer
    participant Rule as Force-SSL Rule
    participant AST as AST Grepper

    Dev->>Analyzer: Commit code with config.force_ssl = false
    Analyzer->>Rule: Run force_ssl rule check
    Rule->>AST: Parse AST for "config.force_ssl = false"
    AST-->>Rule: Match found
    Rule->>Analyzer: Issue warning (force-ssl-false-ruby)
Loading

Suggested reviewers

  • ganeshpatro321

Poem

I’m a rabbit hopping through lines of code,
Watching new rules lighten the security load.
From BinaryFormatter warnings in C#’s land,
To SSL flags in Ruby finely planned.
I nibble bugs with a joyful bound—
Happy hops where safe code is found! 🐇

Tip

🌐 Web search-backed reviews and chat
  • We have enabled web search-based reviews and chat for all users. This feature allows CodeRabbit to access the latest documentation and information on the web.
  • You can disable this feature by setting web_search: false in the knowledge_base settings.
  • Please share any feedback in the Discord discussion.
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ESS-ENN
❌ Sakshis

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai coderabbitai bot changed the title @coderabbitai Add C# BinaryFormatter and Ruby force_ssl security rules with tests Feb 4, 2025
coderabbitai[bot]
coderabbitai bot requested changes Feb 4, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (4)
tests/__snapshots__/force-ssl-false-ruby-snapshot.yml (1)

1-20: Snapshot Definition is Comprehensive

The snapshot entry for force-ssl-false-ruby captures the insecure configuration snippet precisely. The associated labels with source references and line numbers provide valuable context needed for validating the rule's behavior.

Suggestion: Consider adding inline comments or a short description next to each label to clarify what each range represents, which can improve future maintainability.

rules/ruby/security/force-ssl-false-ruby.yml (1)

13-24: AST Grep Utility Section: Consider Quoting Complex Keys

The utils section correctly defines an AST grep pattern for detecting assignments to config.force_ssl with a false value. However, the key config.force_ssl = $FAL: contains special characters (spaces, =, and $) which can sometimes lead to YAML parsing ambiguities.

Recommendation: Quote the key for clarity. For example:

-  config.force_ssl = $FAL:
+  "config.force_ssl = $FAL":

This will ensure the YAML parser treats it as a literal string.

tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml (1)

5-7: Remove Trailing Whitespace in Code Snippet
Line 5 shows a trailing space after the using directive. Removing extra spaces will help keep the YAML file clean and compliant with YAML lint guidelines.

Suggested diff:

-    using System.Runtime.Serialization.Formatters.Binary; 
+    using System.Runtime.Serialization.Formatters.Binary;
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 5-5: trailing spaces

(trailing-spaces)

rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml (1)

42-44: Clean Up the Rule Declaration Section
In the rule block, specifically on line 44, there are trailing spaces that need to be removed. This will ensure that the YAML remains clean and compliant.

@@
-   matches: MATCH_PATTERN_BinaryFormatter
-     
+   matches: MATCH_PATTERN_BinaryFormatter
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 44-44: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 26b3b09 and caa2e72.

📒 Files selected for processing (5)
  • rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml (1 hunks)
  • rules/ruby/security/force-ssl-false-ruby.yml (1 hunks)
  • tests/__snapshots__/force-ssl-false-ruby-snapshot.yml (1 hunks)
  • tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml (1 hunks)
  • tests/ruby/force-ssl-false-ruby-test.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.35.1)
tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml

[error] 5-5: trailing spaces

(trailing-spaces)

rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml

[warning] 18-18: wrong indentation: expected 4 but found 3

(indentation)

[warning] 20-20: wrong indentation: expected 5 but found 4

(indentation)

[error] 25-25: trailing spaces

(trailing-spaces)

[warning] 34-34: wrong indentation: expected 5 but found 4

(indentation)

[error] 41-41: trailing spaces

(trailing-spaces)

[error] 44-44: trailing spaces

(trailing-spaces)

🔇 Additional comments (11)
tests/ruby/force-ssl-false-ruby-test.yml (2)

1-7: Valid Test Case Block Looks Good

The valid configuration section correctly demonstrates a secure setup by assigning config.force_ssl = true in the bad_ssl method. This clear separation in the test helps ensure that secure configurations pass the new rule.

8-11: Invalid Test Case Accurately Captures the Security Issue

The invalid configuration block, where config.force_ssl is set to false, is well-structured. It will trigger the new security rule, making it an effective test for identifying insecure setups.

rules/ruby/security/force-ssl-false-ruby.yml (2)

1-12: Rule Metadata and Documentation are Clear

The header with id, language, severity, message, and note is well-documented. The message clearly explains the security risk and remediation, and the reference to CWE-311 reinforces the rationale.

25-29: Rule Matching Block is Well-Defined

The rule block properly outlines the detection logic by specifying an assignment that matches config.force_ssl = $FAL. This clear pattern-matching helps enforce the intended security rule.

tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml (4)

1-4: Clarify Test Fixture Metadata and Structure
The header section (lines 1–4) clearly defines the test ID and sets up an insecure deserialization example under the invalid key. This is appropriate for a test case targeting rule detection.

8-9: Verify Namespace and Class Formatting
The declaration of the namespace and the class (lines 6–9) is clear. Ensure that the inner indentation within the code snippet remains consistent with your project's C# formatting guidelines.

10-18: Review Insecure Deserialization Sample
The method BinaryFormatterDeserialization (lines 10–18) intentionally demonstrates insecure deserialization using BinaryFormatter. Although modern C# practices recommend using a using block for resource management, keep in mind that this code is provided as a negative example to trigger your security rule.

20-24: Assess Exception Handling Approach
The try-catch block (lines 20–24) is straightforward. If this sample is solely for testing the detection of insecure deserialization, then catching a generic Exception and logging it via Console.WriteLine is acceptable.

rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml (3)

1-9: Validate Rule Metadata and Message
The header (lines 1–9) correctly identifies the rule with an ID, severity level, language, and a detailed message explaining why using BinaryFormatter is dangerous. The information is clear and aligns with CWE-502.

9-12: Ensure Consistency in the Note Section
The note block (lines 9–12) includes a reference to CWE-502 and a documentation link. Verify that the formatting renders correctly in all documentation tools.

26-32: Review the Second List Item in the Utils Block
The second list item (lines 26–32) defining the pattern in a global statement appears correct. Verify that its indentation aligns with the revised structure from the previous diff.

@ganeshpatro321 ganeshpatro321 merged commit 6fa741b into coderabbitai:main Feb 5, 2025
1 of 2 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Feb 6, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Mar 26, 2025
Merged
gatsby003 pushed a commit that referenced this pull request Jul 24, 2025
@ESS-ENN @gatsby003
Add C# BinaryFormatter and Ruby force_ssl security rules with tests (#…
5955416 
…148)

* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* force-ssl-false-ruby

* insecure-binaryformatter-deserialization-csharp

---------

Co-authored-by: Sakshis <sakshil@abc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ganeshpatro321 ganeshpatro321 ganeshpatro321 approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ESS-ENN @CLAassistant @ganeshpatro321