Add C# BinaryFormatter and Ruby force_ssl security rules with tests #148
Merged 17 commits on Feb 5, 2025
@@ -0,0 +1,44 @@
id: insecure-binaryformatter-deserialization-csharp
severity: warning
language: csharp
message: >-
The BinaryFormatter type is dangerous and is not recommended for data
processing. Applications should stop using BinaryFormatter as soon as
possible, even if they believe the data they're processing to be
trustworthy. BinaryFormatter is insecure and can't be made secure.
note: >-
[CWE-502] Deserialization of Untrusted Data.
[REFERENCES]
- https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide

ast-grep-essentials: true

utils:
MATCH_PATTERN_BinaryFormatter:
pattern: new BinaryFormatter()
any:
- inside:
stopBy: end
follows:
stopBy: end
kind: using_directive
pattern: using System.Runtime.Serialization.Formatters.Binary;
- inside:
kind: global_statement
stopBy: end
follows:
stopBy: end
kind: using_directive
pattern: using System.Runtime.Serialization.Formatters.Binary
not:
inside:
kind: object_creation_expression
stopBy: end
not:
inside:
kind: variable_declarator
stopBy: end

rule:
matches: MATCH_PATTERN_BinaryFormatter
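Review bot: the two `using_directive` patterns in the `any:` block are inconsistent: the first branch uses `pattern: using System.Runtime.Serialization.Formatters.Binary;` with the trailing semicolon and the second omits it, so the two branches may match different node shapes; use one form in both. The nested `not: inside: kind: object_creation_expression` / `not: inside: kind: variable_declarator` double negation also carries no comment saying which construction it is meant to exclude, which makes the util hard to maintain. Finally, because `pattern: new BinaryFormatter()` is only reported when the `using System.Runtime.Serialization.Formatters.Binary` directive is present, a fully qualified `new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter()` written without the using directive is not flagged; consider a second pattern for that form, or document the gap in the rule.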

28 changes: 28 additions & 0 deletions rules/ruby/security/force-ssl-false-ruby.yml
@@ -0,0 +1,28 @@
id: force-ssl-false-ruby
language: ruby
severity: warning
message: >-
Checks for configuration setting of force_ssl to false. Force_ssl
forces usage of HTTPS, which could lead to network interception of
unencrypted application traffic. To fix, set config.force_ssl = true.
note: >-
[CWE-311] Missing Encryption of Sensitive Data.
[REFERENCES]
- https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb

ast-grep-essentials: true

utils:
config.force_ssl = $FAL:
kind: assignment
all:
- has:
kind: call
pattern: config.force_ssl
- has:
regex: ^\s*false$

rule:
kind: assignment
any:
- matches: config.force_ssl = $FAL
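Review bot: the `message:` text inverts the causality: it says force_ssl "forces usage of HTTPS, which could lead to network interception of unencrypted application traffic", when it is setting `config.force_ssl = false` that disables the HTTPS redirect and exposes traffic to interception; suggest: "Setting force_ssl to false disables the redirect to HTTPS, so application traffic can be intercepted unencrypted. To fix, set config.force_ssl = true." Two smaller points in the `utils:` and `rule:` blocks: the util name `config.force_ssl = $FAL` reads like a pattern with a metavariable, but `$FAL` is never bound (the value is checked through `regex: ^\s*false$`), so a plain name such as `force_ssl_false` would be less misleading; and `any:` with a single `matches:` entry is redundant and can be written as `matches: ...` directly under `rule:` next to `kind: assignment`.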
19 changes: 19 additions & 0 deletions tests/__snapshots__/force-ssl-false-ruby-snapshot.yml
@@ -0,0 +1,19 @@
id: force-ssl-false-ruby
snapshots:
? |
def bad_ssl
config.force_ssl = false
end
: labels:
- source: config.force_ssl = false
style: primary
start: 12
end: 36
- source: config.force_ssl
style: secondary
start: 12
end: 28
- source: 'false'
style: secondary
start: 31
end: 36
@@ -0,0 +1,26 @@
id: insecure-binaryformatter-deserialization-csharp

invalid:
- |
using System.Runtime.Serialization.Formatters.Binary;
namespace InsecureDeserialization
{
public class InsecureBinaryFormatterDeserialization
{
public void BinaryFormatterDeserialization(string json)
{
try
{
BinaryFormatter binaryFormatter = new BinaryFormatter();

MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));
binaryFormatter.Deserialize(memoryStream);
memoryStream.Close();
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
}
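Review bot: this test file has only an `invalid:` case and no `valid:` section, so the guard that requires `using System.Runtime.Serialization.Formatters.Binary;` before `new BinaryFormatter()` is never exercised; add at least one `valid:` snippet, for example the same class using `System.Text.Json` with no BinaryFormatter, or `new BinaryFormatter()` without the using directive, so that a regression making the rule match everything or nothing is caught. Minor: the parameter is named `json` but is passed to `BinaryFormatter.Deserialize`, which reads its own binary format rather than JSON, and the snippet lacks `using System;`, `using System.IO;` and `using System.Text;` for `Exception`, `Console`, `MemoryStream` and `Encoding`; ast-grep does not compile the fixture, but a realistic one reads better.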
11 changes: 11 additions & 0 deletions tests/ruby/force-ssl-false-ruby-test.yml
@@ -0,0 +1,11 @@
id: force-ssl-false-ruby
valid:
- |
def bad_ssl
config.force_ssl = true
end
invalid:
- |
def bad_ssl
config.force_ssl = false
end
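Review bot: the `valid:` snippet sets `config.force_ssl = true` but its method is still named `bad_ssl`, identical to the `invalid:` snippet; rename it (for example `good_ssl`) so a failing test report points at the right case. Consider also a second `valid:` entry whose right-hand side is not the literal `false` (an expression or a variable) to confirm that the `regex: ^\s*false$` check in the rule fires only on the literal.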