Add Security Rules for File Permissions and Hard-Coded Secrets Detection #113

Open
wants to merge 6 commits into
base: main
Changes from 3 commits
172 changes: 172 additions & 0 deletions rules/c/security/world-writable-file-c.yml
@@ -0,0 +1,172 @@
id: world-writable-file-c
language: c
severity: warning
message: >-
This call makes a world-writable file which allows any user on a
machine to write to the file. This may allow attackers to influence the
behaviour of this process by writing to the file.
note: >-
[CWE-732]: Incorrect Permission Assignment for Critical Resource
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions
utils:
match_identifier_with_stringliteral_mode:
kind: identifier
pattern: $MODE
follows:
stopBy: end
kind: string_literal
has:
stopBy: end
kind: string_content
inside:
stopBy: end
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(chmod|fchmod|fchmodat|open|openat|creat)$
inside:
kind: expression_statement
follows:
stopBy: end
kind: declaration
all:
- has:
kind: type_identifier
- has:
kind: init_declarator
all:
- has:
kind: identifier
field: declarator
pattern: $MODE
- has:
kind: number_literal
field: value
pattern: $BINARY
match_identifier_with_identifier_mode:
kind: identifier
pattern: $MODE
inside:
stopBy: end
kind: argument_list
has:
stopBy: end
kind: identifier
inside:
stopBy: end
kind: call_expression
has:
stopBy: end
kind: identifier
regex: "^fchmod$"
inside:
stopBy: end
kind: expression_statement
follows:
stopBy: end
kind: declaration
all:
- has:
kind: type_identifier
- has:
kind: init_declarator
all:
- has:
kind: identifier
field: declarator
pattern: $MODE
- has:
kind: number_literal
field: value
pattern: $BINARY
match_binary_expression:
kind: binary_expression
all:
- has:
kind: binary_expression
has:
kind: identifier
regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR|S_IWOTH)$
⚠️ Potential issue

Remove redundant patterns in regex

The regex patterns contain duplicate entries:

regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR|S_IWOTH)$
regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR|S_IWOTH)$

S_IWOTH appears twice in both patterns.

-            regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR|S_IWOTH)$
+            regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR)$
-          regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR|S_IWOTH)$
+          regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR)$

Also applies to: 95-95

- has:
kind: identifier
regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR|S_IWOTH)$
inside:
stopBy: end
kind: call_expression
has:
kind: identifier
regex: (chmod|fchmod|fchmodat|open|openat)
inside:
kind: expression_statement
match_binary_with_identifier:
kind: identifier
regex: "^S_IWOTH$"
follows:
stopBy: end
kind: string_literal
has:
kind: string_content
inside:
stopBy: end
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
inside:
kind: expression_statement
match_binary_with_two_identifier:
kind: binary_expression
all:
- has:
kind: identifier
regex: ^(S_IWUSR)$
- has:
kind: identifier
regex: ^(S_IWOTH)$
inside:
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(open)$
match_binary_expression_with_three_identifier:
kind: binary_expression
all:
- has:
kind: binary_expression
all:
- has:
kind: identifier
regex: ^(S_IWOTH)$
- has:
kind: identifier
regex: ^(S_IUSR)$
- has:
kind: identifier
regex: ^(S_IGRP)$
inside:
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(openat)$
inside:
kind: expression_statement

rule:
any:
- matches: match_identifier_with_stringliteral_mode
- matches: match_identifier_with_identifier_mode
- matches: match_binary_expression
- matches: match_binary_with_identifier
- matches: match_binary_with_two_identifier
- matches: match_binary_expression_with_three_identifier
constraints:
BINARY:
regex: ^0[0-7]*[2367]$
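Review bot: `match_binary_expression` never requires `S_IWOTH` to be present: its two `has:` lists (`^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR|S_IWOTH)$` and `^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR|S_IWOTH)$`) accept owner and read-only bits, so a mode like `S_IRUSR | S_IWUSR | S_IROTH` is reported as world-writable even though "other" has no write permission; drop the read/owner bits and make one of the two `has:` branches require `^S_IWOTH$`, mirroring what the `BINARY` constraint already does for octal literals (last digit 2, 3, 6 or 7). Two further points in the same file: `S_IGRP` and `S_IUSR` (used in `match_binary_expression_with_three_identifier`) are not POSIX macro names, the real ones are `S_IRGRP`/`S_IWGRP`/`S_IXGRP` and `S_IRUSR`/`S_IWUSR`/`S_IXUSR`, so that util can never match real code; and the call regex `(chmod|fchmod|fchmodat|open|openat)` is unanchored and drops `creat`, unlike the `^(chmod|fchmod|fchmodat|open|openat|creat)$` used earlier, so it also matches identifiers such as `fopen` or `reopen_log`. Finally, every util that uses `$BINARY` only reaches a literal through a preceding `mode_t` declaration, so `chmod(path, 0666)` with the literal passed directly is not covered; a `number_literal` argument branch under the same `$BINARY` constraint would close that gap.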
Comment on lines +170 to +171
⚠️ Potential issue

Strengthen binary constraint regex pattern

The current regex ^0[0-7]*[2367]$ might miss some world-writable combinations. Consider:

  1. Adding explicit length validation
  2. Handling all possible world-writable combinations
-    regex: ^0[0-7]*[2367]$
+    regex: ^0[0-7]{0,3}[2367]$
Suggested change
BINARY:
regex: ^0[0-7]*[2367]$
BINARY:
regex: ^0[0-7]{0,3}[2367]$

172 changes: 172 additions & 0 deletions rules/cpp/security/world-writable-file-cpp.yml
@@ -0,0 +1,172 @@
id: world-writable-file-cpp
language: cpp
severity: warning
message: >-
This call makes a world-writable file which allows any user on a
machine to write to the file. This may allow attackers to influence the
behaviour of this process by writing to the file.
note: >-
[CWE-732]: Incorrect Permission Assignment for Critical Resource
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions
utils:
match_identifier_with_stringliteral_mode:
kind: identifier
pattern: $MODE
follows:
stopBy: end
kind: string_literal
has:
stopBy: end
kind: string_content
inside:
stopBy: end
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(chmod|fchmod|fchmodat|open|openat|creat)$
inside:
kind: expression_statement
follows:
stopBy: end
kind: declaration
all:
- has:
kind: type_identifier
- has:
kind: init_declarator
all:
- has:
kind: identifier
field: declarator
pattern: $MODE
- has:
kind: number_literal
field: value
pattern: $BINARY
match_identifier_with_identifier_mode:
kind: identifier
pattern: $MODE
inside:
stopBy: end
kind: argument_list
has:
stopBy: end
kind: identifier
inside:
stopBy: end
kind: call_expression
has:
stopBy: end
kind: identifier
regex: "^fchmod$"
inside:
stopBy: end
kind: expression_statement
follows:
stopBy: end
kind: declaration
all:
- has:
kind: type_identifier
- has:
kind: init_declarator
all:
- has:
kind: identifier
field: declarator
pattern: $MODE
- has:
kind: number_literal
field: value
pattern: $BINARY
match_binary_expression:
kind: binary_expression
all:
- has:
kind: binary_expression
has:
kind: identifier
regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IROTH|S_IRUSR|S_IWOTH)$
- has:
kind: identifier
regex: ^(S_IWOTH|S_IWUSR|S_IGRP|S_IRUSR|S_IWOTH)$
inside:
stopBy: end
kind: call_expression
has:
kind: identifier
regex: (chmod|fchmod|fchmodat|open|openat)
inside:
kind: expression_statement
match_binary_with_identifier:
kind: identifier
regex: "^S_IWOTH$"
follows:
stopBy: end
kind: string_literal
has:
kind: string_content
inside:
stopBy: end
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
inside:
kind: expression_statement
match_binary_with_two_identifier:
kind: binary_expression
all:
- has:
kind: identifier
regex: ^(S_IWUSR)$
- has:
kind: identifier
regex: ^(S_IWOTH)$
inside:
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(open)$
match_binary_expression_with_three_identifier:
kind: binary_expression
all:
- has:
kind: binary_expression
all:
- has:
kind: identifier
regex: ^(S_IWOTH)$
- has:
kind: identifier
regex: ^(S_IUSR)$
- has:
kind: identifier
regex: ^(S_IGRP)$
inside:
kind: argument_list
inside:
kind: call_expression
has:
kind: identifier
regex: ^(openat)$
inside:
kind: expression_statement

rule:
any:
- matches: match_identifier_with_stringliteral_mode
- matches: match_identifier_with_identifier_mode
- matches: match_binary_expression
- matches: match_binary_with_identifier
- matches: match_binary_with_two_identifier
- matches: match_binary_expression_with_three_identifier
constraints:
BINARY:
regex: ^0[0-7]*[2367]$
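Review bot: this file is a copy of `rules/c/security/world-writable-file-c.yml` with only `id` and `language` changed, so every issue in the C rule carries over unchanged: `match_binary_expression` fires without `S_IWOTH` being present (its `S_I*` lists include read and owner bits), `S_IGRP` and `S_IUSR` are not real macro names so `match_binary_expression_with_three_identifier` cannot match, the `(chmod|fchmod|fchmodat|open|openat)` regex is unanchored and omits `creat`, and a literal mode passed directly as an argument is not matched at all. Fix both copies together, or generate one from the other, so the C and C++ rules do not drift apart.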