Merge pull request #63 from PavelBansky/master

Master

src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
@@ -9,7 +9,7 @@
     <ApplicationIcon />
     <PackageId>Microsoft.DevSkim.CLI</PackageId>
     <Product>Microsoft DevSkim Command Line Interface</Product>
-    <Version>0.1.10</Version>
+    <Version>0.1.11</Version>
     <Authors>Microsoft</Authors>
     <Company>Microsoft</Company>
     <Copyright>(c) Microsoft Corporation. All rights reserved</Copyright>

src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json

@@ -2,7 +2,7 @@
   "profiles": {
     "Microsoft.DevSkim.CLI": {
       "commandName": "Project",
-      "commandLineArgs": " analyze d:\\GitHub\\DevSkim soubor.txt  -f sarif"
+      "commandLineArgs": "analyze d:\\t"
     }
   }
 }

src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json

@@ -796,7 +796,7 @@
     "rule_info": "DS137138.md",
     "patterns": [
       {
-        "pattern": "http:",
+        "pattern": "http:/",
         "type": "regex",
         "modifiers": [
           "i"
@@ -3594,6 +3594,49 @@
     "conditions": [],
     "fix_its": null
   },
+  {
+    "id": "DS113854",
+    "name": "Do not extract untrusted zip archives",
+    "overrides": null,
+    "schema_version": 0,
+    "tags": [
+      "CSharp.DangerousFunctionCall"
+    ],
+    "applies_to": [
+      "csharp"
+    ],
+    "severity": "manual-review",
+    "description": "Zip archive can contain file names with directory stepping sequence",
+    "recommendation": "Make sure that ZipArchiveEntry.FullName doesn't directory stepping characters ..\\",
+    "rule_info": "DS113854.md",
+    "patterns": [
+      {
+        "pattern": "ExtractToFile",
+        "type": "regex",
+        "modifiers": null,
+        "scopes": [
+          "code",
+          "code"
+        ]
+      }
+    ],
+    "conditions": [
+      {
+        "pattern": {
+          "pattern": "ZipArchiveEntry",
+          "type": "regex",
+          "modifiers": null,
+          "scopes": [
+            "code",
+            "code"
+          ]
+        },
+        "search_in": "finding-region(-15,0)",
+        "negate_finding": false
+      }
+    ],
+    "fix_its": null
+  },
   {
     "id": "DS165348",
     "name": "Do not attempt to access device UDID",

src/Microsoft.DevSkim/Microsoft.DevSkim/Microsoft.DevSkim.csproj

@@ -1,9 +1,9 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFrameworks>netstandard2.0;net45</TargetFrameworks>    
     <PackageId>Microsoft.DevSkim</PackageId>
-    <PackageVersion>0.3.7</PackageVersion>
+    <PackageVersion>0.3.8</PackageVersion>
     <Authors>Microsoft</Authors>
     <PackageTags>Security Linter</PackageTags>
     <GeneratePackageOnBuild>false</GeneratePackageOnBuild>

src/Microsoft.DevSkim/Microsoft.DevSkim/TextContainer.cs

@@ -29,7 +29,7 @@ public TextContainer(string content, string language)
             {
                 if (++pos < _content.Length)
                 {
-                    pos = _content.IndexOf("\n", pos, StringComparison.Ordinal);
+                    pos = _content.IndexOf('\n', pos);
                     _lineEnds.Add(pos);
                 }
             }
@@ -167,6 +167,13 @@ private List<Boundary> MatchPattern(SearchPattern pattern, string text)
             return matchList;
         }
 
+        /// <summary>
+        /// Check whether the boundary in a text matches the scope of a search pattern (code, comment etc.)
+        /// </summary>
+        /// <param name="pattern">Pattern with scope</param>
+        /// <param name="boundary">Boundary in a text</param>
+        /// <param name="text">Text</param>
+        /// <returns>True if boundary is matching the pattern scope</returns>
         private bool ScopeMatch(SearchPattern pattern, Boundary boundary, string text)
         {
             string prefix = Language.GetCommentPrefix(_language);
@@ -176,12 +183,20 @@ private bool ScopeMatch(SearchPattern pattern, Boundary boundary, string text)
             if (pattern.Scopes.Contains(PatternScope.All) || string.IsNullOrEmpty(prefix))
                 return true;
 
-            bool isInComment = (  IsBetween(text, boundary.Index, Language.GetCommentPrefix(_language), Language.GetCommentSuffix(_language))
-                               || IsBetween(text, boundary.Index, Language.GetCommentInline(_language), "\n"));
+            bool isInComment = (  IsBetween(text, boundary.Index, prefix, suffix)
+                               || IsBetween(text, boundary.Index, inline, "\n"));
 
             return !(isInComment && !pattern.Scopes.Contains(PatternScope.Comment));
         }
 
+        /// <summary>
+        /// Checks if the index in the string lies between preffix and suffix
+        /// </summary>
+        /// <param name="text">Text</param>
+        /// <param name="index">Index to check</param>
+        /// <param name="prefix">Prefix</param>
+        /// <param name="suffix">Suffix</param>
+        /// <returns>True if the index is between prefix and suffix</returns>
         private bool IsBetween(string text, int index, string prefix, string suffix)
         {
             bool result = false;

src/Microsoft.DevSkim/build.bat

@@ -21,6 +21,8 @@ dotnet publish Microsoft.DevSkim.CLI --configuration Release --framework netcore
 dotnet publish Microsoft.DevSkim.CLI --configuration Release --framework netcoreapp2.0 --runtime linux-x64
 dotnet publish Microsoft.DevSkim.CLI --configuration Release --framework netcoreapp2.0 --runtime osx-x64
 
+rem d:\nuget pack Microsoft.DevSkim.CLI\Microsoft.DevSkim.CLI.nuspec -OutputDirectory Microsoft.DevSkim.CLI\bin\Release\netcoreapp2.0
+
 rem echo CREATING TEMP DIRECTORY FOR .DEB PACKAGE
 rem mkdir temp\devskim-ver_amd64
 rem xcopy Microsoft.DevSkim.CLI\Packaging\LinuxDeb\*.* temp\devskim-ver_amd64 /E