Merge pull request #3310 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Feb 22, 2024 · 3775a40 · 3775a40
2 parents 6667002 + 3abb4d5
commit 3775a40
Show file tree

Hide file tree

Showing 12 changed files with 300 additions and 42 deletions.
diff --git a/go/jwt-go/security/jwt-none-alg.yaml b/go/jwt-go/security/jwt-none-alg.yaml
@@ -26,9 +26,13 @@ rules:
   languages: [go]
   severity: ERROR
   patterns:
-  - pattern-inside: |
-      import "github.com/dgrijalva/jwt-go"
-      ...
+  - pattern-either:
+    - pattern-inside: |
+        import "github.com/golang-jwt/jwt"
+        ...
+    - pattern-inside: |
+        import "github.com/dgrijalva/jwt-go"
+        ...
   - pattern-either:
     - pattern: |
         jwt.SigningMethodNone

diff --git a/ruby/lang/security/bad-deserialization-yaml.fixed.rb b/ruby/lang/security/bad-deserialization-yaml.fixed.rb
@@ -1,23 +1,43 @@
- def bad_deserialization
+def bad_deserialization
 
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ruleid: bad-deserialization-yaml
-    obj = Psych.safe_load(data)
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ruleid: bad-deserialization-yaml
+   obj = Psych.safe_load(data)
+end
 
- end
+def ok_deserialization
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(data, safe: true)
 
- def ok_deserialization
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ok: bad-deserialization-yaml
-    obj = YAML.load(data, safe: true)
+   filename = File.read("test.txt")
+   data = YAML.dump(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(filename)
 
-    filename = File.read("test.txt")
-    data = YAML.dump(filename)
-    # ok: bad-deserialization-yaml
-    YAML.load(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(File.read("test.txt"))
 
-    # ok: bad-deserialization-yaml
-    YAML.load(File.read("test.txt"))
- end
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")).result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")))
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml")).result
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template.result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml")))
+end
diff --git a/ruby/lang/security/bad-deserialization-yaml.rb b/ruby/lang/security/bad-deserialization-yaml.rb
@@ -1,23 +1,43 @@
- def bad_deserialization
+def bad_deserialization
 
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ruleid: bad-deserialization-yaml
-    obj = YAML.load(data)
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ruleid: bad-deserialization-yaml
+   obj = YAML.load(data)
+end
 
- end
+def ok_deserialization
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(data, safe: true)
 
- def ok_deserialization
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ok: bad-deserialization-yaml
-    obj = YAML.load(data, safe: true)
+   filename = File.read("test.txt")
+   data = YAML.dump(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(filename)
 
-    filename = File.read("test.txt")
-    data = YAML.dump(filename)
-    # ok: bad-deserialization-yaml
-    YAML.load(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(File.read("test.txt"))
 
-    # ok: bad-deserialization-yaml
-    YAML.load(File.read("test.txt"))
- end
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")).result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")))
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml")).result
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template.result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml")))
+end
diff --git a/ruby/lang/security/bad-deserialization-yaml.yaml b/ruby/lang/security/bad-deserialization-yaml.yaml
@@ -8,17 +8,29 @@ rules:
   - pattern-not: |
       YAML.load("...", ...)
   - pattern-not-inside: |
-      $FILE = File.read("...", ...)
+      YAML.load(..., File.read(...), ...)
+  - pattern-not-inside: |
+      $FILE = File.read(...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      $FILENAME = "..."
+      $FILENAME = ...
       ...
       $FILE = File.read($FILENAME, ...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      YAML.load(..., File.read("...", ...), ...)
+          YAML.load(..., $X.$Y(File.read(...)), ...)
+  - pattern-not-inside: |
+      YAML.load(..., $X.$Y(File.read(...)).$Z, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T.$R, ...)
   fix: Psych.safe_load($...ARGS)
   message: >-
     Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings,

diff --git a/terraform/lang/security/iam/no-iam-creds-exposure.tf b/terraform/lang/security/iam/no-iam-creds-exposure.tf
@@ -67,6 +67,26 @@ resource "aws_iam_policy" "policy" {
   })
 }
 
+resource "aws_iam_policy" "policy" {
+  name        = "test_policy"
+  path        = "/"
+  description = "My test policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # ok: no-iam-creds-exposure
+        Action = ["ec2:GetPasswordData"]
+        Effect   = "Deny"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
 data aws_iam_policy_document "policy" {
    statement {
      # ruleid: no-iam-creds-exposure
@@ -78,3 +98,17 @@ data aws_iam_policy_document "policy" {
      resources = ["*"]
    }
 }
+
+data aws_iam_policy_document "policy" {
+   statement {
+     # ok: no-iam-creds-exposure
+     actions = ["chime:CreateApiKey"]
+     principals {
+       type        = "AWS"
+       identifiers = ["*"]
+     }
+     resources = ["*"]
+     effect = "Deny"
+   }
+}
+
diff --git a/terraform/lang/security/iam/no-iam-creds-exposure.yaml b/terraform/lang/security/iam/no-iam-creds-exposure.yaml
@@ -15,6 +15,20 @@ rules:
             })
             ...
           }
+      - pattern-not-inside: |
+          resource $TYPE "..." {
+            ...
+            policy = jsonencode({
+              ...
+              Statement = [
+                ...,
+                {... Effect = "Deny" ...},
+                ...
+              ]
+              ...
+            })
+            ...
+          }
       - pattern: |
           Action = $ACTION
       - metavariable-pattern:
@@ -37,6 +51,16 @@ rules:
             }
             ...
           }
+      - pattern-not-inside: |
+          data aws_iam_policy_document "..." {
+            ...
+            statement {
+              ...
+              effect = "Deny"
+              ...
+            }
+            ...
+          }
       - pattern: |
           actions = [..., $ACTION, ...]
   - metavariable-pattern:

diff --git a/terraform/lang/security/iam/no-iam-data-exfiltration.yaml b/terraform/lang/security/iam/no-iam-data-exfiltration.yaml
@@ -17,6 +17,20 @@ rules:
             })
             ...
           }
+      - pattern-not-inside: |
+          resource $TYPE "..." {
+            ...
+            policy = jsonencode({
+              ...
+              Statement = [
+                ...,
+                {... Effect = "Deny" ...},
+                ...
+              ]
+              ...
+            })
+            ...
+          }
       - pattern: |
           Action = $ACTION
       - metavariable-pattern:
@@ -41,6 +55,16 @@ rules:
             }
             ...
           }
+      - pattern-not-inside: |
+          data aws_iam_policy_document "..." {
+            ...
+            statement {
+              ...
+              effect = "Deny"
+              ...
+            }
+            ...
+          }
       - pattern: |
           actions = [..., $ACTION, ...]
   - metavariable-pattern:

diff --git a/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml b/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml
@@ -15,6 +15,20 @@ rules:
             })
             ...
           }
+      - pattern-not-inside: |
+          resource $TYPE "..." {
+            ...
+            policy = jsonencode({
+              ...
+              Statement = [
+                ...,
+                {... Effect = "Deny" ...},
+                ...
+              ]
+              ...
+            })
+            ...
+          }
       - pattern: Action = $ACTION
       - metavariable-pattern:
           metavariable: $TYPE
@@ -36,6 +50,16 @@ rules:
             }
             ...
           }
+      - pattern-not-inside: |
+          data aws_iam_policy_document "..." {
+            ...
+            statement {
+              ...
+              effect = "Deny"
+              ...
+            }
+            ...
+          }
       - pattern: |
           actions = [..., $ACTION, ...]
   - metavariable-pattern:

diff --git a/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml b/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml
@@ -17,6 +17,20 @@ rules:
             })
             ...
           }
+      - pattern-not-inside: |
+          resource $TYPE "..." {
+            ...
+            policy = jsonencode({
+              ...
+              Statement = [
+                ...,
+                {... Effect = "Deny" ...},
+                ...
+              ]
+              ...
+            })
+            ...
+          }
       - pattern: |
           Action = $ACTION
       - metavariable-pattern:
@@ -41,6 +55,16 @@ rules:
             }
             ...
           }
+      - pattern-not-inside: |
+          data aws_iam_policy_document "..." {
+            ...
+            statement {
+              ...
+              effect = "Deny"
+              ...
+            }
+            ...
+          }
       - pattern: |
           actions = [..., $ACTION, ...]
   - metavariable-pattern: