diff --git a/package-lock.json b/package-lock.json
index 5baf8101..d07b351b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -46,6 +46,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "darwin"
@@ -62,6 +63,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "darwin"
@@ -78,6 +80,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "linux"
@@ -94,6 +97,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "linux"
@@ -110,6 +114,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
@@ -126,6 +131,7 @@
 "ia32"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
@@ -142,6 +148,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
@@ -155,6 +162,7 @@
 "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.3.tgz",
 "integrity": "sha512-bwy0MGW55bG41VqxxypOsdSdGqLwXPI/focwgTYCFMbdUiBAxLg9CFzG08sz2aqzknwiX7Hkl0bQENjg8iLByw==",
 "dev": true,
+ "license": "Apache-2.0",
 "engines": {
 "node": ">=8"
 }
diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml
new file mode 100644
index 00000000..1ca41137
--- /dev/null
+++ b/rules/java/security/cookie-secure-flag-false-java.yml
@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+ [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+ [REFERENCES]
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+ pattern: $COOKIE.setSecure(false);
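Review bot: The message in the cookie-secure-flag-false-java hunk claims a cookie was detected "without setting the 'secure' flag", but `pattern: $COOKIE.setSecure(false);` only fires on an explicit call with `false`; a cookie on which `setSecure` is never called is not reported, so the finding text overstates the rule's coverage. Suggest rewording the first sentence to `The 'secure' flag is explicitly disabled on $COOKIE via setSecure(false).` and, in the note, stating that the never-called case is out of scope for this pattern. Because the pattern ends in `;`, a `setSecure(false)` used as an expression-bodied lambda (`() -> cookie.setSecure(false)`) presumably will not match either; that is acceptable at warning severity but worth recording so nobody assumes the rule is exhaustive.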
diff --git a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml b/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml
new file mode 100644
index 00000000..7a1b53e3
--- /dev/null
+++ b/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml
@@ -0,0 +1,46 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+language: java
+severity: warning
+message: >-
+ DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
+ external entity declarations, this is vulnerable to XML external entity
+ attacks. Disable this by setting the feature
+ "http://apache.org/xml/features/disallow-doctype-decl" to true.
+ Alternatively, allow DOCTYPE declarations and only prohibit external
+ entities declarations. This can be done by setting the features
+ "http://xml.org/sax/features/external-general-entities" and
+ "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+ [CWE-611]: mproper Restriction of XML External Entity Reference
+ [OWASP A04:2017]: XML External Entities (XXE)
+ [OWASP A05:2021 - Security Misconfiguration]
+ [REFERENCES]
+ https://blog.sonarsource.com/secure-xml-processor
+ https://xerces.apache.org/xerces2-j/features.html
+utils:
+ match_expression_statement:
+ kind: expression_statement
+ has:
+ stopBy: end
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: '^setFeature$'
+ has:
+ kind: argument_list
+ all:
+ - has:
+ stopBy: end
+ kind: string_literal
+ regex: 'http://apache.org/xml/features/disallow-doctype-decl'
+ - has:
+ stopBy: end
+ regex: '^false$'
+rule:
+ any:
+ - matches: match_expression_statement
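Review bot: The message interpolates `$DBFACTORY`, but nothing in `utils.match_expression_statement` binds that metavariable — the first `has` clause only requires some `identifier` somewhere under the `method_invocation` — so the rendered finding will print the literal placeholder instead of the receiver name. If I read ast-grep's relational rules correctly, binding the receiver directly fixes it: replace the first `- has:` branch with `- has:` / `field: object` / `pattern: $DBFACTORY`, which also tightens the match to the invocation's receiver rather than any descendant identifier (the current clause is satisfied by `setFeature` itself). The receiver is not restricted to `DocumentBuilderFactory` despite the rule id, which the snapshot for `SAXParserFactory` later in this diff confirms; the message should say "for $DBFACTORY's parser factory" or similar rather than implying one API. There is also a typo in the note, `mproper` should be `Improper`, and the single-branch `rule: any: - matches:` can be simply `rule: matches: match_expression_statement`.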
diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
new file mode 100644
index 00000000..b4c1bec6
--- /dev/null
+++ b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: cookie-secure-flag-false-java
+snapshots:
+ ? |
+ cookie.setSecure(false);
+ : labels:
+ - source: cookie.setSecure(false);
+ style: primary
+ start: 0
+ end: 24
diff --git a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml
new file mode 100644
index 00000000..9d49ce7d
--- /dev/null
+++ b/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml
@@ -0,0 +1,70 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+snapshots:
+ ? |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ }
+ : labels:
+ - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ style: primary
+ start: 106
+ end: 184
+ - source: dbf
+ style: secondary
+ start: 106
+ end: 109
+ - source: setFeature
+ style: secondary
+ start: 110
+ end: 120
+ - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+ style: secondary
+ start: 121
+ end: 175
+ - source: 'false'
+ style: secondary
+ start: 177
+ end: 182
+ - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+ style: secondary
+ start: 120
+ end: 183
+ - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+ style: secondary
+ start: 106
+ end: 183
+ ? |
+ ParserConfigurationException {
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ }
+ : labels:
+ - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ style: primary
+ start: 94
+ end: 172
+ - source: spf
+ style: secondary
+ start: 94
+ end: 97
+ - source: setFeature
+ style: secondary
+ start: 98
+ end: 108
+ - source: '"http://apache.org/xml/features/disallow-doctype-decl"'
+ style: secondary
+ start: 109
+ end: 163
+ - source: 'false'
+ style: secondary
+ start: 165
+ end: 170
+ - source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
+ style: secondary
+ start: 108
+ end: 171
+ - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
+ style: secondary
+ start: 94
+ end: 171
diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml
new file mode 100644
index 00000000..4d2b0fdb
--- /dev/null
+++ b/tests/java/cookie-secure-flag-false-java-test.yml
@@ -0,0 +1,10 @@
+id: cookie-secure-flag-false-java
+valid:
+ - |
+ response.addCookie(cookie);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ response.addCookie(cookie);
+invalid:
+ - |
+ cookie.setSecure(false);
diff --git a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml b/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml
new file mode 100644
index 00000000..4b4d4183
--- /dev/null
+++ b/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml
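Review bot: The `valid` fixture in cookie-secure-flag-false-java-test.yml calls `response.addCookie(cookie);` before `cookie.setSecure(true);`, so the "good" example itself models an insecure ordering — in the Servlet implementations I know, `addCookie` serializes the Set-Cookie header at call time, so the first call would emit the cookie without the Secure attribute regardless of what is set afterwards. The rule passes because it only matches `setSecure(false)`, but a fixture meant to illustrate correct usage should not contain a pattern a reviewer would flag; drop the first `response.addCookie(cookie);` line. Consider also adding an `invalid` case with a non-trivial receiver, e.g. `session.getCookie().setSecure(false);`, to pin that `$COOKIE` matches an arbitrary expression and not just a simple identifier.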
@@ -0,0 +1,51 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+valid:
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ }
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ }
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ }
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ }
+ - |
+ ParserConfigurationException {
+ SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+invalid:
+ - |
+ ParserConfigurationException {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ }
+ - |
+ ParserConfigurationException {
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ }
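Review bot: The `valid` list never exercises the alternative the rule's own message recommends — leaving DOCTYPE allowed and only setting `external-general-entities` and `external-parameter-entities` to `false`, with no `disallow-doctype-decl` call at all — so a later tightening of the rule could start flagging that documented-as-safe configuration without any test noticing. Suggest a valid snippet containing just those two `setFeature(..., false)` lines. On the `invalid` side, both cases use a plain local receiver; adding one with a field or chained receiver, e.g. `this.factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);`, would pin that the match does not depend on the receiver being a simple identifier, which the rule's first `has` clause (as written elsewhere in this diff) only loosely constrains.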