Add C# BinaryFormatter and Ruby force_ssl security rules with tests (#148)

* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* force-ssl-false-ruby

* insecure-binaryformatter-deserialization-csharp

---------

Co-authored-by: Sakshis <[email protected]>

Author: ESS-ENN

rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml

@@ -0,0 +1,44 @@
+id: insecure-binaryformatter-deserialization-csharp
+severity: warning
+language: csharp
+message: >-
+  The BinaryFormatter type is dangerous and is not recommended for data
+  processing. Applications should stop using BinaryFormatter as soon as
+  possible, even if they believe the data they're processing to be
+  trustworthy. BinaryFormatter is insecure and can't be made secure.
+note: >-
+  [CWE-502] Deserialization of Untrusted Data.
+  [REFERENCES]
+      - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
+
+ast-grep-essentials: true
+
+utils:
+  MATCH_PATTERN_BinaryFormatter:
+   pattern: new BinaryFormatter()
+   any:
+    - inside:
+        stopBy: end
+        follows:
+          stopBy: end
+          kind: using_directive
+          pattern: using System.Runtime.Serialization.Formatters.Binary;      
+    - inside:
+        kind: global_statement
+        stopBy: end
+        follows:
+          stopBy: end
+          kind: using_directive
+          pattern: using System.Runtime.Serialization.Formatters.Binary
+   not:
+    inside:
+      kind: object_creation_expression
+      stopBy: end
+      not:
+        inside:
+          kind: variable_declarator
+          stopBy: end
+                
+rule:
+  matches: MATCH_PATTERN_BinaryFormatter
+    

rules/ruby/security/force-ssl-false-ruby.yml

@@ -0,0 +1,28 @@
+id: force-ssl-false-ruby
+language: ruby
+severity: warning
+message: >-
+  Checks for configuration setting of force_ssl to false. Force_ssl
+  forces usage of HTTPS, which could lead to network interception of
+  unencrypted application traffic. To fix, set config.force_ssl = true.
+note: >-
+  [CWE-311] Missing Encryption of Sensitive Data.
+  [REFERENCES]
+      - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb
+
+ast-grep-essentials: true
+
+utils:
+  config.force_ssl = $FAL:
+    kind: assignment
+    all:
+      - has:
+          kind: call
+          pattern: config.force_ssl
+      - has:
+          regex: ^\s*false$
+
+rule:
+  kind: assignment
+  any:
+    - matches: config.force_ssl = $FAL

tests/__snapshots__/force-ssl-false-ruby-snapshot.yml

@@ -0,0 +1,19 @@
+id: force-ssl-false-ruby
+snapshots:
+  ? |
+    def bad_ssl
+    config.force_ssl = false
+    end
+  : labels:
+    - source: config.force_ssl = false
+      style: primary
+      start: 12
+      end: 36
+    - source: config.force_ssl
+      style: secondary
+      start: 12
+      end: 28
+    - source: 'false'
+      style: secondary
+      start: 31
+      end: 36

tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml

@@ -0,0 +1,26 @@
+id: insecure-binaryformatter-deserialization-csharp
+
+invalid:
+  - |
+    using System.Runtime.Serialization.Formatters.Binary; 
+    namespace InsecureDeserialization
+    {
+     public class InsecureBinaryFormatterDeserialization
+     {
+        public void BinaryFormatterDeserialization(string json)
+        {
+            try
+            {
+                BinaryFormatter binaryFormatter = new BinaryFormatter();
+
+                MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));
+                binaryFormatter.Deserialize(memoryStream);
+                memoryStream.Close();
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine(e);
+            }
+        }
+    }
+    }

tests/ruby/force-ssl-false-ruby-test.yml

@@ -0,0 +1,11 @@
+id: force-ssl-false-ruby
+valid:
+  - |
+    def bad_ssl
+    config.force_ssl = true
+    end
+invalid:
+  - |
+    def bad_ssl
+    config.force_ssl = false
+    end