Pull request for 10 rules ESS-ENN (#5)

Author: ESS-ENN

rules/c/security/libxml2-audit-parser-c.yml

@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-c
+language: c
+severity: warning
+message: >-
+  The libxml2 library is used to parse XML. When auditing such code, make
+  sure that either the document being parsed is trusted or that the parsing
+  options are safe to consume untrusted documents. In such case make sure
+  DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity Reference.
+  [REFERENCES]
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+    - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+    - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)

rules/c/security/sizeof-this-c.yml

@@ -0,0 +1,13 @@
+id: sizeof-this-c
+language: c
+severity: warning
+message: >-
+  Do not use `sizeof(this)` to get the number of bytes of the object in
+  memory. It returns the size of the pointer, not the size of the object.
+note: >-
+  [CWE-467]: Use of sizeof() on a Pointer Type
+  [REFERENCES]
+      - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+rule:
+  any:
+    - pattern: "sizeof(this)"

rules/cpp/security/libxml2-audit-parser-cpp.yml

@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-cpp
+language: Cpp
+severity: warning
+message: >-
+  The libxml2 library is used to parse XML. When auditing such code, make
+  sure that either the document being parsed is trusted or that the parsing
+  options are safe to consume untrusted documents. In such case make sure
+  DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity Reference.
+  [REFERENCES]
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+    - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+    - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)

rules/csharp/security/httponly-false-csharp.yml

@@ -0,0 +1,25 @@
+id: httponly-false-csharp
+language: csharp
+severity: warning
+message: >-
+  "Detected a cookie where the `HttpOnly` flag is either missing or
+      disabled. The `HttpOnly` cookie flag instructs the browser to forbid
+      client-side JavaScript to read the cookie. If JavaScript interaction is
+      required, you can ignore this finding. However, set the `HttpOnly` flag to
+      `true` in all other cases. If this wasn't intentional, it's recommended to
+      set the HttpOnly flag to true so the cookie will not be accessible through
+      client-side scripts or to use the Cookie Policy Middleware to globally set
+      the HttpOnly flag. You can then use the CookieOptions class when
+      instantiating the cookie, which inherits these settings and will require
+      future developers to have to explicitly override them on a case-by-case
+      basis if needed. This approach ensures cookies are secure by default."
+note: >-
+  [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"
+  [REFERENCES]
+      - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware
+      - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: $BUILDER.Cookie.HttpOnly = false;
+    - pattern: $COOKIE.HttpOnly = false;

rules/html/security/plaintext-http-link-html.yml

@@ -0,0 +1,14 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+  "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+  [CWE-319] Authentication Bypass by Primary Weakness
+  [REFERENCES]
+      -  https://cwe.mitre.org/data/definitions/319.html
+rule:
+  pattern: <a $$$ href=$URL>$C</a>
+constraints:
+  URL:
+    regex: ^['"`]?([Hh][Tt][Tt][Pp]://)

rules/java/security/cbc-padding-oracle-java.yml

@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+  Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+      malicious actor could discern the difference between plaintext with valid
+      or invalid padding. Further, CBC mode does not include any integrity
+      checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://capec.mitre.org/data/definitions/463.html
+rule:
+  pattern: Cipher.getInstance($MODE)
+constraints:
+  MODE:
+    regex: ".*/CBC/PKCS5Padding"

rules/java/security/cbc-padding-oracle.yml

@@ -0,0 +1,16 @@
+id: des-is-deprecated-java
+severity: warning
+language: java
+message: >-
+  DES is considered deprecated. AES is the recommended cipher. Upgrade to
+  use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+  for more information.
+note: >-
+  [CWE-326] Inadequate Encryption Strength.
+  [REFERENCES]
+      - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+  pattern: $CIPHER.getInstance($SAS)
+constraints:
+  SAS:
+    regex: "DES"

rules/java/security/des-is-deprecated-java.yml

@@ -0,0 +1,16 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+  Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+  [CWE-326]: Inadequate Encryption Strength
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+      - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+      - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+  any:
+    - pattern: $CIPHER.getInstance("=~/DESede.*/")
+    - pattern: $CRYPTO.KeyGenerator.getInstance("DES")

rules/java/security/desede-is-deprecated-java.yml

@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+  Cipher in ECB mode is detected. ECB mode produces the same output for
+  the same input each time which allows an attacker to intercept and replay
+  the data. Further, ECB mode does not provide any integrity checking. See
+  https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+  MODE:
+    regex: .*ECB.*