feat(java): airbrake library (CWE-201) (#252)

Bearer · Feb 12, 2024 · 2360ae7 · 2360ae7
1 parent 9d2fd4e
commit 2360ae7
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 0 deletions.
diff --git a/rules/java/third_parties/airbrake_javabrake.yml b/rules/java/third_parties/airbrake_javabrake.yml
@@ -0,0 +1,49 @@
+imports:
+  - java_shared_lang_datatype
+patterns:
+  - pattern: $<AIRBRAKE>.report($<DATA_TYPE>$<...>);
+    filters:
+      - variable: AIRBRAKE
+        regex: \A(io\.airbrake\.javabrake\.)?Airbrake\z
+      - variable: DATA_TYPE
+        detection: java_shared_lang_datatype
+  - pattern: $<AIRBRAKE_NOTICE>.$<METHOD>($<_>, $<DATA_TYPE>);
+    filters:
+      - variable: AIRBRAKE_NOTICE
+        detection: java_third_parties_airbrake_javabrake_notice
+      - variable: METHOD
+        values:
+          - setContext
+          - setParam
+      - variable: DATA_TYPE
+        detection: java_shared_lang_datatype
+auxiliary:
+  - id: java_third_parties_airbrake_javabrake_notice
+    patterns:
+      - pattern: $<AIRBRAKE>.buildNotice();
+        filters:
+          - variable: AIRBRAKE
+            regex: \A(io\.airbrake\.javabrake\.)?Airbrake\z
+languages:
+  - java
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: Leakage of sensitive data to Airbrake
+  remediation_message: |
+    ## Description
+    Leaking sensitive data to third-party loggers is a common cause of data
+    leaks and can lead to data breaches. This rule looks for instances of
+    sensitive data sent to Airbrake.
+
+    ## Remediations
+
+    ✅ When logging errors or events, ensure all sensitive data is removed.
+
+    ## Resources
+    - [Airbrake Docs](https://docs.airbrake.io/docs/platforms/java/)
+  cwe_id:
+    - 201
+  associated_recipe: Airbrake
+  id: java_third_parties_airbrake_javabrake
+  documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_airbrake_javabrake
diff --git a/tests/java/third_parties/airbrake_javabrake/test.js b/tests/java/third_parties/airbrake_javabrake/test.js
@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("airbrake_javabrake", () => {
+    const testCase = "main.java"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
diff --git a/tests/java/third_parties/airbrake_javabrake/testdata/main.java b/tests/java/third_parties/airbrake_javabrake/testdata/main.java
@@ -0,0 +1,31 @@
+// Use bearer:expected java_third_parties_airbrake_javabrake to flag expected findings
+import io.airbrake.javabrake.Airbrake;
+import io.airbrake.javabrake.Notice;
+
+public class AirbrakeJavabrake() {
+  public static void bad(User user) {
+    try {
+      do();
+    } catch (IOException e) {
+      // bearer:expected java_third_parties_airbrake_javabrake
+      Airbrake.report(e + " for " + user.username);
+    }
+  }
+
+  public static void bad(User user) {
+    Notice notice = Airbrake.buildNotice(e);
+    // bearer:expected java_third_parties_airbrake_javabrake
+    notice.setContext("user", user.username);
+    // bearer:expected java_third_parties_airbrake_javabrake
+    notice.setParam("email", user.email);
+    Airbrake.send(notice);
+  }
+
+  public static void ok() {
+    try {
+      do();
+    } catch (IOException e) {
+      Airbrake.report(e);
+    }
+  }
+}