From 2360ae7d7c55260e3c46256ca5a17c6678f97e04 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 12 Feb 2024 10:06:45 +0200
Subject: [PATCH] feat(java): airbrake library (CWE-201) (#252)

---
 .../java/third_parties/airbrake_javabrake.yml | 49 +++++++++++++++++++
 .../third_parties/airbrake_javabrake/test.js | 18 +++++++
 .../airbrake_javabrake/testdata/main.java | 31 ++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 rules/java/third_parties/airbrake_javabrake.yml
 create mode 100644 tests/java/third_parties/airbrake_javabrake/test.js
 create mode 100644 tests/java/third_parties/airbrake_javabrake/testdata/main.java

diff --git a/rules/java/third_parties/airbrake_javabrake.yml b/rules/java/third_parties/airbrake_javabrake.yml
new file mode 100644
index 000000000..68ecb2f7c
--- /dev/null
+++ b/rules/java/third_parties/airbrake_javabrake.yml
@@ -0,0 +1,49 @@
+imports:
+  - java_shared_lang_datatype
+patterns:
+  - pattern: $.report($$<...>);
+    filters:
+      - variable: AIRBRAKE
+        regex: \A(io\.airbrake\.javabrake\.)?Airbrake\z
+      - variable: DATA_TYPE
+        detection: java_shared_lang_datatype
+  - pattern: $.$($<_>, $);
+    filters:
+      - variable: AIRBRAKE_NOTICE
+        detection: java_third_parties_airbrake_javabrake_notice
+      - variable: METHOD
+        values:
+          - setContext
+          - setParam
+      - variable: DATA_TYPE
+        detection: java_shared_lang_datatype
+auxiliary:
+  - id: java_third_parties_airbrake_javabrake_notice
+    patterns:
+      - pattern: $.buildNotice();
+        filters:
+          - variable: AIRBRAKE
+            regex: \A(io\.airbrake\.javabrake\.)?Airbrake\z
+languages:
+  - java
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: Leakage of sensitive data to Airbrake
+  remediation_message: |
+    ## Description
+    Leaking sensitive data to third-party loggers is a common cause of data
+    leaks and can lead to data breaches. This rule looks for instances of
+    sensitive data sent to Airbrake.
+
+    ## Remediations
+
+    ✅ When logging errors or events, ensure all sensitive data is removed.
+
+    ## Resources
+    - [Airbrake Docs](https://docs.airbrake.io/docs/platforms/java/)
+  cwe_id:
+    - 201
+  associated_recipe: Airbrake
+  id: java_third_parties_airbrake_javabrake
+  documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_airbrake_javabrake
diff --git a/tests/java/third_parties/airbrake_javabrake/test.js b/tests/java/third_parties/airbrake_javabrake/test.js
new file mode 100644
index 000000000..7e4e69b31
--- /dev/null
+++ b/tests/java/third_parties/airbrake_javabrake/test.js
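Review bot: The AIRBRAKE filter regex `\A(io\.airbrake\.javabrake\.)?Airbrake\z` (used by both the `report` pattern and the `buildNotice` auxiliary) only admits the static `Airbrake` facade, so the same calls made on a `Notifier` instance — javabrake also documents `new Notifier(config).report(e)` / `notifier.buildNotice(e)`, as far as I recall — would escape the rule; worth confirming against the library and, if so, adding an auxiliary that detects `new $<NOTIFIER>($<...>)` with regex `\A(io\.airbrake\.javabrake\.)?Notifier\z` and accepting it for AIRBRAKE alongside the class-name regex. The METHOD filter covers only `setContext` and `setParam`; if `Notice` exposes other key/value setters (session or environment data, as the other Airbrake notifiers do), those would also need listing. Separately, the pattern lines as rendered here (`$.report($$<...>);`, `$.$($<_>, $);`, `$.buildNotice();`) appear to have lost their angle-bracketed variable names, which the filters reference as AIRBRAKE, DATA_TYPE, AIRBRAKE_NOTICE and METHOD — presumably the committed file reads `$<AIRBRAKE>.report(...)` and so on, but the diff should be checked against the repository rather than this rendering.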
@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("airbrake_javabrake", () => {
+    const testCase = "main.java"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
\ No newline at end of file
diff --git a/tests/java/third_parties/airbrake_javabrake/testdata/main.java b/tests/java/third_parties/airbrake_javabrake/testdata/main.java
new file mode 100644
index 000000000..b9c5fbddf
--- /dev/null
+++ b/tests/java/third_parties/airbrake_javabrake/testdata/main.java
@@ -0,0 +1,31 @@
+// Use bearer:expected java_third_parties_airbrake_javabrake to flag expected findings
+import io.airbrake.javabrake.Airbrake;
+import io.airbrake.javabrake.Notice;
+
+public class AirbrakeJavabrake() {
+  public static void bad(User user) {
+    try {
+      do();
+    } catch (IOException e) {
+      // bearer:expected java_third_parties_airbrake_javabrake
+      Airbrake.report(e + " for " + user.username);
+    }
+  }
+
+  public static void bad(User user) {
+    Notice notice = Airbrake.buildNotice(e);
+    // bearer:expected java_third_parties_airbrake_javabrake
+    notice.setContext("user", user.username);
+    // bearer:expected java_third_parties_airbrake_javabrake
+    notice.setParam("email", user.email);
+    Airbrake.send(notice);
+  }
+
+  public static void ok() {
+    try {
+      do();
+    } catch (IOException e) {
+      Airbrake.report(e);
+    }
+  }
+}
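Review bot: The file is committed without a trailing newline (the `\ No newline at end of file` marker after the closing `})`), which differs from the other test files in this tree and will show up as a spurious change the next time someone touches it; add the newline. The test itself is the standard one-fixture harness, so nothing else to raise here beyond noting that any fixture parsing problem (see the main.java hunk) would surface only as a non-empty `results.Missing`, which makes the assertion order `Missing` then `Extra` the more useful one to keep.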
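Review bot: The fixture declares `bad(User user)` twice with the same signature, declares the class as `AirbrakeJavabrake()` with parentheses, and calls `do()` (a reserved word), so it is not valid Java; fixtures here are presumably only parsed rather than compiled, but a duplicate method and a keyword used as an identifier can yield parser error nodes that silently change which lines are matched. I would rename the second case `public static void badNotice(User user) {` and replace `do();` with `doWork();`. The `e` passed to `Airbrake.buildNotice(e)` in the second `bad` is never declared — it looks like a leftover from the try/catch form and could take a parameter `Exception e` instead. The `ok()` case only covers `Airbrake.report(e)`; adding a non-sensitive `notice.setContext("version", "1.0");` as a second negative case would guard the `setContext`/`setParam` pattern against false positives.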