diff --git a/rules/php/lang/exception.yml b/rules/php/lang/exception.yml
new file mode 100644
index 000000000..0c86ac884
--- /dev/null
+++ b/rules/php/lang/exception.yml
@@ -0,0 +1,35 @@
+patterns:
+ - pattern: |
+ throw $;
+ filters:
+ - variable: DATA_TYPE
+ detection: datatype
+ scope: result
+languages:
+ - php
+skip_data_types:
+ - Unique Identifier
+metadata:
+ description: "Sensitive data in a exception message detected."
+ remediation_message: |
+ ## Description
+
+ Leaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.
+
+ ## Remediations
+
+ āŒ Avoid using sensitive data in logger messages:
+
+ ```php
+ throw new Exception("error for {$user->email}");
+ ```
+
+ āœ… If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+
+ ```php
+ throw new Exception("error for {$user->uuid}");
+ ```
+ cwe_id:
+ - 210
+ id: php_lang_exception
+ documentation_url: https://docs.bearer.com/reference/rules/php_lang_exception
diff --git a/tests/php/lang/exception/__snapshots__/test.js.snap b/tests/php/lang/exception/__snapshots__/test.js.snap
new file mode 100644
index 000000000..1b970bfab
--- /dev/null
+++ b/tests/php/lang/exception/__snapshots__/test.js.snap
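Review bot: The remediation text under `remediation_message` still says `āŒ Avoid using sensitive data in logger messages:` although this rule matches `throw` statements, which reads like a carry-over from a logger rule; suggest `Avoid using sensitive data in exception messages:`. The `description` line also has a grammar slip and should read `"Sensitive data in an exception message detected."`. Both strings are embedded in the generated snapshot in `tests/php/lang/exception/__snapshots__/test.js.snap`, so that file needs regenerating after the wording change. The pattern line appears in this view as `throw $;`; if the data-type placeholder was dropped by the page rather than the file this is fine, but it is worth confirming the committed pattern carries the variable that `filters` refers to as `DATA_TYPE`.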
@@ -0,0 +1,52 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`php_lang_exception bad 1`] = ` +"{ + "high": [ + { + "cwe_ids": [ + "210" + ], + "id": "php_lang_exception", + "title": "Sensitive data in a exception message detected.", + "description": "## Description\\n\\nLeaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.\\n\\n## Remediations\\n\\nāŒ Avoid using sensitive data in logger messages:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->email}\\");\\n\`\`\`\\n\\nāœ… If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->uuid}\\");\\n\`\`\`\\n", + "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_exception", + "line_number": 3, + "full_filename": "/tmp/bearer-scan/bad.php", + "filename": ".", + "data_type": { + "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", + "name": "Email Address" + }, + "category_groups": [ + "PII", + "Personal Data" + ], + "source": { + "start": 3, + "end": 3, + "column": { + "start": 42, + "end": 54 + } + }, + "sink": { + "start": 3, + "end": 3, + "column": { + "start": 1, + "end": 57 + }, + "content": "throw new Exception(\\"error occurred for {$user->email}\\")" + }, + "parent_line_number": 3, + "snippet": "throw new Exception(\\"error occurred for {$user->email}\\")", + "fingerprint": "70ef43ccc75d77cc05321c82fe7852c6_0", + "old_fingerprint": "2b002c2a933af8de1c1d21ef38d88015_0", + "code_extract": "throw new Exception(\\"error occurred for {$user->email}\\");" + } + ] +}" +`; + +exports[`php_lang_exception ok 1`] = `"{}"`; diff --git a/tests/php/lang/exception/test.js b/tests/php/lang/exception/test.js new file mode 100644 index 000000000..bca0fa61e --- /dev/null +++ b/tests/php/lang/exception/test.js 
@@ -0,0 +1,16 @@
+const { createInvoker, getEnvironment } = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createInvoker(ruleId, ruleFile, testBase)
+
+ test("bad", () => {
+ const testCase = "bad.php"
+ expect(invoke(testCase)).toMatchSnapshot()
+ })
+
+ test("ok", () => {
+ const testCase = "ok.php"
+ expect(invoke(testCase)).toMatchSnapshot()
+ })
+})
diff --git a/tests/php/lang/exception/testdata/bad.php b/tests/php/lang/exception/testdata/bad.php
new file mode 100644
index 000000000..c047fea6f
--- /dev/null
+++ b/tests/php/lang/exception/testdata/bad.php
@@ -0,0 +1,3 @@
+email}");
diff --git a/tests/php/lang/exception/testdata/ok.php b/tests/php/lang/exception/testdata/ok.php
new file mode 100644
index 000000000..f064f00b8
--- /dev/null
+++ b/tests/php/lang/exception/testdata/ok.php
@@ -0,0 +1,3 @@
+uuid}");
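Review bot: The bad fixture appears to exercise only a message interpolated directly inside the `throw` expression (`throw new Exception("error occurred for {$user->email}")`, per the snapshot), so the test does not show whether the `datatype` filter also flags a message assembled into a variable before the throw, e.g. `$message = "error for {$user->email}"; throw new Exception($message);`; a second case in `bad.php` would pin that behaviour. The fixture hunks for `bad.php` and `ok.php` are truncated in this view (only `+email}");` and `+uuid}");` survive), so their full contents are inferred from the snapshot rather than seen. As a style point, the statements in `test.js` omit terminating semicolons and rely on ASI; sibling tests presumably follow the same convention, so only worth changing if the repository lints for it.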