feat: improve file perm

Bearer · Feb 23, 2024 · a908f8c · a908f8c
1 parent 1003a32
commit a908f8c
Show file tree

Hide file tree

Showing 6 changed files with 244 additions and 7 deletions.
diff --git a/rules/go/gosec/file_permissions/file_perm.yml b/rules/go/gosec/file_permissions/file_perm.yml
@@ -17,11 +17,11 @@ auxiliary:
         filters:
           - either:
               - variable: MASK
-                regex: \A07
+                regex: \A0o?7
               - variable: MASK
-                regex: \A0\d[1-7]
+                regex: \A0o?\d[1-7]
               - variable: MASK
-                regex: \A0\d\d[1-7]
+                regex: \A0o?\d\d[1-7]
 languages:
   - go
 metadata:

diff --git a/rules/go/gosec/file_permissions/mkdir.yml b/rules/go/gosec/file_permissions/mkdir.yml
@@ -15,7 +15,7 @@ auxiliary:
       - pattern: $<MASK>
         filters:
           - variable: MASK
-            regex: \A077
+            regex: \A0o?77
 languages:
   - go
 metadata:

diff --git a/rules/go/lang/observable_timing.yml b/rules/go/lang/observable_timing.yml
@@ -0,0 +1,218 @@
+patterns:
+  - pattern: |
+      $<KEY1> == $<KEY2>
+    filters:
+      - variable: KEY1
+        regex: /pass(word)?/
+      - variable: KEY2
+        regex: /pass(word)?/
+    # - pattern: |
+    #     return $X === auth_token;
+    # - pattern: |
+    #     return auth_token === $X;
+    # - pattern: |
+    #     return $X === token;
+    # - pattern: |
+    #     return token === $X;
+    # - pattern: |
+    #     return $X === hash;
+    # - pattern: |
+    #     return hash === $X;
+    # - pattern: |
+    #     return $X === password;
+    # - pattern: |
+    #     return password === $X;
+    # - pattern: |
+    #     return $X === pass;
+    # - pattern: |
+    #     return pass === $X;
+    # - pattern: |
+    #     return $X === apiKey;
+    # - pattern: |
+    #     return apiKey === $X;
+    # - pattern: |
+    #     return $X === apiSecret;
+    # - pattern: |
+    #     return apiSecret === $X;
+    # - pattern: |
+    #     return $X === api_key;
+    # - pattern: |
+    #     return api_key === $X;
+    # - pattern: |
+    #     return $X === api_secret;
+    # - pattern: |
+    #     return api_secret === $X;
+    # - pattern: |
+    #     return $X === secret;
+    # - pattern: |
+    #     return secret === $X;
+    # - pattern: |
+    #     return $X === api;
+    # - pattern: |
+    #     return api === $X;
+    # - pattern: |
+    #     return $X == auth_token;
+    # - pattern: |
+    #     return auth_token == $X;
+    # - pattern: |
+    #     return $X == token;
+    # - pattern: |
+    #     return token == $X;
+    # - pattern: |
+    #     return $X == hash;
+    # - pattern: |
+    #     return hash == $X;
+    # - pattern: |
+    #     return $X == password;
+    # - pattern: |
+    #     return password == $X;
+    # - pattern: |
+    #     return $X == pass;
+    # - pattern: |
+    #     return pass == $X;
+    # - pattern: |
+    #     return $X == apiKey;
+    # - pattern: |
+    #     return apiKey == $X;
+    # - pattern: |
+    #     return $X == apiSecret;
+    # - pattern: |
+    #     return apiSecret == $X;
+    # - pattern: |
+    #     return $X == api_key;
+    # - pattern: |
+    #     return api_key == $X;
+    # - pattern: |
+    #     return $X == api_secret;
+    # - pattern: |
+    #     return api_secret == $X;
+    # - pattern: |
+    #     return $X == secret;
+    # - pattern: |
+    #     return secret == $X;
+    # - pattern: |
+    #     return $X == api;
+    # - pattern: |
+    #     return api == $X;
+    # - pattern: |
+    #     return $X !== auth_token;
+    # - pattern: |
+    #     return auth_token !== $X;
+    # - pattern: |
+    #     return $X !== token;
+    # - pattern: |
+    #     return token !== $X;
+    # - pattern: |
+    #     return $X !== hash;
+    # - pattern: |
+    #     return hash !== $X;
+    # - pattern: |
+    #     return $X !== password;
+    # - pattern: |
+    #     return password !== $X;
+    # - pattern: |
+    #     return $X !== pass;
+    # - pattern: |
+    #     return pass !== $X;
+    # - pattern: |
+    #     return $X !== apiKey;
+    # - pattern: |
+    #     return apiKey !== $X;
+    # - pattern: |
+    #     return $X !== apiSecret;
+    # - pattern: |
+    #     return apiSecret !== $X;
+    # - pattern: |
+    #     return $X !== api_key;
+    # - pattern: |
+    #     return api_key !== $X;
+    # - pattern: |
+    #     return $X !== api_secret;
+    # - pattern: |
+    #     return api_secret !== $X;
+    # - pattern: |
+    #     return $X !== secret;
+    # - pattern: |
+    #     return secret !== $X;
+    # - pattern: |
+    #     return $X !== api;
+    # - pattern: |
+    #     return api !== $X;
+    # - pattern: |
+    #     return $X != auth_token;
+    # - pattern: |
+    #     return auth_token != $X;
+    # - pattern: |
+    #     return $X != token;
+    # - pattern: |
+    #     return token != $X;
+    # - pattern: |
+    #     return $X != hash;
+    # - pattern: |
+    #     return hash != $X;
+    # - pattern: |
+    #     return $X != password;
+    # - pattern: |
+    #     return password != $X;
+    # - pattern: |
+    #     return $X != pass;
+    # - pattern: |
+    #     return pass != $X;
+    # - pattern: |
+    #     return $X != apiKey;
+    # - pattern: |
+    #     return apiKey != $X;
+    # - pattern: |
+    #     return $X != apiSecret;
+    # - pattern: |
+    #     return apiSecret != $X;
+    # - pattern: |
+    #     return $X != api_key;
+    # - pattern: |
+    #     return api_key != $X;
+    # - pattern: |
+    #     return $X != api_secret;
+    # - pattern: |
+    #     return api_secret != $X;
+    # - pattern: |
+    #     return $X != secret;
+    # - pattern: |
+    #     return secret != $X;
+    # - pattern: |
+    #     return $X != api;
+    # - pattern: |
+    #     return api != $X;
+
+# auxiliary:
+#   - id: go_lang_observable_timing_init
+#     patterns:
+#       - pattern1
+#       - pattern: $<INIT>
+#         filters:
+#           - variable: INIT
+#             detection: go_lang_observable_timing_instance
+#             scope: cursor
+#   - id: go_lang_observable_timing_instance
+#     patterns:
+#       - pattern2
+languages:
+  - go
+metadata:
+  description: ""
+  remediation_message: |
+    ## Description
+
+    ## Remediations
+
+    ✅
+
+    ❌
+
+    ## References
+
+    - []()
+
+  cwe_id:
+    - 208
+  id: go_lang_observable_timing
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_observable_timing
diff --git a/rules/javascript/lang/file_permissions.yml b/rules/javascript/lang/file_permissions.yml
@@ -31,11 +31,11 @@ auxiliary:
         filters:
           - either:
               - variable: MASK
-                regex: \A0o7
+                regex: \A0o?7
               - variable: MASK
-                regex: \A0o\d[1-7]
+                regex: \A0o?\d[1-7]
               - variable: MASK
-                regex: \A0o\d\d[1-7]
+                regex: \A0o?\d\d[1-7]
 languages:
   - javascript
 severity: high

diff --git a/tests/go/lang/observable_timing/test.js b/tests/go/lang/observable_timing/test.js
@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("observable_timing", () => {
+    const testCase = "main.go"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
diff --git a/tests/go/lang/observable_timing/testdata/main.go b/tests/go/lang/observable_timing/testdata/main.go
@@ -0,0 +1 @@
+// Use bearer:expected go_lang_observable_timing to flag expected findings
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		// Use bearer:expected go_lang_observable_timing to flag expected findings