From a908f8c90f080c367653b1c949ab16054bfc7713 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Fabianski?=
Date: Fri, 23 Feb 2024 11:48:19 +0100
Subject: [PATCH] feat: improve file perm

---
 rules/go/gosec/file_permissions/file_perm.yml | 6 +-
 rules/go/gosec/file_permissions/mkdir.yml | 2 +-
 rules/go/lang/observable_timing.yml | 218 ++++++++++++++++++
 rules/javascript/lang/file_permissions.yml | 6 +-
 tests/go/lang/observable_timing/test.js | 18 ++
 .../lang/observable_timing/testdata/main.go | 1 +
 6 files changed, 244 insertions(+), 7 deletions(-)
 create mode 100644 rules/go/lang/observable_timing.yml
 create mode 100644 tests/go/lang/observable_timing/test.js
 create mode 100644 tests/go/lang/observable_timing/testdata/main.go

diff --git a/rules/go/gosec/file_permissions/file_perm.yml b/rules/go/gosec/file_permissions/file_perm.yml
index bd32ce6dc..7a658d3ec 100644
--- a/rules/go/gosec/file_permissions/file_perm.yml
+++ b/rules/go/gosec/file_permissions/file_perm.yml
@@ -17,11 +17,11 @@ auxiliary:
 filters:
 - either:
 - variable: MASK
- regex: \A07
+ regex: \A0o?7
 - variable: MASK
- regex: \A0\d[1-7]
+ regex: \A0o?\d[1-7]
 - variable: MASK
- regex: \A0\d\d[1-7]
+ regex: \A0o?\d\d[1-7]
 languages:
 - go
 metadata:
diff --git a/rules/go/gosec/file_permissions/mkdir.yml b/rules/go/gosec/file_permissions/mkdir.yml
index 8dd8c3e8d..bd902c9eb 100644
--- a/rules/go/gosec/file_permissions/mkdir.yml
+++ b/rules/go/gosec/file_permissions/mkdir.yml
@@ -15,7 +15,7 @@ auxiliary:
 - pattern: $
 filters:
 - variable: MASK
- regex: \A077
+ regex: \A0o?77
 languages:
 - go
 metadata:
diff --git a/rules/go/lang/observable_timing.yml b/rules/go/lang/observable_timing.yml
new file mode 100644
index 000000000..bea3c1e1c
--- /dev/null
+++ b/rules/go/lang/observable_timing.yml
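Review bot: The widened masks `\A0o?7`, `\A0o?\d[1-7]` and `\A0o?\d\d[1-7]` in file_perm.yml (and the same edit in mkdir.yml and rules/javascript/lang/file_permissions.yml) accept only a lowercase `o` prefix, so an `0O777`-style literal — valid in Go since 1.13 and in JavaScript — still slips past the filter. Writing the prefix as a character class keeps the widening the commit intends while closing that gap: `regex: \A0[oO]?7`, `regex: \A0[oO]?\d[1-7]`, `regex: \A0[oO]?\d\d[1-7]` here and `regex: \A0[oO]?77` in mkdir.yml. Separately, `\d` admits 8 and 9, which are not octal digits; `[0-7]` is the precise class, though since such a literal does not compile this part is cosmetic.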
@@ -0,0 +1,218 @@
+patterns:
+ - pattern: |
+ $ == $
+ filters:
+ - variable: KEY1
+ regex: /pass(word)?/
+ - variable: KEY2
+ regex: /pass(word)?/
+ # - pattern: |
+ # return $X === auth_token;
+ # - pattern: |
+ # return auth_token === $X;
+ # - pattern: |
+ # return $X === token;
+ # - pattern: |
+ # return token === $X;
+ # - pattern: |
+ # return $X === hash;
+ # - pattern: |
+ # return hash === $X;
+ # - pattern: |
+ # return $X === password;
+ # - pattern: |
+ # return password === $X;
+ # - pattern: |
+ # return $X === pass;
+ # - pattern: |
+ # return pass === $X;
+ # - pattern: |
+ # return $X === apiKey;
+ # - pattern: |
+ # return apiKey === $X;
+ # - pattern: |
+ # return $X === apiSecret;
+ # - pattern: |
+ # return apiSecret === $X;
+ # - pattern: |
+ # return $X === api_key;
+ # - pattern: |
+ # return api_key === $X;
+ # - pattern: |
+ # return $X === api_secret;
+ # - pattern: |
+ # return api_secret === $X;
+ # - pattern: |
+ # return $X === secret;
+ # - pattern: |
+ # return secret === $X;
+ # - pattern: |
+ # return $X === api;
+ # - pattern: |
+ # return api === $X;
+ # - pattern: |
+ # return $X == auth_token;
+ # - pattern: |
+ # return auth_token == $X;
+ # - pattern: |
+ # return $X == token;
+ # - pattern: |
+ # return token == $X;
+ # - pattern: |
+ # return $X == hash;
+ # - pattern: |
+ # return hash == $X;
+ # - pattern: |
+ # return $X == password;
+ # - pattern: |
+ # return password == $X;
+ # - pattern: |
+ # return $X == pass;
+ # - pattern: |
+ # return pass == $X;
+ # - pattern: |
+ # return $X == apiKey;
+ # - pattern: |
+ # return apiKey == $X;
+ # - pattern: |
+ # return $X == apiSecret;
+ # - pattern: |
+ # return apiSecret == $X;
+ # - pattern: |
+ # return $X == api_key;
+ # - pattern: |
+ # return api_key == $X;
+ # - pattern: |
+ # return $X == api_secret;
+ # - pattern: |
+ # return api_secret == $X;
+ # - pattern: |
+ # return $X == secret;
+ # - pattern: |
+ # return secret == $X;
+ # - pattern: |
+ # return $X == api;
+ # - pattern: |
+ # return api == $X;
+ # - pattern: |
+ # return $X !== auth_token;
+ # - pattern: |
+ # return auth_token !== $X;
+ # - pattern: |
+ # return $X !== token;
+ # - pattern: |
+ # return token !== $X;
+ # - pattern: |
+ # return $X !== hash;
+ # - pattern: |
+ # return hash !== $X;
+ # - pattern: |
+ # return $X !== password;
+ # - pattern: |
+ # return password !== $X;
+ # - pattern: |
+ # return $X !== pass;
+ # - pattern: |
+ # return pass !== $X;
+ # - pattern: |
+ # return $X !== apiKey;
+ # - pattern: |
+ # return apiKey !== $X;
+ # - pattern: |
+ # return $X !== apiSecret;
+ # - pattern: |
+ # return apiSecret !== $X;
+ # - pattern: |
+ # return $X !== api_key;
+ # - pattern: |
+ # return api_key !== $X;
+ # - pattern: |
+ # return $X !== api_secret;
+ # - pattern: |
+ # return api_secret !== $X;
+ # - pattern: |
+ # return $X !== secret;
+ # - pattern: |
+ # return secret !== $X;
+ # - pattern: |
+ # return $X !== api;
+ # - pattern: |
+ # return api !== $X;
+ # - pattern: |
+ # return $X != auth_token;
+ # - pattern: |
+ # return auth_token != $X;
+ # - pattern: |
+ # return $X != token;
+ # - pattern: |
+ # return token != $X;
+ # - pattern: |
+ # return $X != hash;
+ # - pattern: |
+ # return hash != $X;
+ # - pattern: |
+ # return $X != password;
+ # - pattern: |
+ # return password != $X;
+ # - pattern: |
+ # return $X != pass;
+ # - pattern: |
+ # return pass != $X;
+ # - pattern: |
+ # return $X != apiKey;
+ # - pattern: |
+ # return apiKey != $X;
+ # - pattern: |
+ # return $X != apiSecret;
+ # - pattern: |
+ # return apiSecret != $X;
+ # - pattern: |
+ # return $X != api_key;
+ # - pattern: |
+ # return api_key != $X;
+ # - pattern: |
+ # return $X != api_secret;
+ # - pattern: |
+ # return api_secret != $X;
+ # - pattern: |
+ # return $X != secret;
+ # - pattern: |
+ # return secret != $X;
+ # - pattern: |
+ # return $X != api;
+ # - pattern: |
+ # return api != $X;
+
+# auxiliary:
+# - id: go_lang_observable_timing_init
+# patterns:
+# - pattern1
+# - pattern: $
+# filters:
+# - variable: INIT
+# detection: go_lang_observable_timing_instance
+# scope: cursor
+# - id: go_lang_observable_timing_instance
+# patterns:
+# - pattern2
+languages:
+ - go
+metadata:
+ description: ""
+ remediation_message: |
+ ## Description
+
+ ## Remediations
+
+ ✅
+
+ ❌
+
+ ## References
+
+ - []()
+
+ cwe_id:
+ - 208
+ id: go_lang_observable_timing
+ documentation_url: https://docs.bearer.com/reference/rules/go_lang_observable_timing
diff --git a/rules/javascript/lang/file_permissions.yml b/rules/javascript/lang/file_permissions.yml
index f07c1ad9d..ca1a2a203 100644
--- a/rules/javascript/lang/file_permissions.yml
+++ b/rules/javascript/lang/file_permissions.yml
@@ -31,11 +31,11 @@ auxiliary:
 filters:
 - either:
 - variable: MASK
- regex: \A0o7
+ regex: \A0o?7
 - variable: MASK
- regex: \A0o\d[1-7]
+ regex: \A0o?\d[1-7]
 - variable: MASK
- regex: \A0o\d\d[1-7]
+ regex: \A0o?\d\d[1-7]
 languages:
 - javascript
 severity: high
diff --git a/tests/go/lang/observable_timing/test.js b/tests/go/lang/observable_timing/test.js
new file mode 100644
index 000000000..fbd092876
--- /dev/null
+++ b/tests/go/lang/observable_timing/test.js
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("observable_timing", () => {
+ const testCase = "main.go"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/go/lang/observable_timing/testdata/main.go b/tests/go/lang/observable_timing/testdata/main.go
new file mode 100644
index 000000000..8cb065e7d
--- /dev/null
+++ b/tests/go/lang/observable_timing/testdata/main.go
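Review bot: The two `regex: /pass(word)?/` filters on KEY1 and KEY2 in the new observable_timing.yml are written with slash delimiters, while every other regex filter in this patch (`\A0o?7` in file_perm.yml, `\A0o?77` in mkdir.yml) is a bare pattern; if the engine takes the string literally the `/` characters become part of the match and the rule never fires, so this should read `regex: pass(word)?` (or `regex: (?i)pass(word)?` to also catch `Password`). Even as intended, requiring both operands to be password-like names means a comparison such as `password == input` is not reported, and with only the `==` pattern active the `!=` form is uncovered too. The metadata ships with `description: ""` and an empty remediation_message template; for Go the remediation to document is `crypto/subtle.ConstantTimeCompare`, and the ✅/❌ placeholders should show it against a plain `==` on the secret. The roughly 180 commented-out `===`/`!==` patterns use JavaScript operators rather than Go and look carried over from another rule, so they should be deleted instead of shipped; the pattern shows as `$ == $` in this view, presumably `$<KEY1> == $<KEY2>` with the angle brackets lost in rendering, which is worth confirming against the committed file.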
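Review bot: The test in tests/go/lang/observable_timing/test.js passes vacuously: its only fixture, testdata/main.go, consists of the `// Use bearer:expected go_lang_observable_timing to flag expected findings` comment and no Go code, so `results.Missing` and `results.Extra` are trivially empty and the new rule is never exercised. Add at least one positive case in main.go (a direct `==` on a password-named value, annotated with `// bearer:expected go_lang_observable_timing`) and one negative case using `subtle.ConstantTimeCompare` so that both `Missing` and `Extra` actually constrain the rule. Both new files also lack a trailing newline (`\ No newline at end of file`), which the repo's other test files presumably have — worth matching.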
@@ -0,0 +1 @@
+// Use bearer:expected go_lang_observable_timing to flag expected findings
\ No newline at end of file