feat: add more cases to exception rule

Bearer · Oct 9, 2023 · f80f05e · f80f05e
1 parent 346baad
commit f80f05e
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 0 deletions.
diff --git a/rules/php/lang/exception.yml b/rules/php/lang/exception.yml
@@ -5,6 +5,15 @@ patterns:
       - variable: DATA_TYPE
         detection: datatype
         scope: result
+  - pattern: $<FUNCTION>($<DATA_TYPE>)
+    filters:
+      - variable: FUNCTION
+        values:
+          - die
+          - exit
+      - variable: DATA_TYPE
+        detection: datatype
+        scope: result
 languages:
   - php
 skip_data_types:

diff --git a/tests/php/lang/exception/__snapshots__/test.js.snap b/tests/php/lang/exception/__snapshots__/test.js.snap
@@ -44,6 +44,90 @@ exports[`php_lang_exception bad 1`] = `
       "fingerprint": "70ef43ccc75d77cc05321c82fe7852c6_0",
       "old_fingerprint": "2b002c2a933af8de1c1d21ef38d88015_0",
       "code_extract": "throw new Exception(\\"error occurred for {$user->email}\\");"
+    },
+    {
+      "cwe_ids": [
+        "210"
+      ],
+      "id": "php_lang_exception",
+      "title": "Sensitive data in a exception message detected.",
+      "description": "## Description\\n\\nLeaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->email}\\");\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->uuid}\\");\\n\`\`\`\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_exception",
+      "line_number": 5,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "data_type": {
+        "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b",
+        "name": "Email Address"
+      },
+      "category_groups": [
+        "PII",
+        "Personal Data"
+      ],
+      "source": {
+        "start": 5,
+        "end": 5,
+        "column": {
+          "start": 26,
+          "end": 38
+        }
+      },
+      "sink": {
+        "start": 5,
+        "end": 5,
+        "column": {
+          "start": 1,
+          "end": 41
+        },
+        "content": "die(\\"error occurred for {$user->email}\\")"
+      },
+      "parent_line_number": 5,
+      "snippet": "die(\\"error occurred for {$user->email}\\")",
+      "fingerprint": "70ef43ccc75d77cc05321c82fe7852c6_1",
+      "old_fingerprint": "2b002c2a933af8de1c1d21ef38d88015_1",
+      "code_extract": "die(\\"error occurred for {$user->email}\\");"
+    },
+    {
+      "cwe_ids": [
+        "210"
+      ],
+      "id": "php_lang_exception",
+      "title": "Sensitive data in a exception message detected.",
+      "description": "## Description\\n\\nLeaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->email}\\");\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`php\\nthrow new Exception(\\"error for {$user->uuid}\\");\\n\`\`\`\\n",
+      "documentation_url": "https://docs.bearer.com/reference/rules/php_lang_exception",
+      "line_number": 6,
+      "full_filename": "/tmp/bearer-scan/bad.php",
+      "filename": ".",
+      "data_type": {
+        "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b",
+        "name": "Email Address"
+      },
+      "category_groups": [
+        "PII",
+        "Personal Data"
+      ],
+      "source": {
+        "start": 6,
+        "end": 6,
+        "column": {
+          "start": 27,
+          "end": 39
+        }
+      },
+      "sink": {
+        "start": 6,
+        "end": 6,
+        "column": {
+          "start": 1,
+          "end": 42
+        },
+        "content": "exit(\\"error occurred for {$user->email}\\")"
+      },
+      "parent_line_number": 6,
+      "snippet": "exit(\\"error occurred for {$user->email}\\")",
+      "fingerprint": "70ef43ccc75d77cc05321c82fe7852c6_2",
+      "old_fingerprint": "2b002c2a933af8de1c1d21ef38d88015_2",
+      "code_extract": "exit(\\"error occurred for {$user->email}\\");"
     }
   ]
 }"

diff --git a/tests/php/lang/exception/testdata/bad.php b/tests/php/lang/exception/testdata/bad.php
@@ -1,3 +1,6 @@
 <?php
 
 throw new Exception("error occurred for {$user->email}");
+
+die("error occurred for {$user->email}");
+exit("error occurred for {$user->email}");
diff --git a/tests/php/lang/exception/testdata/ok.php b/tests/php/lang/exception/testdata/ok.php
@@ -1,3 +1,6 @@
 <?php
 
 throw new Exception("error occurred for {$user->uuid}");
+
+die("error occurred for {$user->uuid}");
+exit("error occurred for {$user->uuid}");