From 0f71134bc68fa89ab29d3e4c5fbf5285b27a810c Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 12 Feb 2024 16:25:55 +0200
Subject: [PATCH 1/2] feat(java): add Google BigQuery rule
---
rules/java/third_parties/bigquery.yml | 59 +++++++++++++++++++
tests/java/third_parties/bigquery/test.js | 18 ++++++
.../third_parties/bigquery/testdata/main.java | 31 ++++++++++
3 files changed, 108 insertions(+)
create mode 100644 rules/java/third_parties/bigquery.yml
create mode 100644 tests/java/third_parties/bigquery/test.js
create mode 100644 tests/java/third_parties/bigquery/testdata/main.java
diff --git a/rules/java/third_parties/bigquery.yml b/rules/java/third_parties/bigquery.yml
new file mode 100644
index 000000000..d39cf5121
--- /dev/null
+++ b/rules/java/third_parties/bigquery.yml
@@ -0,0 +1,59 @@
+imports:
+ - java_shared_lang_datatype
+ - java_shared_lang_instance
+patterns:
+ - pattern: $.addRow($);
+ filters:
+ - variable: BUILDER
+ detection: java_third_parties_bigquery_builder
+ - variable: HASH_MAP
+ detection: java_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+ regex: \A(java\.util\.)?HashMap\<\>\z
+trigger:
+ required_detection: java_third_parties_bigquery_row_with_data
+languages:
+ - java
+auxiliary:
+ - id: java_third_parties_bigquery_builder
+ patterns:
+ - pattern: $.newBuilder();
+ filters:
+ - variable: INSERT_REQUEST
+ regex: \A(com\.google\.cloud\.bigquery\.)?InsertAllRequest\z
+ - id: java_third_parties_bigquery_row_with_data
+ patterns:
+ - pattern: |
+ $.put($<_>, $);
+ filters:
+ - variable: HASH_MAP
+ detection: java_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+ regex: \A(java\.util\.)?HashMap\<\>\z
+ - variable: DATA_TYPE
+ detection: java_shared_lang_datatype
+ scope: result
+skip_data_types:
+ - "Unique Identifier"
+metadata:
+ description: Leakage of sensitive data to BigQuery
+ remediation_message: |
+ ## Description
+ Leaking sensitive data to third-party data tools is a common cause of data
+ leaks and can lead to data breaches. This rule looks for instances of
+ sensitive data sent to BigQuery.
+
+ ## Remediations
+ When sending data to third-party services, ensure all sensitive data is removed.
+
+ ## Resources
+ - [BigQuery docs](https://cloud.google.com/java/docs/reference/cloud-bigquery/latest)
+ cwe_id:
+ - 201
+ associated_recipe: Google Cloud BigQuery
+ id: java_third_parties_bigquery
+ documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_bigquery
diff --git a/tests/java/third_parties/bigquery/test.js b/tests/java/third_parties/bigquery/test.js
new file mode 100644
index 000000000..5fc023d06
--- /dev/null
+++ b/tests/java/third_parties/bigquery/test.js
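Review bot: The HASH_MAP instance-type regex `\A(java\.util\.)?HashMap\<\>\z`, used both in the top-level `addRow` pattern and again in `java_third_parties_bigquery_row_with_data`, accepts only the diamond form, so a row map created as `new HashMap<String, Object>()` would not bind and the rule would stay silent for it. If `java_shared_lang_instance` reports the type as written in the `new` expression (not visible here), loosening both occurrences to `\A(java\.util\.)?HashMap(<.*>)?\z` covers the explicitly typed form as well. The named pattern variables (`$<BUILDER>`, `$<HASH_MAP>`, `$<INSERT_REQUEST>`, `$<DATA_TYPE>`) show up as bare `$` in this rendering, presumably stripped as markup, so the bindings the filters refer to cannot be checked from the page. The fixture added in this patch only exercises `new HashMap<>()`, so a second case with a typed map would make the gap visible either way.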
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("bigquery", () => {
+ const testCase = "main.java"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/java/third_parties/bigquery/testdata/main.java b/tests/java/third_parties/bigquery/testdata/main.java
new file mode 100644
index 000000000..9836c86dd
--- /dev/null
+++ b/tests/java/third_parties/bigquery/testdata/main.java
@@ -0,0 +1,31 @@
+// Use bearer:expected java_third_parties_bigquery to flag expected findings
+import com.google.cloud.bigquery.BigQuery;
+import com.google.cloud.bigquery.BigQueryOptions;
+import com.google.cloud.bigquery.InsertAllRequest;
+import com.google.cloud.bigquery.InsertAllResponse;
+import com.google.cloud.bigquery.TableId;
+import com.google.cloud.bigquery.InsertAllRequest.RowToInsert;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class FooBar {
+ public static void bad(User user) {
+ BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();
+
+ TableId tableId = TableId.of("MY_DATASET_NAME", "MY_TABLE_NAME");
+
+ Map rowContent = new HashMap<>();
+ rowContent.put("name", user.name);
+ rowContent.put("location", user.location);
+ rowContent.put("email", user.email);
+
+ InsertAllResponse response = bigquery
+ // bearer:expected java_third_parties_bigquery
+ .insertAll(InsertAllRequest.newBuilder(tableId)
+ .addRow(rowContent)
+ .build()
+ );
+ }
+}
\ No newline at end of file
From 78d45320f2e04a0682de003aa47b2627fa8bd7b6 Mon Sep 17 00:00:00 2001
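Review bot: `Map rowContent = new HashMap<>();` in `bad` uses the raw `Map` type, so the fixture is only valid Java with an unchecked warning; `Map<String, Object> rowContent = new HashMap<>();` keeps the `new HashMap<>()` expression the rule's instance filter keys on while making the fixture well-typed. `java.util.List` and `InsertAllRequest.RowToInsert` are imported but never used, and `User` is referenced without a definition or import, which is fine for a scanner fixture but deserves a one-line comment such as `// User is a placeholder type; only its field accesses matter to the rule`. If the rule is meant to catch a typed map too, a second case declared with `new HashMap<String, Object>()` would exercise that path.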
From: elsapet
Date: Mon, 26 Feb 2024 15:08:33 +0200
Subject: [PATCH 2/2] wip: failing ok case
---
.../third_parties/bigquery/testdata/main.java | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tests/java/third_parties/bigquery/testdata/main.java b/tests/java/third_parties/bigquery/testdata/main.java
index 9836c86dd..49c1e6c52 100644
--- a/tests/java/third_parties/bigquery/testdata/main.java
+++ b/tests/java/third_parties/bigquery/testdata/main.java
@@ -28,4 +28,19 @@ public static void bad(User user) {
 .build()
 );
 }
+
+ public static void bad(User user) {
+ BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();
+
+ TableId tableId = TableId.of("MY_DATASET_NAME", "MY_TABLE_NAME");
+
+ Map rowContent = new HashMap<>();
+ rowContent.put("uuid", user.uuid);
+
+ InsertAllResponse response = bigquery
+ .insertAll(InsertAllRequest.newBuilder(tableId)
+ .addRow(rowContent)
+ .build()
+ );
+ }
 }
\ No newline at end of file
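Review bot: The added method is declared `public static void bad(User user)`, the same signature as the existing `bad` directly above it, so `FooBar` would not compile (duplicate method), and the name contradicts the commit subject, which calls this the ok case. Since it only stores `user.uuid` and the rule's `skip_data_types` lists `Unique Identifier`, no finding is expected here, so the line should read `public static void ok(User user) {` with no `bearer:expected` marker. The subject says the case currently fails, which suggests the skip is not taking effect for the `DATA_TYPE` bound inside the auxiliary `java_third_parties_bigquery_row_with_data` detection; worth confirming whether `skip_data_types` applies to auxiliary detections at all before relying on it. `Map rowContent` is again a raw type and should be `Map<String, Object>` to match a corrected fixture above.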