diff --git a/rules/java/third_parties/new_relic.yml b/rules/java/third_parties/new_relic.yml
new file mode 100644
index 000000000..229693521
--- /dev/null
+++ b/rules/java/third_parties/new_relic.yml
@@ -0,0 +1,44 @@
+imports:
+ - java_shared_lang_datatype
+patterns:
+ - pattern: |
+ $.$($<...>$$<...>)
+ filters:
+ - variable: NEW_RELIC
+ regex: \A(com\.newrelic\.api\.agent\.)?NewRelic\z
+ - variable: METHOD
+ values:
+ - addCustomParameter
+ - noticeError
+ - recordMetric
+ - setAccountName
+ - setInstanceName
+ - setProductName
+ - setUserId
+ - setUserName
+ - variable: DATA_TYPE
+ detection: java_shared_lang_datatype
+languages:
+ - java
+skip_data_types:
+ - "Unique Identifier"
+metadata:
+ description: "Leakage of sensitive data to New Relic"
+ remediation_message: |
+ ## Description
+ Leaking sensitive data to third-party loggers is a common cause of data
+ leaks and can lead to data breaches. This rule looks for instances of
+ sensitive data sent to New Relic.
+
+ ## Remediations
+
+ When logging errors or events, ensure all sensitive data is removed.
+
+ ## Resources
+ - [New Relic Docs](https://docs.newrelic.com/)
+ - [Log obfuscation](https://docs.newrelic.com/docs/logs/ui-data/obfuscation-ui/)
+ cwe_id:
+ - 201
+ associated_recipe: New Relic
+ id: java_third_parties_new_relic
+ documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_new_relic
diff --git a/tests/java/third_parties/new_relic/test.js b/tests/java/third_parties/new_relic/test.js
new file mode 100644
index 000000000..c60b0fcbe
--- /dev/null
+++ b/tests/java/third_parties/new_relic/test.js
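Review bot: As rendered here the pattern `$.$($<...>$$<...>)` does not name any of the three variables the filters bind (NEW_RELIC, METHOD, DATA_TYPE), so none of the filters would ever attach to a match; if the angle-bracketed variable names were merely dropped by this view, disregard this, otherwise the pattern needs `$<NEW_RELIC>.$<METHOD>($<...>$<DATA_TYPE>$<...>)`. Separately, `skip_data_types: - "Unique Identifier"` silently exempts calls such as `setUserId(user.uuid)` from the rule, and nothing in the file says why; a one-line comment above it, e.g. `# identifiers are expected to reach New Relic (setUserId etc.); only other sensitive data types are reported`, would spare the next reader a trip to the test data to infer the intent.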
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("new_relic", () => {
+ const testCase = "main.java"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/java/third_parties/new_relic/testdata/main.java b/tests/java/third_parties/new_relic/testdata/main.java
new file mode 100644
index 000000000..a50438299
--- /dev/null
+++ b/tests/java/third_parties/new_relic/testdata/main.java
@@ -0,0 +1,46 @@
+// Use bearer:expected java_third_parties_new_relic to flag expected findings
+import com.newrelic.api.agent.NewRelic;
+
+public class FooBar {
+ public void bad(User user) {
+ // ...
+ // bearer:expected java_third_parties_new_relic
+ NewRelic.addCustomParameter("userEmail", user.email);
+ // ...
+ }
+
+ public void bad2(User user) {
+ // ...
+ // bearer:expected java_third_parties_new_relic
+ NewRelic.recordMetric(user.name, 123);
+ // ...
+ }
+
+ public void bad3(User user) {
+ // ...
+ // bearer:expected java_third_parties_new_relic
+ NewRelic.noticeError("Some error for user " + user.email);
+ // ...
+ }
+
+ public void bad4(User user) {
+ // ...
+ // bearer:expected java_third_parties_new_relic
+ NewRelic.setUserId(user.email);
+ // ...
+ }
+
+ public void bad5(User user) {
+ // ...
+ // bearer:expected java_third_parties_new_relic
+ NewRelic.setUserName(user.name);
+ // ...
+ }
+
+ public void bad5(User user) {
+ // ...
+ NewRelic.setUserId(user.uuid);
+ NewRelic.addCustomParameter("user", user.uuid);
+ // ...
+ }
+}
\ No newline at end of file
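Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the closing `})`), and the same is true of tests/java/third_parties/new_relic/testdata/main.java in the next hunk. Adding the final newline to both keeps them consistent with formatter output and avoids a spurious last-line change the next time either file is touched.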
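Review bot: `public void bad5(User user)` is declared twice in FooBar with the same signature, so this fixture is not valid Java even though the scanner may still match on it; the second one should be renamed, e.g. `public void bad6(User user) {`. That second method is also the only negative case in the file (it uses `user.uuid`, which the rule's "Unique Identifier" skip_data_types entry exempts) but carries no comment saying why it has no `bearer:expected` marker; a line such as `// not expected: uuid is a Unique Identifier, which the rule skips` above the two calls would make the intent explicit and stop a future edit from "fixing" it by adding the marker.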