From 08734c185e12743b7e4723bbdca9fae405ae47e2 Mon Sep 17 00:00:00 2001
From: Wilian Gabriel
Date: Wed, 23 Mar 2022 12:36:20 -0300
Subject: [PATCH] nginx:chore - Adding improvements on nginx rules (#1041)

In this commit I changed to add Safe and Unsafe code in all rules of the nginx. Reference from issue #630 and #1020.

Signed-off-by: Wilian Gabriel
---
 internal/services/engines/nginx/rules.go | 48 +++++++++++--------
 internal/services/engines/nginx/rules_test.go | 25 +++++-----
 .../nginx/{samples_test.go => samples.go} | 0
 3 files changed, 40 insertions(+), 33 deletions(-)
 rename internal/services/engines/nginx/{samples_test.go => samples.go} (100%)

diff --git a/internal/services/engines/nginx/rules.go b/internal/services/engines/nginx/rules.go
index 6c22722d6..338474b05 100644
--- a/internal/services/engines/nginx/rules.go
+++ b/internal/services/engines/nginx/rules.go
@@ -27,11 +27,13 @@ import (
 func NewIncludeXFrameOptionsHeader() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-NGINX-1",
- Name: "Improper Restriction of Rendered UI Layers or Frames",
- Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-NGINX-1",
+ Name: "Improper Restriction of Rendered UI Layers or Frames",
+ Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSNGINX1,
+ UnsafeExample: SampleVulnerableHSNGINX1,
 },
 Type: text.NotMatch,
 Expressions: []*regexp.Regexp{
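Review bot: The `Description` on the new side tells the user to include `X-Frame-Options` but not where, and nginx's `add_header` is not inherited into any `location` block that declares its own `add_header`, so a header set once at `server` level can be silently missing from those locations while a file-level `text.NotMatch` rule (whose expressions start after this hunk) presumably stays quiet. I would append to the description: `Set it with add_header X-Frame-Options DENY always; at server level and repeat it in every location block that has its own add_header directives.` It is also worth noting in the description that `Content-Security-Policy: frame-ancestors` supersedes X-Frame-Options, since a config relying on CSP alone would likely be reported as a false positive unless the regexes allow for it. `NewIncludeXFrameOptionsHeader` continues past the end of this hunk.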
@@ -43,11 +45,13 @@ func NewIncludeXFrameOptionsHeader() *text.Rule {
 func NewIncludeXContentTypeOptionsHeader() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-NGINX-2",
- Name: "Missing X-Content-Type-Options header",
- Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-NGINX-2",
+ Name: "Missing X-Content-Type-Options header",
+ Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSNGINX2,
+ UnsafeExample: SampleVulnerableHSNGINX2,
 },
 Type: text.NotMatch,
 Expressions: []*regexp.Regexp{
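Review bot: The new `Description` explains what `X-Content-Type-Options` does but never states the value, and `nosniff` is the only value browsers honour, so someone fixing the finding has to look it up; I would append `Add "add_header X-Content-Type-Options nosniff always;" to the http or server block.` to the description string. Whether the expressions (listed after this hunk) require `nosniff` rather than just the header name is not visible here; if they only match the name, an empty or misspelled value would satisfy this NotMatch rule and that deserves a comment next to the regex. The rest of `NewIncludeXContentTypeOptionsHeader` is outside the hunk.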
@@ -59,11 +63,13 @@ func NewIncludeXContentTypeOptionsHeader() *text.Rule {
 func NewIncludeContentSecurityPolicyHeader() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-NGINX-3",
- Name: "Missing Content-Security-Policy header",
- Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-NGINX-3",
+ Name: "Missing Content-Security-Policy header",
+ Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSNGINX3,
+ UnsafeExample: SampleVulnerableHSNGINX3,
 },
 Type: text.NotMatch,
 Expressions: []*regexp.Regexp{
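Review bot: The presence of a `Content-Security-Policy` header says nothing about whether the policy is useful — `default-src *` or a policy carrying `'unsafe-inline'` would satisfy a presence check — so the new `Description` should say that this rule only verifies the header is set and that the policy content still needs review, and name a safe starting point such as `add_header Content-Security-Policy "default-src 'self'" always;`. The `always` flag is relevant to all three header rules in this file: without it nginx omits `add_header` headers from 4xx/5xx responses, which is exactly where error pages get framed or sniffed. Minor wording: `checkout` should be `check out` in each of the four descriptions. The regex list and the rest of `NewIncludeContentSecurityPolicyHeader` are outside the hunk.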
@@ -75,11 +81,13 @@ func NewIncludeContentSecurityPolicyHeader() *text.Rule {
 func NewIncludeServerTokensOff() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-NGINX-4",
- Name: "Exposure of Sensitive Information",
- Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-NGINX-4",
+ Name: "Exposure of Sensitive Information",
+ Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSNGINX4,
+ UnsafeExample: SampleVulnerableHSNGINX4,
 },
 Type: text.NotMatch,
 Expressions: []*regexp.Regexp{
diff --git a/internal/services/engines/nginx/rules_test.go b/internal/services/engines/nginx/rules_test.go
index 639ac7e9e..29bfdb687 100644
--- a/internal/services/engines/nginx/rules_test.go
+++ b/internal/services/engines/nginx/rules_test.go
@@ -15,7 +15,6 @@ package nginx
 import (
- "fmt"
 "path/filepath"
 "testing"
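Review bot: The new `Description` for HS-NGINX-4 is generic CWE-200 text and overstates what `server_tokens off;` achieves — it only drops the version string from the `Server` header and from default error pages; nginx still announces itself as `Server: nginx` — so a reader may believe the server is no longer fingerprintable. I would replace the middle sentences with `Without it nginx sends its exact version in the Server header and on error pages, which lets attackers pick version-specific exploits; server_tokens off hides the version but not the product name. The directive is valid in the http, server and location contexts.` The rest of `NewIncludeServerTokensOff` is outside the hunk.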
@@ -31,12 +30,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 Name: "HS-NGINX-1",
 Rule: NewIncludeXFrameOptionsHeader(),
 Src: SampleVulnerableHSNGINX1,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 Findings: []engine.Finding{
 {
 CodeSample: "",
 SourceLocation: engine.Location{
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 Line: 0,
 Column: 0,
 },
@@ -47,12 +46,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 Name: "HS-NGINX-2",
 Rule: NewIncludeXContentTypeOptionsHeader(),
 Src: SampleVulnerableHSNGINX2,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 Findings: []engine.Finding{
 {
 CodeSample: "",
 SourceLocation: engine.Location{
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 Line: 0,
 Column: 0,
 },
@@ -63,12 +62,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 Name: "HS-NGINX-3",
 Rule: NewIncludeContentSecurityPolicyHeader(),
 Src: SampleVulnerableHSNGINX3,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 Findings: []engine.Finding{
 {
 CodeSample: "",
 SourceLocation: engine.Location{
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 Line: 0,
 Column: 0,
 },
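Review bot: Every expected `engine.Finding` in these hunks pins `Line: 0`, `Column: 0` and `CodeSample: ""` without saying why, which reads like a placeholder rather than an intentional assertion. If the reason is that a `text.NotMatch` rule reports the absence of a directive and therefore has no line to point at — which seems likely but is not visible from here — a comment above the first `Findings:` such as `// NotMatch rules flag the whole file, so the location carries no line, column or snippet.` would make the zero values deliberate and stop a future contributor "fixing" them. `TestRulesVulnerableCode` starts before this hunk.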
@@ -79,12 +78,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 Name: "HS-NGINX-4",
 Rule: NewIncludeServerTokensOff(),
 Src: SampleVulnerableHSNGINX4,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 Findings: []engine.Finding{
 {
 CodeSample: "",
 SourceLocation: engine.Location{
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 Line: 0,
 Column: 0,
 },
@@ -103,25 +102,25 @@ func TestRulesSafeCode(t *testing.T) {
 Name: "HS-NGINX-1",
 Rule: NewIncludeXFrameOptionsHeader(),
 Src: SampleSafeHSNGINX1,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 },
 {
 Name: "HS-NGINX-2",
 Rule: NewIncludeXContentTypeOptionsHeader(),
 Src: SampleSafeHSNGINX2,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 },
 {
 Name: "HS-NGINX-3",
 Rule: NewIncludeContentSecurityPolicyHeader(),
 Src: SampleSafeHSNGINX3,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 },
 {
 Name: "HS-NGINX-4",
 Rule: NewIncludeServerTokensOff(),
 Src: SampleSafeHSNGINX4,
- Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+ Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 },
 }
diff --git a/internal/services/engines/nginx/samples_test.go b/internal/services/engines/nginx/samples.go
similarity index 100%
rename from internal/services/engines/nginx/samples_test.go
rename to internal/services/engines/nginx/samples.go
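Review bot: The vulnerable-code table only covers samples with the directive entirely absent, and the safe-code table only proves the four safe samples produce no finding; because every rule is `text.NotMatch`, a config where the directive appears only in a comment (`# add_header X-Frame-Options DENY;`) would presumably also be judged safe, and no case pins that. I would add one vulnerable case per rule whose `Src` contains the directive only as a comment and expects the same zero-location finding as the existing cases; if the engine reports nothing for it, the expressions are matching commented-out text and need a leading `^\s*[^#]` style guard. `TestRulesSafeCode` continues past the hunk, and the `samples_test.go` → `samples.go` rename at the end of this line is what lets the `SafeExample`/`UnsafeExample` metadata fields in rules.go reference the samples from non-test code.
```go
// … unchanged: existing HS-NGINX-4 case in TestRulesVulnerableCode …
{
	Name:     "HS-NGINX-1-commented-out-directive",
	Rule:     NewIncludeXFrameOptionsHeader(),
	Src:      "# add_header X-Frame-Options DENY;\nserver {\n    listen 80;\n}\n",
	Filename: filepath.Join(tempDir, "HS-NGINX-1-comment.test"),
	Findings: []engine.Finding{{
		CodeSample:     "",
		SourceLocation: engine.Location{Filename: filepath.Join(tempDir, "HS-NGINX-1-comment.test"), Line: 0, Column: 0},
	}},
},
```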