diff --git a/docs/en/enterprise-edition/policy-reference/book.yml b/docs/en/enterprise-edition/policy-reference/book.yml index 732b34439e..f16238ae72 100644 --- a/docs/en/enterprise-edition/policy-reference/book.yml +++ b/docs/en/enterprise-edition/policy-reference/book.yml @@ -146,6 +146,8 @@ topics: file: terraform-policies.adoc - name: Terraform module sources do not use a git url with a commit hash revision file: ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.adoc + - name: Terraform module sources do not use a git url with a tag or commit hash revision + file: ensure-terraform-module-sources-use-tag.adoc --- kind: chapter name: Ansible Policies @@ -2959,15 +2961,45 @@ kind: chapter name: SAST Policies dir: sast-policies topics: - - name: SAST Policies - file: sast-policies.adoc - - name: Go policies - dir: go-policies - topics: - - name: SAST Go Policy Index - file: go-policies.adoc - - name: Insecure SSH ignoring host key validation - file: sast-policy-198.adoc +- name: SAST Policies + file: sast-policies.adoc +- name: Go policies + dir: go-policies + topics: + - name: SAST Go Policy Index + file: go-policies.adoc + - name: Insecure SSH ignoring host key validation + file: sast-policy-198.adoc + - name: Weak RSA key length + file: sast-policy-200.adoc + - name: Usage of weak DES encryption algorithms + file: sast-policy-239.adoc + - name: Usage of weak MD5 hashing algorithm + file: sast-policy-240.adoc + - name: Usage of insecure RC4 cipher + file: sast-policy-241.adoc + - name: Usage of insecure SHA1 hashing algorithm + file: sast-policy-242.adoc + - name: Unsafe Go package in use + file: sast-policy-243.adoc + - name: Usage of weak random key generation + file: sast-policy-248.adoc + - name: Excessive directory permissions in Go applications + file: sast-policy-249.adoc + - name: Excessive file modification permissions + file: sast-policy-250.adoc + - name: Use of root directory in HTTP handler + file: sast-policy-253.adoc + - name: Excessive file write permissions + file: sast-policy-254.adoc + - name: Unsecured Creation of Temporary Files + file: sast-policy-255.adoc + - name: Missing HTTP server timeouts + file: sast-policy-256.adoc + - name: Usage of profiling endpoint in production + file: sast-policy-259.adoc + - name: Binding to all network interfaces + file: sast-policy-262.adoc - name: Java policies dir: java-policies topics: @@ -3231,6 +3263,8 @@ topics: file: sast-policy-196.adoc - name: Unrobust cryptographic keys file: sast-policy-197.adoc + - name: Risky usage of malicious Polyfill.io library + file: sast-policy-263.adoc - name: Python policies dir: python-policies topics: @@ -3256,8 +3290,6 @@ topics: file: sast-policy-169.adoc - name: Improper Neutralization of Wildcards or Matching Symbols file: sast-policy-170.adoc - - name: Unsafe use of 'exec' command - file: sast-policy-2.adoc - name: chmod sets a permissive mask on file file: sast-policy-3.adoc - name: Use of insecure IPMI-related modules diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/go-policies.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/go-policies.adoc index 5df975d790..aaf4585718 100644 --- a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/go-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/go-policies.adoc @@ -9,5 +9,65 @@ |CKV3_SAST_198 |LOW +|xref:sast-policy-200.adoc[Weak RSA key length] +|CKV3_SAST_200 +|MEDIUM + +|xref:sast-policy-239.adoc[Usage of weak DES encryption algorithms] +|CKV3_SAST_239 +|MEDIUM + +|xref:sast-policy-240.adoc[Usage of weak MD5 hashing algorithm] +|CKV3_SAST_240 +|MEDIUM + +|xref:sast-policy-241.adoc[Usage of insecure RC4 cipher] +|CKV3_SAST_241 +|LOW + +|xref:sast-policy-242.adoc[Usage of insecure SHA1 hashing algorithm] +|CKV3_SAST_242 +|LOW + +|xref:sast-policy-243.adoc[Unsafe Go package in use] +|CKV3_SAST_243 +|LOW + +|xref:sast-policy-248.adoc[Usage of weak random key generation] +|CKV3_SAST_248 +|MEDIUM + +|xref:sast-policy-249.adoc[Excessive directory permissions in Go applications] +|CKV3_SAST_249 +|MEDIUM + +|xref:sast-policy-250.adoc[Excessive file modification permissions] +|CKV3_SAST_250 +|MEDIUM + +|xref:sast-policy-253.adoc[Use of root directory in HTTP handler] +|CKV3_SAST_253 +|MEDIUM + +|xref:sast-policy-254.adoc[Excessive file write permissions] +|CKV3_SAST_254 +|MEDIUM + +|xref:sast-policy-255.adoc[Unsecured Creation of Temporary Files] +|CKV3_SAST_255 +|MEDIUM + +|xref:sast-policy-256.adoc[Missing HTTP server timeouts] +|CKV3_SAST_256 +|MEDIUM + +|xref:sast-policy-259.adoc[Usage of profiling endpoint in production] +|CKV3_SAST_259 +|HIGH + +|xref:sast-policy-262.adoc[Binding to all network interfaces] +|CKV3_SAST_262 +|MEDIUM + |=== \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-200.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-200.adoc new file mode 100644 index 0000000000..54a7ef7156 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-200.adoc @@ -0,0 +1,81 @@ +== Weak RSA key length + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +|CKV3_SAST_200 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/326.html[CWE-326: Inadequate Encryption Strength] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy identifies instances where RSA keys with less than 2048 bits are generated using the `crypto/rsa` package in Go applications. RSA keys with less than 2048 bits are considered insecure due to their inadequate encryption strength. It is recommended to use RSA keys with at least 2048 bits to ensure sufficient security. + +In this example, the provided code generates a vulnerable RSA key due to its insufficient 2048-bit key length. + +[source,Go] +---- +package main + +import ( + "crypto/rand" + "crypto/rsa" + "log" +) + +func main() { + // Insecure RSA key generation with less than 2048 bits + key, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + log.Fatal(err) + } + log.Println("Generated RSA key with 1024 bits:", key) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, generate RSA keys with at least 2048 bits. This ensures adequate encryption strength and security. + +In this example, the application generates an RSA key with 2048 bits. + +[source,Go] +---- +package main + +import ( + "crypto/rand" + "crypto/rsa" + "log" +) + +func main() { + // Secure RSA key generation with 2048 bits + key, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + log.Fatal(err) + } + log.Println("Generated RSA key with 2048 bits:", key) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-239.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-239.adoc new file mode 100644 index 0000000000..2bb8dd6338 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-239.adoc @@ -0,0 +1,79 @@ +== Usage of weak DES encryption algorithms + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 35640d3e-f7f7-4289-a97b-a310d4789521 + +|Checkov ID +|CKV3_SAST_239 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/327.html[CWE-327: Use of a Broken or Risky Cryptographic Algorithm] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy checks whether DES and Triple DES encryption algorithms from the crypto/des package in Go applications are in use. DES encryption algorithms are considered weak due to their small key size and are vulnerable to modern cryptanalysis techniques. Stronger algorithms such as AES from the crypto/des package with larger key sizes are recommended for enhanced security. + +The following code snippet uses the weak and insecure DES encryption algorithm from the crypto/des package. + +[source,Go] +---- +package main + +import ( + "crypto/des" + "log" +) + +func main() { + // Insecure use of DES encryption + key := []byte("weakkey") + _, err := des.NewCipher(key) + if err != nil { + log.Fatal(err) + } +} +---- + +=== Fix - Buildtime + +To mitigate this issue, replace the weak DES encryption with the more secure AES algorithm from the crypto/aes package. + +In this example, the application employs AES encryption rather than DES. + +[source,Go] +---- +package main + +import ( + "crypto/aes" + "log" +) + +func main() { + // Secure use of AES encryption + key := []byte("a very very very very secret key") // 32 bytes for AES-256 + _, err := aes.NewCipher(key) + if err != nil { + log.Fatal(err) + } +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-240.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-240.adoc new file mode 100644 index 0000000000..2d473c60af --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-240.adoc @@ -0,0 +1,75 @@ +== Usage of weak MD5 hashing algorithm + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 7c48cc99-087b-4a47-9a06-54f44f5bf0d8 + +|Checkov ID +|CKV3_SAST_240 + +|Severity +|LOW + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/328.html[CWE-328: Use of Weak Hash] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy checks whether the MD5 hashing algorithm from the crypto/md5 package is used in Go applications. The MD5 algorithm is cryptographically broken and vulnerable to producing collisions, making it unsuitable for secure hashing. + +In the following example, the application imports the crypto/md5 package and uses the weak and insecure MD5 hashing algorithm. + +[source,Go] +---- +package main + +import ( + "crypto/md5" + "fmt" +) + +func main() { + // Insecure use of MD5 hashing + data := []byte("sensitive data") + hash := md5.Sum(data) + fmt.Printf("%x\n", hash) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, replace the weak MD5 hashing algorithm with the more robust SHA-256 hashing algorithm from the crypto/sha256 package. SHA-256 provides better security due to its resistance to collision attacks. + +In this example, the application uses SHA-256 hashing instead of the less secure MD5 algorithm. + +[source,Go] +---- +package main + +import ( + "crypto/sha256" + "fmt" +) + +func main() { + // Secure use of SHA-256 hashing + data := []byte("sensitive data") + hash := sha256.Sum256(data) + fmt.Printf("%x\n", hash) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-241.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-241.adoc new file mode 100644 index 0000000000..d50379c966 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-241.adoc @@ -0,0 +1,89 @@ +== Usage of insecure RC4 cipher + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 800e109a-4d17-4a11-9b8f-5cecb45566aa + +|Checkov ID +|CKV3_SAST_241 + +|Severity +|LOW + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/327.html[CWE-327: Use of a Broken or Risky Cryptographic Algorithm] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy checks whether the outdated and insecure RC4 encryption protocol from the crypto/rc4 package in Go applications is in use. + +In the following example the application uses the insecure RC4 encryption algorithm from the imported crypto/rc4 package. + +[source,Go] +---- +package main + +import ( + "crypto/rc4" + "log" +) + +func main() { + // Insecure use of RC4 encryption + key := []byte("weakkey") + cipher, err := rc4.NewCipher(key) + if err != nil { + log.Fatal(err) + } + plaintext := []byte("sensitive data") + ciphertext := make([]byte, len(plaintext)) + cipher.XORKeyStream(ciphertext, plaintext) + log.Printf("%x\n", ciphertext) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, replace the insecure RC4 encryption algorithm with the more secure AES algorithm from the crypto/aes package. + +In this example, the application uses the secure AES encryption instead of the insecure RC4 algorithm. + +[source,Go] +---- +package main + +import ( + "crypto/aes" + "crypto/cipher" + "log" +) + +func main() { + // Secure use of AES encryption + key := []byte("a very very very very secret key") // 32 bytes for AES-256 + block, err := aes.NewCipher(key) + if err != nil { + log.Fatal(err) + } + plaintext := []byte("sensitive data") + ciphertext := make([]byte, len(plaintext)) + stream := cipher.NewCFBEncrypter(block, key[:block.BlockSize()]) + stream.XORKeyStream(ciphertext, plaintext) + log.Printf("%x\n", ciphertext) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-242.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-242.adoc new file mode 100644 index 0000000000..fad59daa36 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-242.adoc @@ -0,0 +1,75 @@ +== Usage of insecure SHA1 hashing algorithm + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 5fa237e7-a850-47be-a42b-2659a705a5e4 + +|Checkov ID +|CKV3_SAST_242 + +|Severity +|LOW + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/328.html[CWE-328: Use of Weak Hash] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy checks whether the outdated and insecure SHA1 hash function from the crypto/sha1 package in Go applications is in use. + +In the following example the application uses insecure SHA1 hashing from the imported crypto/sha1 package. + +[source,Go] +---- +package main + +import ( + "crypto/sha1" + "fmt" +) + +func main() { + // Insecure use of SHA1 hashing + data := []byte("sensitive data") + hash := sha1.Sum(data) + fmt.Printf("%x\n", hash) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, replace the insecure SHA1 hashing with modern hash functions such as SHA256 from the crypto/sha256 package. SHA256 provides enhanced security due to its resistance to collision attacks. + +In this example, the code uses the SHA-256 hashing algorithm instead of the less secure SHA1. + +[source,Go] +---- +package main + +import ( + "crypto/sha256" + "fmt" +) + +func main() { + // Secure use of SHA256 hashing + data := []byte("sensitive data") + hash := sha256.Sum256(data) + fmt.Printf("%x\n", hash) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-243.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-243.adoc new file mode 100644 index 0000000000..62b2fed38c --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-243.adoc @@ -0,0 +1,74 @@ +== Unsafe Go package in use + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 162db9e5-e042-4a20-9037-40bbbaf53b9d + +|Checkov ID +|CKV3_SAST_243 + +|Severity +|LOW + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/242.html[CWE-242: Use of Inherently Dangerous Function] + +|OWASP Categories +|N/A + +|=== + +=== Description + +This policy checks whether unsafe package are used in Go applications. Unsafe packages can compromise type and memory safety, leading to unpredictable behavior and potential vulnerabilities, and can potentially lead to difficult-to-debug errors. + +In the following example, the application imports and uses the unsafe package. + +[source,Go] +---- +package main + +import ( + "fmt" + "unsafe" +) + +func main() { + // Insecure use of the unsafe package + var i int = 42 + var f float64 = *(*float64)(unsafe.Pointer(&i)) + fmt.Println(f) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, use safe, idiomatic Go code instead of the unsafe package. This will maintain application security and reliability. + +In this example, the application uses safe, idiomatic Go code instead of the unsafe package. + +[source,Go] +---- +package main + +import ( + "fmt" +) + +func main() { + // Secure and idiomatic Go code + var i int = 42 + var f float64 = float64(i) + fmt.Println(f) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-248.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-248.adoc new file mode 100644 index 0000000000..dd0979db11 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-248.adoc @@ -0,0 +1,77 @@ +== Usage of weak random key generation + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| caefc5f5-b6a9-4cb7-a5d7-c1e21f8175aa + +|Checkov ID +|CKV3_SAST_248 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/338.html[CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] + +|OWASP Categories +|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures] + +|=== + +=== Description + +This policy checks whether Go's math/rand package in contexts requiring cryptographic randomness, such as user-specific identifiers or secret generation, is in use. The math/rand package is not cryptographically secure and should be replaced with the crypto/rand package as the cryptographically secure random number generator for enhanced security. + +In the following example, the application uses the cryptographically insecure math/rand package to generate random numbers. + +[source,Go] +---- +package main + +import ( + "log" + "math/rand" +) + +func main() { + // Insecure random number generation using math/rand + randomNumber := rand.Int63() + log.Println("Generated random number:", randomNumber) +} +---- + +=== Fix - Buildtime + +To mitigate the risk of weak randomness, replace the insecure math/rand package with the cryptographically secure crypto/rand package. This ensures that the random numbers are suitable for security-sensitive contexts. + +In this example, the application uses crypto/rand to generate a cryptographically secure random number. + +[source,Go] +---- +package main + +import ( + "crypto/rand" + "log" + "math/big" +) + +func main() { + // Secure random number generation using crypto/rand + randomNumber, err := rand.Int(rand.Reader, big.NewInt(1000000)) + if err != nil { + log.Fatal(err) + } + log.Println("Generated secure random number:", randomNumber) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-249.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-249.adoc new file mode 100644 index 0000000000..6e082acd82 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-249.adoc @@ -0,0 +1,75 @@ +== Excessive directory permissions in Go applications + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 665fea5d-07c2-4b17-9e9e-b39a72e459b7 + +|Checkov ID +|CKV3_SAST_249 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/732.html[CWE-732: Incorrect Permission Assignment for Critical Resource] + +|OWASP Categories +|https://owasp.org/Top10/A01_2021-Broken_Access_Control/[A01:2021-Broken Access Control] + +|=== + +=== Description + +This policy identifies instances where Go applications set overly permissive directory permissions using `os.Mkdir` or `os.MkdirAll`. Permissions greater than `0750` can expose directories to unauthorized access. It is recommended to use more restrictive permissions, such as `0700` for read/write access by the application user only, or `0750` to allow group users to read the files. + +In this example, the application sets overly permissive directory permissions using os.MkdirAll with a mask greater than 0750. This can potentially can expose the directory to unauthorized access. + +[source,Go] +---- +package main + +import ( + "os" +) + +func main() { + // Insecure directory permissions + err := os.MkdirAll("/path/to/dir", 0777) + if err != nil { + panic(err) + } +} +---- + +=== Fix - Buildtime + +To mitigate this issue, use more restrictive permissions when creating directories. Set os.Mkdir and os.MkdirAll mode to 0700 for exclusive owner access or 0750 for group read access. + +In this example, the application sets the directory permissions to 0700, ensuring that only the application user has access. + +[source,Go] +---- +package main + +import ( + "os" +) + +func main() { + // Secure directory permissions + err := os.MkdirAll("/path/to/dir", 0700) + if err != nil { + panic(err) + } +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-250.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-250.adoc new file mode 100644 index 0000000000..7266771aff --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-250.adoc @@ -0,0 +1,78 @@ +== Excessive file modification permissions + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| bfb7a33d-2871-4792-84e0-6044d5f214eb + +|Checkov ID +|CKV3_SAST_250 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/732.html[CWE-732: Incorrect Permission Assignment for Critical Resource] + +|OWASP Categories +|https://owasp.org/Top10/A01_2021-Broken_Access_Control/[A01:2021-Broken Access Control] + +|=== + +=== Description + +This policy detects whether Go applications set excessive file permissions using os.Chmod, os.OpenFile, or os.WriteFile. Permissions greater than 0640 can potentially expose files to unauthorized access. + +In the following example, the application sets overly permissive file permissions using os.Chmod with a mask greater than 0640. This potentially exposes the file to unauthorized access. + + +[source,Go] +---- +package main + +import ( + "os" + "log" +) + +func main() { + // Insecure file permissions + err := os.Chmod("/path/to/file", 0666) + if err != nil { + log.Fatal(err) + } +} +---- + +=== Fix - Buildtime + +To mitigate this issue, implement strict permissions for modifying files. This prevents unauthorized access by limiting access to only the necessary users. It is recommended to use `0200` for write-only access, `0400` for read-only access, or `0600` for read/write access by the application user only. + +In this example, the application sets the file permissions to `0600`, ensuring that only the application user has access. + +[source,Go] +---- +package main + +import ( + "os" + "log" +) + +func main() { + // Secure file permissions + err := os.Chmod("/path/to/file", 0600) + if err != nil { + log.Fatal(err) + } +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-253.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-253.adoc new file mode 100644 index 0000000000..5f7ebc48b1 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-253.adoc @@ -0,0 +1,73 @@ +== Use of root directory in HTTP handler + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 8e7cada1-8ee8-4594-b3ce-cc4a209acf4e + +|Checkov ID +|CKV3_SAST_253 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/552.html[CWE-552: Files or Directories Accessible to External Parties] + +|OWASP Categories +|https://owasp.org/Top10/A01_2021-Broken_Access_Control/[A01:2021-Broken Access Control] + +|=== + +=== Description + +This policy checks whether Go applications mount the root directory / to an HTTP handler function, exposing the entire filesystem. This potentially allows anyone with access to the HTTP server to access any file that the server has access to. + +In the following code snippet, the application mounts the root directory `/` to an HTTP handler, which can expose the entire filesystem to external parties. + +[source,Go] +---- +package main + +import ( + "net/http" +) + +func main() { + // Insecure use of root directory in HTTP handler + fs := http.FileServer(http.Dir("/")) + http.Handle("/", fs) + http.ListenAndServe(":8080", nil) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, restrict the `http.Dir` path to a specific folder rather than the entire filesystem. This confines file exposure to only those within the designated directory, enhancing security by minimizing access to sensitive files. + +In this example, the application restricts the `http.Dir` path to a specific folder. + +[source,Go] +---- +package main + +import ( + "net/http" +) + +func main() { + // Secure use of specific directory in HTTP handler + fs := http.FileServer(http.Dir("/path/to/specific/folder")) + http.Handle("/", fs) + http.ListenAndServe(":8080", nil) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-254.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-254.adoc new file mode 100644 index 0000000000..e603e3565f --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-254.adoc @@ -0,0 +1,80 @@ +== Excessive file write permissions + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 836d7109-9fa8-4c76-804c-68ec9a48afde + +|Checkov ID +|CKV3_SAST_254 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/276.html[CWE-276: Incorrect Default Permissions] + +|OWASP Categories +|https://owasp.org/Top10/A01_2021-Broken_Access_Control/[A01:2021-Broken Access Control] + +|=== + +=== Description + +This policy checks whether Go applications set excessive file permissions using io/ioutil.WriteFile. Permissions greater than 0600 can expose files to unauthorized access. + +In this example, the application sets excessive file permissions using ioutil.WriteFile with a mask greater than 0600. This could potentially expose the file to unauthorized access. + + +[source,Go] +---- +package main + +import ( + "io/ioutil" + "log" +) + +func main() { + // Insecure file permissions + data := []byte("Sensitive data") + err := ioutil.WriteFile("/path/to/file", data, 0666) + if err != nil { + log.Fatal(err) + } +} +---- + +=== Fix - Buildtime + +To mitigate this issue, apply more restrictive file permissions when writing files. This ensures that access is limited to only the necessary users. Recommended permissions include `0200` for write-only access, `0400` for read-only access, or `0600` for read/write access by the application user only. + +In this example, the application configures the file permissions to `0600`, ensuring that only the application user has access. + +[source,Go] +---- +package main + +import ( + "io/ioutil" + "log" +) + +func main() { + // Secure file permissions + data := []byte("Sensitive data") + err := ioutil.WriteFile("/path/to/file", data, 0600) + if err != nil { + log.Fatal(err) + } +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-255.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-255.adoc new file mode 100644 index 0000000000..92b43de239 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-255.adoc @@ -0,0 +1,79 @@ +== Unsecured Creation of Temporary Files + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| b956c612-c129-477f-849c-64826dc1f0a3 + +|Checkov ID +|CKV3_SAST_255 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/378.html[CWE-378: Creation of Temporary File With Insecure Permissions] + +|OWASP Categories +|https://owasp.org/Top10/A01_2021-Broken_Access_Control/[A01:2021-Broken Access Control] + +|=== + +=== Description + +This policy checks whether Go applications create files in shared system temporary directories (/tmp or /var/tmp) without using the os.CreateTemp function. Creating temporary files in these directories without proper precautions can potentially enable attackers to exploit symlinks, potentially leading to unintended files being created or overwritten. + +In this example, the application creates a temporary file in `/tmp` using `os.Create`, exposing the file to symlink attacks. + +[source,Go] +---- +package main + +import ( + "os" + "log" +) + +func main() { + // Insecure temporary file creation + file, err := os.Create("/tmp/insecure_temp_file") + if err != nil { + log.Fatal(err) + } + defer file.Close() +} +---- + +=== Fix - Buildtime + +To address this issue, use os.CreateTemp for creating temporary files. This function provides a secure way to create temporary files and protects against symlink attacks. + +In this example, the application uses `os.CreateTemp` to securely create a temporary file. + +[source,Go] +---- +package main + +import ( + "os" + "log" +) + +func main() { + // Secure temporary file creation + file, err := os.CreateTemp("", "secure_temp_file") + if err != nil { + log.Fatal(err) + } + defer file.Close() +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-256.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-256.adoc new file mode 100644 index 0000000000..57e2d651ff --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-256.adoc @@ -0,0 +1,77 @@ +== Missing HTTP server timeouts + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| be396736-3120-4990-af91-2b536e8ca036 + +|Checkov ID +|CKV3_SAST_256 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/400.html[CWE-400: Uncontrolled Resource Consumption] + +|OWASP Categories +|https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[A05:2021-Security Misconfiguration] + +|=== + +=== Description + +This policy checks whether Go's `net/http` serve functions are used without appropriately configured timeouts. Without timeouts, the server is vulnerable to resource exhaustion attacks, where an attacker can open numerous connections without completing the data transmission or terminating the connections. This can lead to the server being unable to accept new connections. + +In this example, the application uses `http.ListenAndServe` without setting appropriate timeouts, leaving it vulnerable to resource consumption attacks. + + +[source,Go] +---- +package main + +import ( + "net/http" +) + +func main() { + // Insecure HTTP server without timeouts + http.ListenAndServe(":8080", nil) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, configure the `http.Server` with appropriate timeouts. This limits connection durations and helps protect the server from resource consumption attacks. + +In this example, the application configures the `ReadTimeout` and `ReadHeaderTimeout` parameters to enhance the security of the HTTP server. + +[source,Go] +---- +package main + +import ( + "net/http" + "time" +) + +func main() { + // Secure HTTP server with timeouts + server := &http.Server{ + Addr: ":8080", + Handler: nil, + ReadTimeout: 10 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + } + server.ListenAndServe() +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-259.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-259.adoc new file mode 100644 index 0000000000..aacd18cdd4 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-259.adoc @@ -0,0 +1,71 @@ +== Usage of profiling endpoint in production + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| add04252-b1af-4626-ba68-f90d461949ee + +|Checkov ID +|CKV3_SAST_259 + +|Severity +|HIGH + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/489.html[CWE-489: Active Debug Code] + +|OWASP Categories +|https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[A05:2021-Security Misconfiguration] + +|=== + +=== Description + +This checks whether Go's built-in profiling service is used by detecting imports of `net/http/pprof`. The `/debug/pprof` endpoint, enabled by this import, lacks authentication and can be accessed by anonymous users, which could potentially expose sensitive information. + +In this example, the application imports `net/http/pprof`. This enables the profiling endpoint, potentially exposing sensitive information. + + +[source,Go] +---- +package main + +import ( + "net/http" + _ "net/http/pprof" +) + +func main() { + // Insecure use of profiling endpoint + http.ListenAndServe(":8080", nil) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, remove the import of `net/http/pprof` to prevent the profiling endpoint from being enabled in production environments, thus reducing the risk of sensitive information leakage. + +In this example, the import of `net/http/pprof` is removed to enhance the security of the application. + +[source,Go] +---- +package main + +import ( + "net/http" +) + +func main() { + // Secure application without profiling endpoint + http.ListenAndServe(":8080", nil) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-262.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-262.adoc new file mode 100644 index 0000000000..7ff9bc3006 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-262.adoc @@ -0,0 +1,86 @@ +== Binding to all network interfaces + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 6f0a5b73-f697-4cc8-9497-e8056dc830dc + +|Checkov ID +|CKV3_SAST_262 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|Go + +|CWEs +|https://cwe.mitre.org/data/definitions/200.html[CWE-200: Exposure of Sensitive Information to an Unauthorized Actor] + +|OWASP Categories +|https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[A05:2021-Security Misconfiguration] + +|=== + +=== Description + +This policy checks whether Go applications bind to all network interfaces using `0.0.0.0` or `[::]`. Binding to all interfaces can expose services to unintended and potentially insecure traffic. + +In this example, the application binds to all network interfaces using `0.0.0.0`, potentially exposing the service to unintended and insecure traffic. + + +[source,Go] +---- +package main + +import ( + "net" + "net/http" +) + +func main() { + // Insecure binding to all network interfaces + listener, err := net.Listen("tcp", "0.0.0.0:8080") + if err != nil { + panic(err) + } + http.Serve(listener, nil) +} +---- + +=== Fix - Buildtime + +To mitigate this issue, bind the application to a specific network interface by using its IP address. This can be achieved by specifying the IP address through an environment variable, configuration file, or by determining the primary interface(s) IP address. + +In this example, the application binds to a specific network interface using an environment variable. + +[source,Go] +---- +package main + +import ( + "net" + "net/http" + "os" +) + +func main() { + // Secure binding to a specific network interface + addr := os.Getenv("BIND_ADDR") + if addr == "" { + addr = "127.0.0.1:8080" // Default to localhost if no environment variable is set + } + + listener, err := net.Listen("tcp", addr) + if err != nil { + panic(err) + } + http.Serve(listener, nil) +} +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/javascript-policies.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/javascript-policies.adoc index 489f97754d..2553766790 100644 --- a/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/javascript-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/javascript-policies.adoc @@ -197,5 +197,9 @@ |CKV3_SAST_197 |MEDIUM +|xref:sast-policy-263.adoc[Risky usage of malicious Polyfill.io library] +|CKV3_SAST_197 +|MEDIUM + |=== \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/sast-policy-263.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/sast-policy-263.adoc new file mode 100644 index 0000000000..b6dffce112 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/javascript-policies/sast-policy-263.adoc @@ -0,0 +1,43 @@ +== Risky usage of malicious Polyfill.io library + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 5e39ff6f-a442-462f-93e3-50a551b138f7 + +|Checkov ID +|CKV3_SAST_263 + +|Severity +|MEDIUM + +|Subtype +|Build + +|Language +|JavaScript + +|=== + +=== Description + +This policy checks whether the Polyfill.io library is used in JavaScript applications. Polyfill.io has a history of serving malware; therefore, using the polyfill-library is strongly discouraged. + +In the following code snippet, the application imports the `polyfill-library`, which is considered risky due to its history of serving malware. + +[source,JavaScript] +---- +import polyfill from 'polyfill-library'; + +function main() { + // Risky usage of Polyfill.io library + polyfill(); +} +---- + +=== Fix - Buildtime + +To mitigate this issue, avoid using the `polyfill-library`. Consider alternative libraries or methods that do not pose a security risk. diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/python-policies.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/python-policies.adoc index 992197ecf2..ebfbc4fbc9 100644 --- a/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/python-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/python-policies.adoc @@ -5,10 +5,6 @@ |=== |Policy|Checkov ID| Severity -|xref:sast-policy-2.adoc[Unsafe use of 'exec' command] -|CKV3_SAST_2 -|HIGH - |xref:sast-policy-3.adoc[chmod sets a permissive mask on file] |CKV3_SAST_3 |HIGH diff --git a/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/sast-policy-2.adoc b/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/sast-policy-2.adoc deleted file mode 100644 index 101c7106c5..0000000000 --- a/docs/en/enterprise-edition/policy-reference/sast-policies/python-policies/sast-policy-2.adoc +++ /dev/null @@ -1,76 +0,0 @@ -== Unsafe use of 'exec' command - - -=== Policy Details - -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 6b69b8ae-1ebe-4f17-83d2-a683b432b10b - -|Checkov ID -|CKV3_SAST_2 - -|Severity -|HIGH - -|Subtype -|Build - -|Language -|Python - -|CWEs -|https://cwe.mitre.org/data/definitions/78.html[CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] - -|OWASP Categories -|https://owasp.org/Top10/A03_2021-Injection/[A03:2021 - Injection] - -|=== - - - -=== Description - -The `exec()` function in Python is a built-in function that is used to execute dynamically created program, which can be a string or object code. Using `exec()` can make your code susceptible to a number of security risks: - -1. Code Injection: The most significant risk with `exec()` is that it can execute arbitrary code. This opens up the possibility for an attacker to inject malicious code into your program. - -2. Debugging: Debugging issues can become difficult because the behaviour of `exec()` can depend on the runtime environment and the exact input being executed. - -3. Performance: The `exec()` function is slow as it needs to parse and compile the code each time it's called. - -Here's an example of code that might trigger this warning: - -[source,python] ----- -command = input("Enter a command: ") -exec(command) ----- - -In this example, an attacker could input Python code that deletes files, accesses sensitive data, or makes network requests. - -=== Fix - Buildtime - -To fix it, it's often possible to replace the use of `exec()` with other techniques. If you're using `exec()` to call functions, you can replace it with a dictionary of functions. If you're using it for expressions, you might be able to use `eval()` (but be aware that `eval()` has its own security implications and should also be used very carefully). - -For example, if you want to call a function based on a string, you can do it like this: - -[source,python] ----- -def func1(): - print("Function 1 was called") - -def func2(): - print("Function 2 was called") - -functions = {"func1": func1, "func2": func2} - -command = input("Enter a command: ") - -if command in functions: - functions[command]() ----- - -This way, the program only allows specific, pre-determined commands, which reduces the risk of arbitrary code execution. diff --git a/docs/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/terraform-policies.adoc b/docs/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/terraform-policies.adoc index a29eaabe2f..a87b8ff3c7 100644 --- a/docs/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/terraform-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/terraform-policies.adoc @@ -9,7 +9,7 @@ | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py[CKV_TF_1] |MEDIUM -|xref:ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.adoc[Terraform module sources do not use a git url with a tag or commit hash revision] +|xref:ensure-terraform-module-sources-use-tag.adoc[Terraform module sources do not use a git url with a tag or commit hash revision] | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionTag.py[CKV_TF_2] |HIGH