Skip to content

Commit

Permalink
Update rule metadata (#2346)
Browse files Browse the repository at this point in the history
  • Loading branch information
saberduck authored Nov 12, 2020
1 parent 46062a9 commit 61aa15d
Show file tree
Hide file tree
Showing 26 changed files with 101 additions and 118 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,7 @@ <h2>Compliant Solution</h2>
</pre>
<h2>See</h2>
<ul>
<li> <a href="https://www.securecoding.cert.org/confluence/x/1QGMAg">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement
</li>
<li> <a href="https://www.securecoding.cert.org/confluence/x/3wHEAw">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement
</li>
<li> <a href="https://wiki.sei.cmu.edu/confluence/x/g9YxBQ">CERT, EXP19-C.</a> - Use braces for the body of an if, for, or while statement </li>
<li> <a href="https://wiki.sei.cmu.edu/confluence/x/MzZGBQ">CERT, EXP52-J.</a> - Use braces for the body of an if, for, or while statement </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
<li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
<li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
</ul>
<p>Credentials should be stored outside of the code in a configuration file, a database or secret management service. </p>
<p>Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets. </p>
<p>This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection
strings, and for variable names that match any of the patterns from the provided list.</p>
<p>It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...</p>
Expand All @@ -20,7 +20,7 @@ <h2>Recommended Secure Coding Practices</h2>
<ul>
<li> Store the credentials in a configuration file that is not pushed to the code repository. </li>
<li> Store the credentials in a database. </li>
<li> Use the secret management service of you cloud provider. </li>
<li> Use your cloud provider's service for managing secrets. </li>
<li> If the a password has been disclosed through the source code: change it. </li>
</ul>
<h2>Sensitive Code Example</h2>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
misleading and induce bugs.</p>
<p>This rule raises an issue when the whitespacing of the lines after a one line block indicates an intent to include those lines in the block, but
the omission of curly braces means the lines will be unconditionally executed once.</p>
<p>Note that this rule considers tab characters to be equivalent to 1 space. If you mix spaces and tabs you will sometimes see issues in code which
looks fine in your editor but is confusing when you change the size of tabs.</p>
<h2>Noncompliant Code Example</h2>
<pre>
if (condition)
Expand Down
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
<p>Browsers <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage">allow message exchanges</a> between Window objects of
different origins. </p>
<p>Because any window can send / receive messages from other window it is important to verify the sender's / receiver's identity:</p>
<p>- When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (<code>*</code>) should not be
used).</p>
<p>- When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties.</p>
<ul>
<li> When sending message with postMessage method, the identity's receiver should be defined (the wildcard keyword (<code>*</code>) should not be
used). </li>
<li> When receiving message with message event, the sender's identity should be verified using the origin and possibly source properties. </li>
</ul>
<h2>Noncompliant Code Example</h2>
<p>When sending message:</p>
<pre>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,6 @@ <h2>Ask Yourself Whether</h2>
<h2>Recommended Secure Coding Practices</h2>
<p>Do not enable debug features on production servers.</p>
<h2>Sensitive Code Example</h2>
<p>The <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/debugger">debugger statement</a> should be removed in
production:</p>
<pre>
for (i = 1; i&lt;5; i++) {
// Print i to the Output window.
Debug.write("loop index is " + i);
// Wait for user to resume.
debugger; // Sensitive
}
</pre>
<p><code>alert()</code>, <code>confirm()</code> and <code>prompt()</code> instructions should be removed in production:</p>
<pre>
if(unexpectedCondition) {
alert("Unexpected Condition"); // Sensitive
}
</pre>
<p><a href="https://www.npmjs.com/package/errorhandler">errorhandler Express.js middleware</a> should not be used in production:</p>
<pre>
const express = require('express');
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<p>An exception (including <code>reject</code>) thrown by a promise will not be caught by a nesting <code>try</code> block, due to the asynchronous
nature of execution. Instead, use <code>catch</code> method of <code>Promise</code> or wrap it inside <code>await</code> expression.</p>
<p>This rule reports <code>try-catch</code> statements containing nothing else but call(s) to a function returning a&nbsp;<code>Promise</code> (thus
it's less likely that <code>catch</code> is intended to catch something else than <code>Promise</code> rejection).</p>
<p>This rule reports <code>try-catch</code> statements containing nothing else but call(s) to a function returning a <code>Promise</code> (thus it's
less likely that <code>catch</code> is intended to catch something else than <code>Promise</code> rejection).</p>
<h2>Noncompliant Code Example</h2>
<pre>
function runPromise() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<code>Groovy's template engine</code>, allow configuration of automatic variable escaping before rendering templates. When escape occurs, characters
that make sense to the browser (eg: &lt;a&gt;) will be transformed/replaced with escaped/sanitized values (eg: &amp; lt;a&amp; gt; ).</p>
<p>Auto-escaping is not a magic feature to annihilate all cross-site scripting attacks, it depends on <a
href="https://twig.symfony.com/doc/3.x/filters/escape.html">the strategy applied</a> and the context, for example a "_html auto-escaping_" strategy
href="https://twig.symfony.com/doc/3.x/filters/escape.html">the strategy applied</a> and the context, for example a "html auto-escaping" strategy
(which only transforms html characters into <a href="https://developer.mozilla.org/en-US/docs/Glossary/Entity">html entities</a>) will not be relevant
when variables are used in a <a href="https://en.wikipedia.org/wiki/HTML_attribute">html attribute</a> because '<code>:</code>' character is not
escaped and thus an attack as below is possible:</p>
Expand All @@ -20,10 +20,8 @@ <h2>Ask Yourself Whether</h2>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
<li> Enable auto-escaping by default and continue to review the use of inputs in order to be sure that the chosen auto-escaping strategy is the
right one. </li>
</ul>
<p>Enable auto-escaping by default and continue to review the use of inputs in order to be sure that the chosen auto-escaping strategy is the right
one.</p>
<p> </p>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/mustache">mustache.js</a> template engine:</p>
Expand Down Expand Up @@ -130,4 +128,4 @@ <h2>See</h2>
</li>
<li> <a href="https://cwe.mitre.org/data/definitions/84.html">MITRE, CWE-84</a> - Improper Neutralization of Encoded URI Schemes in a Web Page </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
"title": "Disabling auto-escaping in template engines is security-sensitive",
"type": "SECURITY_HOTSPOT",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"cwe",
"owasp-a7"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,15 @@
future standard (but currently experimental) web browser query API</a> and specific APIs related to the permission. It is highly recommended to
customize this rule with the permissions considered as intrusive in the context of the web application.</p>
<h2>Ask Yourself Whether</h2>
<p> * Some powerful features used by the application are not really necessary.</p>
<p> * Users are not clearly informed why and when powerful features are used by the application.</p>
<ul>
<li> Some powerful features used by the application are not really necessary. </li>
<li> Users are not clearly informed why and when powerful features are used by the application. </li>
</ul>
<p>You are at risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p> * In order to respect user privacy it is recommended to avoid using intrusive powerful features.</p>
<ul>
<li> In order to respect user privacy it is recommended to avoid using intrusive powerful features. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p>When using <a href="https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API">geolocation API</a>, Firefox for example retrieves personal
information like nearby wireless access points and IP address and sends it to the default geolocation service provider, <a
Expand Down Expand Up @@ -41,11 +45,12 @@ <h2>Compliant Solution</h2>
&lt;/html&gt;
</pre>
<h2>See</h2>
<p> * <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Web Top 10 2017 Category A3</a> - Sensitive Data
Exposure</p>
<p> * <a href="https://cwe.mitre.org/data/definitions/250.html">CWE-250</a> - Execution with Unnecessary Privileges</p>
<p> * <a href="https://cwe.mitre.org/data/definitions/359.html">CWE-359</a> - Exposure of Private Information</p>
<p> * <a href="https://www.w3.org/TR/permissions/">W3C</a> - Permissions</p>
<p> * <a href="https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites">Mozilla</a> - Does Firefox share my location with
websites?</p>

<ul>
<li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Web Top 10 2017 Category A3</a> - Sensitive Data
Exposure </li>
<li> <a href="https://cwe.mitre.org/data/definitions/250.html">CWE-250</a> - Execution with Unnecessary Privileges </li>
<li> <a href="https://cwe.mitre.org/data/definitions/359.html">CWE-359</a> - Exposure of Private Information </li>
<li> <a href="https://www.w3.org/TR/permissions/">W3C</a> - Permissions </li>
<li> <a href="https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites">Mozilla</a> - Does Firefox share my location with
websites? </li>
</ul>
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@ <h2>Noncompliant Code Example</h2>
<pre>
const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: JWT should include a signature
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: none algorithm should not be used when verifying JWT signature
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://www.npmjs.com/package/jsonwebtoken">jsonwebtoken</a> library:</p>
Expand All @@ -28,4 +28,4 @@ <h2>See</h2>
</li>
<li> <a href="https://cwe.mitre.org/data/definitions/347.html">MITRE, CWE-347</a> - Improper Verification of Cryptographic Signature </li>
</ul>

Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,12 @@ <h2>Compliant Solution</h2>
app2.use(helmet.hidePoweredBy());
</pre>
<h2>See</h2>
<p> * <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)">OWASP Testing Guide - OTG-INFO-008</a> -
Fingerprint Web Application Framework</p>
<p> * <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)">OWASP Testing Guide - OTG-INFO-009</a> - Fingerprint Web
Application</p>
<p> * <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
Misconfiguration</p>
<p> * <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Information Exposure</p>

<ul>
<li> <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)">OWASP Testing Guide - OTG-INFO-008</a> -
Fingerprint Web Application Framework </li>
<li> <a href="https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)">OWASP Testing Guide - OTG-INFO-009</a> - Fingerprint Web
Application </li>
<li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
Misconfiguration </li>
<li> <a href="https://cwe.mitre.org/data/definitions/200.html">MITRE, CWE-200</a> - Information Exposure </li>
</ul>
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,16 @@
<p>Outside of the user environment, hidden files are sensitive because they are used to store privacy-related information or even hard-coded
secrets.</p>
<h2>Ask Yourself Whether</h2>
<p> * Hidden files may have been inadvertently uploaded to the static server's public directory and it accepts requests to hidden files.</p>
<p> * There is no business use cases linked to serve files in <code>.name</code> format but the server is not configured to reject requests to this
type of files. </p>
<ul>
<li> Hidden files may have been inadvertently uploaded to the static server's public directory and it accepts requests to hidden files. </li>
<li> There is no business use cases linked to serve files in <code>.name</code> format but the server is not configured to reject requests to this
type of files. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p> * Disable the serving of hidden files.</p>
<ul>
<li> Disable the serving of hidden files. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/serve-static">Express.js serve-static</a> middleware:</p>
<pre>
Expand All @@ -33,6 +37,7 @@ <h2>See</h2>
</li>
<li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Web Top 10 2017 Category A6</a> - Security
Misconfiguration. </li>
<li> <a href="https://cwe.mitre.org/data/definitions/538.html">CWE-538</a> - File and Directory Information Exposure </li>
</ul>
<p> * <a href="https://cwe.mitre.org/data/definitions/538.html">CWE-538</a> - File and Directory Information Exposure</p>

Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,12 @@ <h2>Ask Yourself Whether</h2>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
<li> For most of the features of an application, it is recommended to limit the size of requests to: </li>
<li> For most of the features of an application, it is recommended to limit the size of requests to:
<ul>
<li> lower or equal to 8mb for file uploads. </li>
<li> lower or equal to 2mb for other requests. </li>
</ul> </li>
</ul>
<p> <strong></strong> lower or equal to 8mb for file uploads.</p>
<p> <strong></strong> lower or equal to 2mb for other requests.</p>
<p>It is recommended to customize the rule with the limit values that correspond to the web application.</p>
<h2>Sensitive Code Example</h2>
<p><a href="https://www.npmjs.com/package/formidable">formidable</a> file upload module:</p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,8 @@ <h2>Ask Yourself Whether</h2>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
<li> Implement content security policy fetch directives, in particular <em>default-src</em> directive and continue to properly sanitize and validate
all inputs of the application, indeed CSP fetch directives is only a tool to reduce +the impact+ of cross site scripting attacks. </li>
</ul>
<p>Implement content security policy fetch directives, in particular <em>default-src</em> directive and continue to properly sanitize and validate all
inputs of the application, indeed CSP fetch directives is only a tool to reduce the impact of cross site scripting attacks.</p>
<h2>Sensitive Code Example</h2>
<p>In a Express.js application, the code is sensitive if the <a href="https://www.npmjs.com/package/helmet">helmet</a> contentSecurityPolicy
middleware is disabled:</p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,8 @@ <h2>Ask Yourself Whether</h2>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
<li> Implement content security policy <em>block-all-mixed-content</em> directive which is supported by all modern browsers and will block loading
of mixed-contents. </li>
</ul>
<p>Implement content security policy <em>block-all-mixed-content</em> directive which is supported by all modern browsers and will block loading of
mixed-contents.</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet-csp">helmet-csp</a> or <a
href="https://www.npmjs.com/package/helmet">helmet</a> middleware is used without the <code>blockAllMixedContent</code> directive:</p>
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<p><a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a> attacks occur when an attacker try to trick an user to click on certain
buttons/links of a legit website. This attack can take place with malicious HTML frames well hidden in an attacker website. </p>
<p>For instance, suppose a safe and authentic page of a social network (https://socialnetworkexample.com/make_myprofil_public) which allows an user to
<p>For instance, suppose a safe and authentic page of a social network (https://socialnetworkexample.com/makemyprofilpublic) which allows an user to
change the visibility of his profile by clicking on a button. This is a critical feature with high privacy concerns. Users are generally well informed
on the social network of the consequences of this action. An attacker can trick users, without their consent, to do this action with the below
embedded code added on a malicious website:</p>
Expand All @@ -12,19 +12,17 @@
&lt;/html&gt;
</pre>
<p>Playing with the size of the iframe it's sometimes possible to display only the critical parts of a page, in this case the button of the
<em>make</em>myprofil_public_ page.</p>
<em>makemyprofilpublic</em> page.</p>
<h2>Ask Yourself Whether</h2>
<ul>
<li> <a href="https://en.wikipedia.org/wiki/Clickjacking#Clickjacking_categories">Critical actions</a> of the application are prone to clickjacking
attacks because a simple click on a link or a button can trigger them. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
<li> Implement content security policy <em>frame-ancestors</em> directive which is supported by all modern browsers and will specify the origins of
frame allowed to be loaded by the browser (this directive deprecates <a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">X-Frame-Options</a>). </li>
</ul>
<p>Implement content security policy <em>frame-ancestors</em> directive which is supported by all modern browsers and will specify the origins of
frame allowed to be loaded by the browser (this directive deprecates <a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">X-Frame-Options</a>).</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet-csp">helmet-csp</a> or <a
href="https://www.npmjs.com/package/helmet">helmet</a> middleware is used without the <code>frameAncestors</code> directive (or if
Expand Down
Loading

0 comments on commit 61aa15d

Please sign in to comment.