Skip to content

Semgrep testing 98 #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vivekkhimani wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Semgrep testing 98 #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0b29fb5
test
vivekkhimani May 21, 2023
273d9fc
testing
vivekkhimani Aug 9, 2023
02aaf69
something
vivekkhimani Aug 18, 2023
563db54
something
vivekkhimani Aug 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
import yaml


yaml.load(Loader=yaml.Loader)
Copy link

@semgrep-code-torchfl-org semgrep-code-torchfl-org bot Aug 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fukkkdsafsadfadsadddblahDetected a possible YAML deserialization vulnerability. yaml.unsafe_load, yaml.Loader, yaml.CLoader, and yaml.UnsafeLoader are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use yaml.safe_load or yaml.SafeLoader instead. blah blah.blah

Ignore this finding from avoid-pyyaml-load.

Copy link
Collaborator Author

@vivekkhimani vivekkhimani Aug 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/semgrep ignore not important


yaml.unsafe_load("something")
46 changes: 46 additions & 0 deletions test1.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
public class ActiveDebugCode{

public void bad(){
StackTraceElement[] elements;

Exception e = new Exception();
elements = e.getStackTrace();

// ruleid: active-debug-code-getstacktrace
System.err.print(elements);
}

public void bad2(){
StackTraceElement[] elements;

elements = Thread.currentThread().getStackTrace();

// ruleid: active-debug-code-getstacktrace
System.err.print(elements);
}

public void bad3(){
StackTraceElement[] elements;

elements = new Throwable().getStackTrace();

// ruleid: active-debug-code-getstacktrace
System.err.print(elements);
}

public void bad4(){
// ruleid: active-debug-code-getstacktrace
System.out.println(org.apache.commons.lang3.exception.ExceptionUtils.getStackTrace(e));
// ruleid: active-debug-code-getstacktrace
System.out.println(org.apache.commons.lang3.exception.ExceptionUtils.getFullStackTrace(e));
}

public void alsobad(){
for (StackTraceElement ste : Thread.currentThread().getStackTrace()) {
// ruleid: active-debug-code-getstacktrace
System.out.println(ste);
}
}

}

71 changes: 71 additions & 0 deletions test3.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
import json
from json import load, loads

from http.server import BaseHTTPRequestHandler
import urllib.parse

class GetHandler(BaseHTTPRequestHandler):

def do_GET(self):
tainted = urlparse.urlparse(self.path).query

# ruleid: tainted-json
json.load(tainted)
# ruleid: tainted-json
json.load(tainted, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)
# ruleid: tainted-json
json.loads(tainted)
# ruleid: tainted-json
json.loads(tainted, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)

decoder = json.JSONDecoder()
# ruleid: tainted-json
decoder.decode(tainted)
# ruleid: tainted-json
decoder.raw_decode(tainted)

# ok: tainted-json
json.load(s)
# ok: tainted-json
json.load(s, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)
# ok: tainted-json
json.loads(s)
# ok: tainted-json
json.loads(s, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)

decoder = json.JSONDecoder()
# ok: tainted-json
decoder.decode(s)
# ok: tainted-json
decoder.raw_decode(s)

# ruleid: tainted-json
load(tainted)
# ruleid: tainted-json
load(tainted, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)
# ruleid: tainted-json
loads(tainted)
# ruleid: tainted-json
loads(tainted, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)

decoder = JSONDecoder()
# ruleid: tainted-json
decoder.decode(tainted)
# ruleid: tainted-json
decoder.raw_decode(tainted)

# ok: tainted-json
load(s)
# ok: tainted-json
load(s, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)
# ok: tainted-json
loads(s)
# ok: tainted-json
loads(s, cls=None, object_hook=None, parse_float=None, parse_int=None, parse_constant=None, object_pairs_hook=None)

decoder = JSONDecoder()
# ok: tainted-json
decoder.decode(s)
# ok: tainted-json
decoder.raw_decode(s)

1 change: 1 addition & 0 deletions test5.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
print("hello world")
52 changes: 52 additions & 0 deletions torchfl-org-yaml-rule-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
rules:
- id: avoid-pyyaml-load
metadata:
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
cwe:
- "CWE-502: Deserialization of Untrusted Data"
references:
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
category: security
technology:
- pyyaml
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
rule-origin-note: published from torchfl-org-yaml-rule-test.yaml in
git@github.com:torchfl-org/torchfl.git
languages:
- python
message: fukkkdsafsadfadsadddblahDetected a possible YAML deserialization vulnerability.
`yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader`
are all known to be unsafe methods of deserializing YAML. An attacker with
control over the YAML input could create special YAML input that allows
the attacker to run arbitrary Python code. This would allow the attacker
to steal files, download and install malware, or otherwise take over the
machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead. blah blah.blah
fix-regex:
regex: unsafe_load
replacement: safe_load
count: 1
severity: ERROR
patterns:
- pattern-inside: |
import yaml
...
- pattern-not-inside: |
$YAML = ruamel.yaml.YAML(...)
...
- pattern-either:
- pattern: yaml.load(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load(..., Loader=yaml.CLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.Loader, ...)
- pattern: yaml.load_all(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.CLoader, ...)
- pattern: yaml.unsafe_load(...)