From aaa64d04b249d52152df2315810c286decdd4b37 Mon Sep 17 00:00:00 2001
From: bcaller
Date: Wed, 23 Aug 2023 15:03:11 +0100
Subject: [PATCH] url.startswith("https://prefix") -> url.startswith("https://prefix/")
---
 .../services/starts-with-partial-host-py.py | 17 ++++++++++++++++
 .../services/starts-with-partial-host-py.yaml | 20 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 assets/semgrep_rules/services/starts-with-partial-host-py.py
 create mode 100644 assets/semgrep_rules/services/starts-with-partial-host-py.yaml
diff --git a/assets/semgrep_rules/services/starts-with-partial-host-py.py b/assets/semgrep_rules/services/starts-with-partial-host-py.py
new file mode 100644
index 00000000..c3ae0595
--- /dev/null
+++ b/assets/semgrep_rules/services/starts-with-partial-host-py.py
@@ -0,0 +1,17 @@
+# ruleid: starts-with-partial-host-py
+my_urI[0].startswith("https://x.y")
+
+# ruleid: starts-with-partial-host-py
+request.url.startswith('https://example.com')
+
+# ruleid: starts-with-partial-host-py
+url.startswith('http://127.0.0.1:')
+
+# ok: starts-with-partial-host-py
+url.startswith("https://ba.na/x")
+
+# ok: starts-with-partial-host-py
+url.startswith("https://")
+
+# ok: starts-with-partial-host-py
+url.startswith("xyz://abc/https://def")
\ No newline at end of file
diff --git a/assets/semgrep_rules/services/starts-with-partial-host-py.yaml b/assets/semgrep_rules/services/starts-with-partial-host-py.yaml
new file mode 100644
index 00000000..297ffff2
--- /dev/null
+++ b/assets/semgrep_rules/services/starts-with-partial-host-py.yaml
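Review bot: The test file never exercises the fix the rule's own message recommends, nor the name-based `$URL` filter the yaml applies, so a regression in either would pass unnoticed. Add an `# ok: starts-with-partial-host-py` case with `url.startswith("https://example.com/")` to pin that a trailing slash silences the finding, and a second `# ok:` case such as `host.startswith("https://example.com")` to pin that variables without `url`/`uri` in their name are deliberately skipped. The `url.startswith('http://127.0.0.1:')` positive is the least obvious of the three and deserves a one-line comment noting that a host followed by a colon is still only a partial authority, not a complete origin.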
@@ -0,0 +1,20 @@
+rules:
+ - id: starts-with-partial-host-py
+ metadata:
+ author: Ben Caller
+ confidence: LOW
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/starts-with-partial-host-py.yaml
+ patterns:
+ - pattern: $URL.startswith("$PREFIX")
+ - metavariable-regex:
+ metavariable: $PREFIX
+ regex: (?i)^https?://[^/]+$
+ - metavariable-regex:
+ # Avoid false positives where we actually have an origin or hostname
+ metavariable: $URL
+ regex: (?i).*ur[li].*
+ message: |
+ Add a forward-slash at the end to prevent matching `$PREFIX.e.vil` or `$PREFIX@e.vil`.
+ Even better, properly parse the URL and match a list of origins/hosts.
+ languages: [python]
+ severity: WARNING
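Review bot: The `$PREFIX` regex `(?i)^https?://[^/]+$` also accepts prefixes ending in `?` or `#`, such as `https://example.com?`, even though those characters already terminate the authority and so the host is fully fixed; tightening it to `regex: (?i)^https?://[^/?#]+$` removes that false positive while still flagging the bare-host and trailing-colon cases in the test file. The single `pattern: $URL.startswith("$PREFIX")` only matches a single string-literal argument, so the tuple form `url.startswith(("https://a.example", "https://b.example"))` is not covered at all; if that is intentional, say so in a comment beside the pattern, otherwise a `pattern-either` that also matches the tuple shape is needed. The `confidence: LOW` setting is appropriate given the name-based `$URL` filter, and the message's advice to parse the URL and compare hosts is the right primary recommendation.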