Add rules for '35 more Semgrep rules' blog post

generic/amqp-unencrypted-transport.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: amqp-unencrypted-transport
+echo "Hello, World!" | amqp-publish --url=amqp://guest:guest@example.com:5672 --routing-key=test_queue
+
+# ok: amqp-unencrypted-transport
+echo "Hello, World!" | amqp-publish --url=amqps://guest:guest@example.com:5672 --routing-key=test_queue

generic/amqp-unencrypted-transport.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: amqp-unencrypted-transport
+    message: |
+      Found unencrypted AMQP connection, prefer TLS encrypted `amqps://` transport
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [amqp, rabbitmq]
+      references:
+        - https://www.rabbitmq.com/docs/uri-spec#the-amqps-uri-scheme
+    options:
+      generic_ellipsis_max_span: 0
+    pattern: amqp://...

generic/mongodb-insecure-transport.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/"
+
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=true"
+
+# ok: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true"
+
+# ok: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=true"

generic/mongodb-insecure-transport.yaml

@@ -0,0 +1,25 @@
+rules:
+  - id: mongodb-insecure-transport
+    message: |
+      Found insecure MongoDB connection, prefer TLS encrypted transport by
+      setting the `tls=true` connection option and ensuring proper verification
+    languages: [regex]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [mongodb]
+      references:
+        - https://www.mongodb.com/docs/manual/reference/connection-string/#connection-options
+    pattern-either:
+      - patterns:
+          - pattern-regex: "mongodb://.+$"
+          - pattern-not-regex: "mongodb://.+[?&]tls=true.*$"
+          - pattern-not-regex: "mongodb://.+[?&]ssl=true.*$"
+      - pattern-regex: "mongodb://.+[?&]tlsAllowInvalidCertificates=true.*$"
+      - pattern-regex: "mongodb://.+[?&]tlsAllowInvalidHostnames=true.*$"
+      - pattern-regex: "mongodb://.+[?&]tlsInsecure=true.*$"

generic/mysql-insecure-sslmode.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: mysql-insecure-sslmode
+mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?SslMode=Disabled
+
+# ruleid: mysql-insecure-sslmode
+mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?useSSL=false
+
+# ok: mysql-insecure-sslmode
+mysql mysql://myapplicationuser:mypass@myhost:1234/applicationdb?SslMode=Required

generic/mysql-insecure-sslmode.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: mysql-insecure-sslmode
+    message: |
+      Found MySQL connection string disabling SSL verification
+    languages: [regex]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [mysql]
+      references:
+        - https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html
+        - https://dev.mysql.com/doc/connector-j/en/connector-j-connp-props-security.html
+    pattern-either:
+      - pattern-regex: "Ssl[ -]?Mode=(Disabled|None|Preferred)"
+      - pattern-regex: "sslMode=(DISABLED|PREFERRED)"
+      - pattern-regex: "useSSL=false"

generic/node-disable-certificate-validation.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# ruleid: node-disable-certificate-validation
+export NODE_TLS_REJECT_UNAUTHORIZED=0
+
+node app.js

generic/node-disable-certificate-validation.yaml

@@ -0,0 +1,22 @@
+rules:
+  - id: node-disable-certificate-validation
+    message: |
+      Setting this environment variable disables TLS certificate validation.
+      This makes TLS, and HTTPS by extension, insecure. The use of this
+      environment variable is strongly discouraged.
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [nodejs]
+      references:
+        - https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue
+    pattern-either:
+      - pattern: NODE_TLS_REJECT_UNAUTHORIZED=0
+      - pattern: NODE_TLS_REJECT_UNAUTHORIZED='0'
+      - pattern: NODE_TLS_REJECT_UNAUTHORIZED="0"

generic/postgres-insecure-sslmode.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: postgres-insecure-sslmode
+psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=disable
+
+# ok: postgres-insecure-sslmode
+psql postgresql://myapplicationuser:mypass@myhost:1234/applicationdb?sslmode=require

generic/postgres-insecure-sslmode.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: postgres-insecure-sslmode
+    message: |
+      Found PostgreSQL connection string disabling SSL verification
+    languages: [regex]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [postgresql]
+      references:
+        - https://www.postgresql.org/docs/current/libpq-connect.html
+    pattern-regex: "[?&]sslmode=(disable|allow|prefer)"

generic/redis-unencrypted-transport.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: redis-unencrypted-transport
+redis-cli -u redis://user:password@host:port/dbnum PING
+
+# ok: redis-unencrypted-transport
+redis-cli -u rediss://user:password@host:port/dbnum PING

generic/redis-unencrypted-transport.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: redis-unencrypted-transport
+    message: |
+      Found unencrypted Redis connection, prefer TLS encrypted `rediss://` transport
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      technology: [redis]
+      references:
+        - https://redis.io/docs/latest/develop/connect/cli/#host-port-password-and-database
+    options:
+      generic_ellipsis_max_span: 0
+    pattern: redis://...

hcl/nomad/docker-hardcoded-password.job

@@ -0,0 +1,44 @@
+task "example" {
+  driver = "docker"
+
+  config {
+    image = "secret/service"
+
+    auth {
+      username = "dockerhub_user"
+
+      # ruleid: docker-hardcoded-password
+      password = "dockerhub_password"
+    }
+  }
+}
+
+task "example" {
+  driver = "docker"
+
+  config {
+    image = "secret/service"
+
+    auth {
+      username = "dockerhub_user"
+
+      # ok: docker-hardcoded-password
+      password = "${PASSWORD}"
+    }
+  }
+}
+
+task "example" {
+  driver = "podman"
+
+  config {
+    image = "secret/service"
+
+    auth {
+      username = "dockerhub_user"
+
+      # ruleid: docker-hardcoded-password
+      password = "dockerhub_password"
+    }
+  }
+}

hcl/nomad/docker-hardcoded-password.yaml

@@ -0,0 +1,35 @@
+rules:
+  - id: docker-hardcoded-password
+    message: |
+      Found Nomad task using Docker auth with hardcoded password
+    languages: [hcl]
+    severity: WARNING
+    metadata:
+      category: security
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      subcategory: [audit]
+      confidence: HIGH
+      likelihood: HIGH
+      impact: LOW
+      technology: [nomad, docker, podman]
+      references:
+        - https://developer.hashicorp.com/nomad/docs/drivers/docker#password
+    patterns:
+      - pattern-inside: |
+          task "..." {
+            ...
+            driver = "$RUNTIME"
+            ...
+            config {
+              ...
+              auth {
+                ...
+              }
+              ...
+            }
+            ...
+          }
+      - pattern: password = "..."
+      - metavariable-regex:
+          metavariable: $RUNTIME
+          regex: (docker|podman)

hcl/nomad/docker-privileged-mode.job

@@ -0,0 +1,62 @@
+task "server" {
+  driver = "docker"
+
+  user = "root"
+
+  config {
+    image = "hashicorp/http-echo"
+    args  = ["-text", "hello world"]
+
+    # ruleid: docker-privileged-mode
+    privileged = true
+  }
+
+  resources {
+    cpu = 20
+  }
+}
+
+task "server" {
+  driver = "docker"
+
+  user = "ubuntu"
+
+  # ok: docker-privileged-mode
+  config {
+    image = "hashicorp/http-echo"
+    args  = ["-text", "hello world"]
+  }
+
+  resources {
+    cpu = 20
+  }
+}
+
+plugin "docker" {
+  config {
+    endpoint = "unix:///var/run/docker.sock"
+
+    auth {
+      config = "/etc/docker-auth.json"
+      helper = "ecr-login"
+    }
+
+    # ruleid: docker-privileged-mode
+    allow_privileged = true
+    allow_caps       = ["chown", "net_raw"]
+  }
+}
+
+plugin "docker" {
+  # ok: docker-privileged-mode
+  config {
+    endpoint = "unix:///var/run/docker.sock"
+
+    auth {
+      config = "/etc/docker-auth.json"
+      helper = "ecr-login"
+    }
+
+    allow_caps       = ["chown", "net_raw"]
+  }
+}

hcl/nomad/docker-privileged-mode.yaml

@@ -0,0 +1,41 @@
+rules:
+  - id: docker-privileged-mode
+    message: |
+      Found Nomad task using Docker containers in privileged mode
+    languages: [hcl]
+    severity: WARNING
+    metadata:
+      category: security
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      subcategory: [audit]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: LOW
+      technology: [nomad, docker, podman]
+      references:
+        - https://developer.hashicorp.com/nomad/docs/drivers/docker#privileged
+        - https://developer.hashicorp.com/nomad/docs/drivers/docker#allow_privileged
+    pattern-either:
+      - patterns:
+          - pattern-inside: |
+              task "..." {
+                ...
+                config {
+                  ...
+                }
+                ...
+              }
+          - pattern: privileged = true
+      - patterns:
+          - pattern-inside: |
+              plugin "$RUNTIME" {
+                ...
+                config {
+                  ...
+                }
+                ...
+              }
+          - pattern: allow_privileged = true
+          - metavariable-regex:
+              metavariable: $RUNTIME
+              regex: (docker|podman)

hcl/nomad/podman-tls-verify-disabled.job

@@ -0,0 +1,26 @@
+task "example" {
+  driver = "podman"
+
+  config {
+    image = "secret/service"
+
+    auth {
+      # ruleid: podman-tls-verify-disabled
+      tlsVerify = false
+    }
+  }
+}
+
+task "example" {
+  driver = "podman"
+
+  config {
+    image = "secret/service"
+
+    # ok: podman-tls-verify-disabled
+    auth {
+      username = "dockerhub_user"
+      password = "${PASSWORD}"
+    }
+  }
+}