mongo rule - more precise regex

trailofbits · Dec 5, 2024 · ba97b94 · ba97b94
1 parent 83265c2
commit ba97b94
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 6 deletions.
diff --git a/generic/mongodb-insecure-transport.sh b/generic/mongodb-insecure-transport.sh
@@ -6,8 +6,48 @@ mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/"
 # ruleid: mongodb-insecure-transport
 mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=true"
 
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=true&something=else"
+
+# we want to be lenient here
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=truebutbug"
+
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&tlsAllowInvalidCertificates=truebutbug&something=else"
+
+# we want to be strict here
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=truebutbug"
+
+# ruleid: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=truebutbug&something=else"
+
 # ok: mongodb-insecure-transport
 mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true"
 
+# ok: mongodb-insecure-transport
+mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?tls=true&something=else"
+
 # ok: mongodb-insecure-transport
 mongo "mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=true"
+
+echo '
+# ok: mongodb-insecure-transport
+mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=true
+'
+
+echo '
+# ruleid: mongodb-insecure-transport
+mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=truebutbug
+'
+
+echo '
+# ok: mongodb-insecure-transport
+mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=true&something=else
+'
+
+echo '
+# ruleid: mongodb-insecure-transport
+mongodb://user:pass@db0.example.com,db1.example.com,db2.example.com/?ssl=truebutbug&something=else
+'
diff --git a/generic/mongodb-insecure-transport.yaml b/generic/mongodb-insecure-transport.yaml
@@ -17,9 +17,9 @@ rules:
         - https://www.mongodb.com/docs/manual/reference/connection-string/#connection-options
     pattern-either:
       - patterns:
-          - pattern-regex: "mongodb://.+$"
-          - pattern-not-regex: "mongodb://.+[?&]tls=true.*$"
-          - pattern-not-regex: "mongodb://.+[?&]ssl=true.*$"
-      - pattern-regex: "mongodb://.+[?&]tlsAllowInvalidCertificates=true.*$"
-      - pattern-regex: "mongodb://.+[?&]tlsAllowInvalidHostnames=true.*$"
-      - pattern-regex: "mongodb://.+[?&]tlsInsecure=true.*$"
+          - pattern-regex: mongodb://.+$
+          - pattern-not-regex: (?:(.)?)?mongodb://.+[?&]tls=true(?:\g{1}|$|&).*
+          - pattern-not-regex: (?:(.)?)?mongodb://.+[?&]ssl=true(?:\g{1}|$|&).*
+      - pattern-regex: mongodb://.+[?&]tlsAllowInvalidCertificates=true.*$
+      - pattern-regex: mongodb://.+[?&]tlsAllowInvalidHostnames=true.*$
+      - pattern-regex: mongodb://.+[?&]tlsInsecure=true.*$