Merge Develop into Release

go/lang/correctness/use-filepath-join.go

@@ -17,7 +17,7 @@ func a() {
 	path.Join("/", path.Base(p))
 }
 
-func a() {
+func a2() {
 	url, err := url.Parse("http://foo:666/bar")
 	if err != nil {
 		panic(err)
@@ -27,7 +27,7 @@ func a() {
 	fmt.Println(path.Join(url.Path, "baz"))
 }
 
-func a(p string) {
+func a3(p string) {
 	// ruleid: use-filepath-join
 	fmt.Println(path.Join(p, "baz"))
 

go/lang/security/deserialization/unsafe-deserialization-interface.yaml

@@ -5,8 +5,7 @@ rules:
     message: >-
       Deserializing into `interface{}` allows arbitrary data structures and types,
       which can lead to security vulnerabilities (CWE-502). Use a concrete struct
-      type instead. Consider using github.com/ravisastryk/go-safeinput/safedeserialize
-      for automatic protection.
+      type instead.
     severity: WARNING
     metadata:
       cwe:
@@ -24,7 +23,6 @@ rules:
         - vuln
       references:
         - https://cwe.mitre.org/data/definitions/502.html
-        - https://github.com/ravisastryk/go-safeinput
     patterns:
       - pattern-either:
           - pattern: |

go/lang/security/injection/tainted-sql-string.go

@@ -110,7 +110,7 @@ func SelectHandler3(db *sql.DB) func(w http.ResponseWriter, req *http.Request) {
     }
 }
 
-func SelectHandler3(db *sql.DB) func(w http.ResponseWriter, req *http.Request) {
+func SelectHandler3ok(db *sql.DB) func(w http.ResponseWriter, req *http.Request) {
     return func(w http.ResponseWriter, req *http.Request) {
         del := req.URL.Query().Get("del")
         id := req.URL.Query().Get("Id")

java/lang/security/audit/formatted-sql-string.java

@@ -66,7 +66,7 @@ public void findAccountsById(String id) throws SQLException {
         ResultSet rs = c.createStatement().execute(sql);
     }
 
-    public List<AccountDTO> findAccountsById(String id) {
+    public List<AccountDTO> findAccountsById(String id, String unused) {
         String jql = "from Account where id = '" + id + "'";
         EntityManager em = emfactory.createEntityManager();
         // ruleid:formatted-sql-string
@@ -92,7 +92,7 @@ public void findAccountsById(String id) throws SQLException {
         ResultSet rs = c.createStatement().execute(sql);
     }
 
-    public List<AccountDTO> findAccountsById(String id) {
+    public List<AccountDTO> findAccountsById(String id, String unused) {
         String jql = String.format("from Account where id = '%s'", id);
         EntityManager em = emfactory.createEntityManager();
         // ruleid: formatted-sql-string
@@ -171,4 +171,4 @@ public ResultSet call() throws SQLException {
             },
             Retry.RETRY_FOREVER);
     }
-}
+}

java/lang/security/audit/sqli/tainted-sql-from-http-request.java

@@ -251,7 +251,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 }
 
 @WebServlet(value = "/sqli-00/BenchmarkTest00008")
-public class bad1 extends HttpServlet {
+public class bad6 extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 

java/lang/security/audit/tainted-env-from-http-request.java

@@ -71,8 +71,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
     }
 }
 
-@WebServlet(value = "/cmdi-00/BenchmarkTest00007")
-public class bad2 extends HttpServlet {
+@WebServlet(value = "/cmdi-00/BenchmarkTest00007ok")
+public class bad2ok extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 
@@ -110,7 +110,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
 
             // ok: tainted-env-from-http-request
-            Process p = r.exec(param, argsEnv);
+            Process p2 = r.exec(param, argsEnv);
         } catch (IOException e) {
             System.out.println("Problem executing cmdi - TestCase");
             response.getWriter()

java/lang/security/audit/tainted-ldapi-from-http-request.java

@@ -302,8 +302,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
     }
 }
 
-@WebServlet(value = "/ldapi-00/BenchmarkTest00021")
-public class BenchmarkTest00021 extends HttpServlet {
+@WebServlet(value = "/ldapi-00/BenchmarkTest00021ok")
+public class BenchmarkTest00021ok extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 

java/lang/security/audit/tainted-session-from-http-request.java

@@ -120,8 +120,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
     }
 }
 
-@WebServlet(value = "/trustbound-00/BenchmarkTest00004")
-public class BenchmarkTest00004 extends HttpServlet {
+@WebServlet(value = "/trustbound-00/BenchmarkTest00004ok")
+public class BenchmarkTest00004ok extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 

java/lang/security/audit/tainted-xpath-from-http-request.java

@@ -185,8 +185,8 @@ public String doSomething(HttpServletRequest request, String param)
     } // end innerclass Test
 } // end DataflowThruInnerClass
 
-@WebServlet(value = "/xpathi-00/BenchmarkTest00207")
-public class BenchmarkTest00207 extends HttpServlet {
+@WebServlet(value = "/xpathi-00/BenchmarkTest00207ok")
+public class BenchmarkTest00207ok extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 

java/spring/security/injection/tainted-html-string.java

@@ -284,7 +284,7 @@ public ResponseEntity<String> getVulnerablePayloadLevelSecure2(
             value = LevelConstants.LEVEL_7,
             variant = Variant.SECURE,
             htmlTemplate = "LEVEL_1/XSS")
-    public ResponseEntity<String> getVulnerablePayloadLevelSecure3(
+    public ResponseEntity<String> getVulnerablePayloadLevelSecure3ok(
             @RequestParam(PARAMETER_NAME) String imageLocation) {
         String vulnerablePayloadWithPlaceHolder = "not html";
 

java/spring/security/injection/tainted-sql-string.java

@@ -72,8 +72,8 @@ ResultSet test5(@RequestBody String name) {
         return rs;
     }
 
-    @RequestMapping(value = "/test5", method = RequestMethod.POST, produces = "plain/text")
-    ResultSet test5(@RequestBody String name) {
+    @RequestMapping(value = "/test5ok", method = RequestMethod.POST, produces = "plain/text")
+    ResultSet test5ok(@RequestBody String name) {
         try {
             // ok: tainted-sql-string
             throw new Exception(String.format("Update request from %s to %s isn't allowed",

javascript/deno/security/audit/deno-dangerous-run.js

@@ -17,7 +17,7 @@ async function test1(userInput) {
   await p.status();
 }
 
-async function test1(userInput) {
+async function test2(userInput) {
   const p = Deno.run({
     // ruleid: deno-dangerous-run
     cmd: ["bash", "-c", userInput],

javascript/lang/security/audit/path-traversal/path-join-resolve-traversal.js

@@ -11,7 +11,7 @@ function test1() {
 }
 
 function test2() {
-    function someFunc(val) {
+    function someFunc2(val) {
         createFile({
             // ruleid:path-join-resolve-traversal
             filePath: path.resolve(opts.path, val)

javascript/lang/security/detect-child-process.js

@@ -8,7 +8,7 @@ function a(args) {
   });
 }
 
-function a(userInput) {
+function a2(userInput) {
   // ruleid:detect-child-process
   cp.spawnSync(userInput);
 }

python/django/security/audit/avoid-insecure-deserialization.py

@@ -1,7 +1,7 @@
 from django.http import HttpResponse
 import datetime
 
-def current_datetime(request):
+def current_datetime_ok(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
@@ -11,69 +11,69 @@ def current_datetime(request):
 
 # pickle tests
 
-def current_datetime(request):
+def current_datetime_pickle_b64(request):
     user_obj = b64decode(request.cookies.get('uuid'))
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(pickle.loads(user_obj))
 
-def current_datetime(request):
+def current_datetime_pickle(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(pickle.loads(user_obj))
 
-def current_datetime(request):
+def current_datetime_pickle_nested_b64(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(pickle.loads(b64decode(user_obj)))
 
-def current_datetime(request):
+def current_datetime_pickle_inline(request):
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(pickle.loads(b64decode(request.cookies.get('uuid'))))
 
 # Other libraries
 
-def current_datetime(request):
+def current_datetime_underscore_pickle(request):
     user_obj = b64decode(request.cookies.get('uuid'))
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(_pickle.loads(user_obj))
 
-def current_datetime(request):
+def current_datetime_cpickle(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(cPickle.loads(user_obj))
 
-def current_datetime(request):
+def current_datetime_dill(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(dill.loads(b64decode(user_obj)))
 
-def current_datetime(request):
+def current_datetime_shelve(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now
 
     # ruleid:avoid-insecure-deserialization
     return "Hey there! {}!".format(shelve.loads(user_obj))
 
-def current_datetime(request):
+def current_datetime_yaml(request):
     user_obj = request.cookies.get('uuid')
     now = datetime.datetime.now()
     html = "<html><body>It is now %s.</body></html>" % now

python/flask/security/injection/raw-html-concat.py

@@ -83,8 +83,8 @@ def ok():
     # ok: raw-html-format
     return "<a href='https://example.com'>Click me!</a>"
 
-@app.route("/post_param_branch", methods=["POST"])
-def post_param_branch():
+@app.route("/post_param_branch_ok", methods=["POST"])
+def post_param_branch_ok():
     param = flask.request.form['param']
     part = flask.render_template("link.html", data=param)
     if True:

python/flask/security/injection/tainted-sql-string.py

@@ -55,7 +55,7 @@ def insert_person():
     engine.execute(query, {"x":"%@aol.com", "y":name}).fetchall()
 
 @app.route("/insert/person/path")
-def insert_person(path):
+def insert_person_path(path):
     name = path
     lastname = "you don't get to pick >:)"
 

python/flask/security/injection/tainted-url-host.py

@@ -115,7 +115,7 @@ def load_model(model):
 
 # Real world example
 @app.route('/models/<model>')
-def load_model(model):
+def load_model_ok(model):
     # ok: tainted-url-host
     htmlpage = '''
     <body style='margin : 0px; overflow: hidden;'>

python/lang/security/audit/dangerous-subinterpreters-run-string-tainted-env-args.py

@@ -8,7 +8,7 @@ def run_payload(payload: str) -> None:
     _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)
 
 
-def run_payload(payload: str) -> None:
+def run_payload_param(payload: str) -> None:
     # fn: dangerous-subinterpreters-run-string-tainted-env-args
     _xxsubinterpreters.run_string(_xxsubinterpreters.create(), payload)
 

ruby/lang/security/dangerous-exec.rb

@@ -57,24 +57,24 @@ def test_calls(user_input)
     exec(["ls", "-lah", "/tmp"])
   end
 
-  def test_params()
+  def test_params2()
     user_input = params['some_key']
   # ruleid: dangerous-exec
     exec("ls -lah #{user_input}")
-  
+
   # ruleid: dangerous-exec
     Process.spawn([user_input, "smth"])
-  
+
   # ruleid: dangerous-exec
     output = exec(["sh", "-c", user_input])
-  
+
   # ruleid: dangerous-exec
     pid = spawn(["bash", user_input])
-  
+
     commands = "ls -lah /raz/dva"
   # ok: dangerous-exec
     system(commands)
-  
+
     cmd_name = "sh"
   # ok: dangerous-exec
     Process.exec([cmd_name, "ls", "-la"])

ruby/rails/security/brakeman/check-regex-dos.rb

@@ -4,13 +4,13 @@ def some_rails_controller
   Regexp.new(foo).match("some_string")
 end
 
-def some_rails_controller
+def some_rails_controller2
   foo = Record[something]
   #ruleid: check-regex-dos
   Regexp.new(foo).match("some_string")
 end
 
-def some_rails_controller
+def some_rails_controller3
   foo = Record.read_attribute("some_attribute")
   #ruleid: check-regex-dos
   Regexp.new(foo).match("some_string")

ruby/rails/security/brakeman/check-render-local-file-include.rb

@@ -16,7 +16,7 @@ def test_render_with_modern_param
     render file: "/some/path/#{page}"
   end
 
-  def test_render_with_modern_param
+  def test_render_with_modern_param_sanitized
     page = params[:page]
     #ok: check-render-local-file-include
     render file: File.basename("/some/path/#{page}")

ruby/rails/security/injection/raw-html-format.rb

@@ -44,7 +44,7 @@ def render_url
     render inline: Kernel::sprintf("<div>%s</div>", name)
   end
 
-  def render_url
+  def render_url_ok
     # ok: raw-html-format
     render html: "boo, %s" % params[:name]
   end

typescript/react/security/audit/react-href-var.tsx

@@ -22,7 +22,7 @@ let zzz = <Foo className={"foobar"} href={SEMGREP_REPO} />;
 // ok: react-href-var
 let zzz = <Foo className={"foobar"} href={SEMGREP_REPO1} />;
 
-function test1(input) {
+function test1_ok(input) {
 // ok: react-href-var
   if(input.startsWith("https:")) {
     const params = {href: input};
@@ -36,7 +36,7 @@ function test2(input) {
   return React.createElement("a", params);
 }
 
-function test2(input) {
+function test2_ok(input) {
   // ok: react-href-var
   const params = {href: "#"+input};
   return React.createElement("a", params);