diff --git a/LICENSE.MD b/LICENSE.MD index 3a66b64..2a1f86b 100644 --- a/LICENSE.MD +++ b/LICENSE.MD @@ -2,7 +2,7 @@ License ============== The MIT License (MIT) -Copyright (c) 2023 - 2024 | Heitor Gouvêa. +Copyright (c) 2023 - 2025 | Heitor Gouvêa. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index ed5c579..8f99ff1 100644 --- a/README.md +++ b/README.md @@ -56,12 +56,14 @@ $ perl zarn.pl --rules rules/quick-wins.yml --source ../nozaki --sarif report.sa ```yaml rules: - id: '0001' + type: presence category: info name: Debug module enabled message: Debug modules can expose sensitive information and potentially create security vulnerabilities. sample: - Dumper - id: '0002' + type: presence category: vuln name: Code Injection message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server. 
@@ -71,11 +73,34 @@ rules: - exec - qx - id: '0003' + type: presence category: vuln name: Path Traversal message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure. sample: - open + - id: '0004' + type: presence + category: vuln + name: Weak Criptography Algorithm + message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data. + sample: + - md5 + - id: '0005' + type: presence + category: vuln + name: Weak Random Value Generator + message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls. + sample: + - rand + - id: '0006' + type: absence + category: warning + name: Error Suppression + message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities. + sample: + - strict + - warnings ``` --- diff --git a/lib/Zarn/Engine/Source_to_Sink.pm b/lib/Zarn/Engine/Source_to_Sink.pm index dc9c714..33c7b2a 100644 --- a/lib/Zarn/Engine/Source_to_Sink.pm +++ b/lib/Zarn/Engine/Source_to_Sink.pm 
@@ -19,9 +19,35 @@ package Zarn::Engine::Source_to_Sink { 'rules=s' => \$rules ); + if ($ast && $rules) { + my @absence = grep { $_ -> {type} && $_ -> {type} eq 'absence' } $rules -> @*; + + for my $rule (@absence) { + my $category = $rule -> {category}; + my $title = $rule -> {name}; + my $message = $rule -> {message}; + + foreach my $token ($rule -> {sample} -> @*) { + + if ($ast -> content() !~ m/$token/xms ) { + push @results, { + category => $category, + title => $title, + message => $message, + line_sink => 'n/a', + rowchar_sink => 'n/a', + line_source => 'n/a', + rowchar_source => 'n/a' + }; + } + } + } + + my @presence = grep { !($_ -> {type}) || $_ -> {type} eq 'presence' } $rules -> @*; + foreach my $token (@{$ast -> find('PPI::Token') || []}) { - foreach my $rule (@{$rules}) { + foreach my $rule (@presence) { my @sample = $rule -> {sample} -> @*; my $category = $rule -> {category}; my $title = $rule -> {name}; @@ -63,4 +89,4 @@ package Zarn::Engine::Source_to_Sink { } } -1; +1; \ No newline at end of file diff --git a/rules/default.yml b/rules/default.yml index 83e06e4..bc9b9f4 100644 --- a/rules/default.yml +++ b/rules/default.yml @@ -1,12 +1,14 @@ --- rules: - id: '0001' + type: presence category: info name: Debug module enabled message: Debug modules can expose sensitive information and potentially create security vulnerabilities. sample: - Dumper - id: '0002' + type: presence category: vuln name: Code Injection message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server. 
@@ -16,20 +18,31 @@ rules: - exec - qx - id: '0003' + type: presence category: vuln name: Path Traversal message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure. sample: - open - id: '0004' + type: presence category: vuln name: Weak Criptography Algorithm message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data. sample: - md5 - id: '0005' + type: presence category: vuln name: Weak Random Value Generator message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls. sample: - - rand \ No newline at end of file + - rand + - id: '0006' + type: absence + category: warning + name: Error Suppression + message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities. + sample: + - strict + - warnings \ No newline at end of file diff --git a/rules/prototype.yml b/rules/prototype.yml index 3d6de96..9147198 100644 --- a/rules/prototype.yml +++ b/rules/prototype.yml 
@@ -1,8 +1,80 @@ --- rules: - - id: '0001' + - id: '0006' category: vuln name: Cross Site Scripting (XSS) message: Occur when untrusted data is rendered as HTML without proper escaping, allowing attackers to execute malicious scripts in the context of the victim's browser. sample: - - render \ No newline at end of file + - render + rules: + - id: '0012' + category: vuln + name: Command Injection + message: Command injection attacks are possible when an application passes unsafe user supplied data like form values, cookies, HTTP headers etc. to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. + sample: + - exec + - syscall + - open + - qx + - readpipe + - id: '0006' + category: vuln + name: Connection String Injection + message: A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string isn't validated and malicious text or characters not escaped, an attacker can potentially access sensitive data or other resources on the server. + sample: + - connect + - ora_login + - id: '0007' + category: vuln + name: LDAP Injection + message: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. + sample: + - search + - modify + - moddn + - add + - bind + - delete + - compare + - id: '0008' + category: vuln + name: XSS + message: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. 
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. + sample: + - print + - printf + - say + - echo + - header + - start_html + - end_html + - id: '0009' + category: vuln + name: Remote File Inclusion + message: This vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. this can lead to issues like - Code execution, Denial of Service, Sensitive Information Disclosure,etc. + sample: + - use + - require + - id: '0010' + category: vuln + name: Resource Injection + message: This attack consists of changing resource identifiers used by an application in order to perform a malicious task. When an application defines a resource type or location based on user input, such as a file name or port number, this data can be manipulated to execute or access different resources. + sample: + - socket + - id: '0011' + category: vuln + name: SQL Injection + message: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. + sample: + - prepare + - execute + - bind_param + - do + - find + - create + - update + - ora_open + - ora_do + - ora_fetch + - select + - query \ No newline at end of file diff --git a/zarn.pl b/zarn.pl index 4ea7a6f..ccf8556 100755 --- a/zarn.pl +++ b/zarn.pl 
@@ -55,8 +55,8 @@ sub main { ] ); - if (@analysis) { - $analysis[0]->{'file'} = $file; + for (@analysis) { + $_->{file} = $file; } push @results, @analysis;
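Review bot: In the first README hunk (`@@ -56,12 +56,14 @@`) the new `type: presence` field appears in the example with no explanation of what it means or whether it is required. The engine change in `Source_to_Sink.pm` treats a missing `type` as `presence` (`grep { !($_ -> {type}) || $_ -> {type} eq 'presence' }`), so rule files not touched by this diff, such as the `rules/quick-wins.yml` named in the usage line just above the example, keep working; that is worth stating in the README: `type` is optional, defaults to `presence`, and `absence` flags a file in which the sample token does not appear.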
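Review bot: In the second README hunk (`@@ -71,11 +73,34 @@`) rule `0006` is named `Error Suppression` and its message talks about suppressing errors, but what the rule detects is the absence of the `strict` and `warnings` tokens, i.e. a script that never enables those pragmas; nothing is being suppressed. Rename it along the lines of `Missing strict/warnings pragma` and reword the message to say the pragmas are not enabled, so the finding matches what a reader sees in the code. Same hunk, rule `0004`: `Weak Criptography Algorithm` should read `Cryptography` (the same typo is a pre-existing context line in `rules/default.yml`, so fix it there in the same pass).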
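Review bot: In the `Source_to_Sink.pm` hunk (`@@ -19,9 +19,35 @@`) the absence check `$ast -> content() !~ m/$token/xms` matches the bare token anywhere in the file's text, so `strict` inside a comment, POD or string literal, or a `no strict 'refs';` line, is enough to make the check pass, while the token is also interpolated into the regex unescaped. Since `$ast` is a PPI document, the reliable test is to walk `$ast -> find('PPI::Statement::Include')` and compare `$_ -> module` (and `$_ -> type eq 'use'`) against the sample; if you keep the regex, at least anchor and quote it, e.g. `m/^\s*use\s+\Q$token\E\b/xms`. Three smaller points in the same hunk: each missing token pushes its own result with an identical `title`/`message`, so a file missing both pragmas yields two indistinguishable findings (include `$token` in the message or emit one result listing the missing tokens); the `'n/a'` strings in `line_sink`/`rowchar_sink`/`line_source`/`rowchar_source` reach the reporters unchanged, and SARIF `region.startLine`/`startColumn` are integers, so the `--sarif` path needs to omit the region for these results rather than pass the string through (please confirm it does); and a rule whose `type` is neither `presence` nor `absence` is silently dropped by both `grep`s, where a `die` or `warn` on load would catch a typo in a rules file.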
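Review bot: In the `rules/default.yml` hunk (`@@ -16,20 +18,31 @@`) rule `0006` introduces `category: warning`, a value that did not exist before (the other rules use `info` and `vuln`); check that the text and SARIF reporters map it to a severity rather than falling through to a default, since this file is the one actually loaded, unlike the README copy. The `Error Suppression` name and message have the same mismatch as in the README: the rule fires when `strict`/`warnings` are absent, not when errors are suppressed.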
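Review bot: In the `rules/prototype.yml` hunk (`@@ -1,8 +1,80 @@`) the added `rules:` line between `- render` and `- id: '0012'` breaks the file: at top level it re-declares the existing `rules` key, so a parser that accepts duplicate keys keeps only the second list and silently drops the XSS rule, and if it is indented inside the sequence it is a YAML parse error; remove that line so every rule sits in the single top-level list. The ids also collide: the first rule is renumbered from `'0001'` to `'0006'` while the added block contains `- id: '0006'` for Connection String Injection, and `'0008'` (`XSS`) duplicates the `Cross Site Scripting (XSS)` rule that already opens the file. Pick unique, ascending ids (`'0012'` currently precedes `'0006'`). Two wording points in the `'0009'` message: `this can lead to issues like - Code execution` should start with a capital and lose the stray dash, and `Disclosure,etc.` needs a space.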
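Review bot: In the `zarn.pl` hunk (`@@ -55,8 +55,8 @@`) stamping `$_->{file} = $file` on every result instead of only `$analysis[0]` is the right fix, and it matters more now: the absence results produced in `Source_to_Sink.pm` carry `'n/a'` for every line and column field, so `file` is the only locator they have. Make sure the console and SARIF reporters print `file` for every result, not just when a line number is present.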