From f96791e5ccc180d0ed7dc72cc14e81c80df60250 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Tue, 1 Oct 2024 19:45:33 +0200
Subject: [PATCH 01/11] Add subprocess check_call
---
 guarddog/analyzer/sourcecode/code-execution.yml | 5 +++++
 tests/analyzer/sourcecode/code-execution.py | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/guarddog/analyzer/sourcecode/code-execution.yml b/guarddog/analyzer/sourcecode/code-execution.yml
index 722ab90d..81208cf0 100644
--- a/guarddog/analyzer/sourcecode/code-execution.yml
+++ b/guarddog/analyzer/sourcecode/code-execution.yml
@@ -41,6 +41,11 @@ rules:
 - pattern: subprocess.run([..., "... $ARG1 ...", ...], ...)
 - pattern: run([..., "$ARG1", ...], ...)
+ - pattern: subprocess.check_call($ARG1, ...)
+ - pattern: check_call($ARG1, ...)
+ - pattern: subprocess.check_call([..., "... $ARG1 ...", ...], ...)
+ - pattern: check_call([..., "$ARG1", ...], ...)
+
 # eval, allow checking for version
 - patterns:
 - pattern-either:
diff --git a/tests/analyzer/sourcecode/code-execution.py b/tests/analyzer/sourcecode/code-execution.py
index 1db1bd4d..468180f4 100644
--- a/tests/analyzer/sourcecode/code-execution.py
+++ b/tests/analyzer/sourcecode/code-execution.py
@@ -196,3 +196,9 @@ def run_file(path):
 # ruleid: code-execution
 p = subprocess.Popen(f"python {path}",shell=True,stdin=None,stdout=subprocess.PIPE,stderr=subprocess.PIPE,close_fds=True)
 out, err = p.communicate()
+
+ # ruleid: code-execution
+ subprocess.check_call(["rm", "-rf", "target_dir"], cwd="/tmp")
+
+ # ok: code-execution
+ subprocess.check_call(["cmake", "--build", "."])
From b7729d3e0a2833d4a5e0827d3338eb0cb09f33be Mon Sep 17 00:00:00 2001
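Review bot: The two list-form patterns added here are asymmetric: the qualified form uses `"... $ARG1 ..."` (a substring of a list element) while the bare-name form uses `"$ARG1"` (the whole element), so `subprocess.check_call([...])` and an imported `check_call([...])` are not matched under the same condition. This mirrors the `run(` lines just above, and patch 09 of this series restores the same asymmetry after patch 08 had unified both forms, so if it is deliberate the first pair deserves a comment such as `# "... $ARG1 ..." on the qualified form, "$ARG1" on the bare form: kept in sync with the run() patterns above`. Whether either form yields a finding also depends on the constraint placed on `$ARG1` elsewhere in this rule, which lies outside the hunk.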
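Review bot: The new fixtures exercise only the qualified `subprocess.check_call(...)` spelling; the bare `check_call($ARG1, ...)` and `check_call([..., "$ARG1", ...], ...)` patterns added in the same commit have no fixture, so a regression there would pass the suite. Add a case such as `from subprocess import check_call` followed by `# ruleid: code-execution` and `check_call(["rm", "-rf", "target_dir"])`, and a string-argument case for the `$ARG1` form, e.g. `subprocess.check_call("rm -rf target_dir", shell=True)` under a `# ruleid:` marker. The `# ok:` verdict on the `cmake` call presumably rests on a `$ARG1` filter elsewhere in the rule, outside this hunk; the fixtures sit at module level after `run_file`, whose body ends above the added lines.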
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 01:10:40 +0200
Subject: [PATCH 02/11] Make http prefixes optional in shady links
---
 guarddog/analyzer/sourcecode/shady-links.yml | 16 ++++++++--------
 tests/analyzer/sourcecode/shady-links.py | 3 +++
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 860bd193..2c7d75cf 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -15,26 +15,26 @@ rules:
 - pattern-not-regex: ^\s*"""(.|\n)*?"""\s*$
 # Exclude local IPv4 sometimes used in tests
- - pattern-not-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
+ - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
 # Exclude public IPv4 sometimes used in tests
- - pattern-not-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
+ - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
 # ignore discord allowed
- - pattern-not-regex: https?:\/\/discord.com\/(invite|oauth2\/authorize)
+ - pattern-not-regex: (?:https?:\/\/)?discord.com\/(invite|oauth2\/authorize)
 - patterns:
 - pattern: ("...")
 - pattern-either:
 # complete domains
- - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
- - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co)\/)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co)\/)
 # top-level domains
- - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
 # IPv4
- - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
 # IPv6
- - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
 paths:
 exclude:
 - "*/test/*"
diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
index 3d3c6b77..084ce95e 100644
--- a/tests/analyzer/sourcecode/shady-links.py
+++ b/tests/analyzer/sourcecode/shady-links.py
@@ -173,3 +173,6 @@ def f():
 # ok: shady-links
 trackingServiceUrl = 'https//discord.com/invite/u9zUjWbbQ'
+def f():
+ # ruleid: shady-links
+ trackingUrl = "qkrfaniquihoswritqaqwbg5r4l072qp7.oast.fun/track"
From 4001d5910d0a20586a0219a2fd9dd495a8e35eb0 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 11:07:45 +0200
Subject: [PATCH 03/11] Require an http prefix for top-level domains
---
 guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 2c7d75cf..d5c81416 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
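Review bot: The rewritten `# complete domains` regex still carries `backblazeb2\.com\|paste\.ee`: the escaped `\|` is a literal pipe, so that branch only matches the text `backblazeb2.com|paste.ee` and neither `backblazeb2.com` nor `paste.ee` is detected on its own; the fix is `backblazeb2\.com|paste\.ee`. The rewritten discord exclusion has the opposite slip, `discord.com` with an unescaped dot, which only widens an exclusion and so cannot create a bypass, but `discord\.com` would keep it consistent with the positive pattern. Since this commit rewrites every one of these lines anyway, fixing both in the same hunk costs nothing. The `patterns:` block these lines belong to begins above the hunk.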
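Review bot: The single new fixture pins only the scheme-less `oast.*` branch, while the same commit also drops the scheme requirement for the `bit.ly|discord.com|...` list, the top-level-domain list and the IPv4/IPv6 literals, none of which gets a fixture; the TLD and IP branches are then re-tightened by later patches in this series, which a fixture per branch would have documented. A pair such as `# ruleid: shady-links` with a scheme-less `"transfer.sh/get/x"` and `# ok: shady-links` with a scheme-less private address like `"192.168.1.10/api"` (both constructed examples) would record the intended behaviour of each branch. The added `def f():` reuses the name shown in the hunk header's `def f():`, which Semgrep fixtures tolerate but a linter will flag.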
@@ -30,7 +30,7 @@ rules:
 - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
 - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co)\/)
 # top-level domains
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
+ - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
 # IPv4
 - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
 # IPv6
From 391ee832e424215d3def6ac913045a15a1926498 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 12:02:11 +0200
Subject: [PATCH 04/11] Add spawn
---
 guarddog/analyzer/sourcecode/code-execution.yml | 4 ++++
 tests/analyzer/sourcecode/code-execution.py | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/guarddog/analyzer/sourcecode/code-execution.yml b/guarddog/analyzer/sourcecode/code-execution.yml
index 81208cf0..825fdada 100644
--- a/guarddog/analyzer/sourcecode/code-execution.yml
+++ b/guarddog/analyzer/sourcecode/code-execution.yml
@@ -79,6 +79,10 @@ rules:
 - pattern: popen($ARG1, ...)
 - pattern: popen([..., $ARG1, ...], ...)
+ # distutils spawn
+ - pattern: spawn($ARG1, ...)
+ - pattern: $OBJ.spawn($ARG1, ...)
+
 # miscellaneous
 - pattern: os.system($ARG1, ...)
 - pattern: system($ARG1, ...)
diff --git a/tests/analyzer/sourcecode/code-execution.py b/tests/analyzer/sourcecode/code-execution.py
index 468180f4..12024396 100644
--- a/tests/analyzer/sourcecode/code-execution.py
+++ b/tests/analyzer/sourcecode/code-execution.py
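Review bot: The rewritten top-level-domain alternation lists `cd` twice (`quest|cd|bid|cd|ws`); the second occurrence is dead and should be dropped so the list reads `quest|cd|bid|ws`. Restoring the mandatory `https?://` here while the `pattern-not-regex` exclusions above keep `(?:https?:\/\/)?` is consistent, since a wider exclusion can only remove findings, but a short comment on this line would record why this branch differs from the domain list two lines up, e.g. `# scheme required here: bare "name.top/"-style strings are common in benign code` (presumed motive; confirm). The enclosing `pattern-either:` starts above the hunk.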
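Review bot: `$OBJ.spawn($ARG1, ...)` matches any method named `spawn`, not only the distutils/setuptools `Command.spawn` that the `# distutils spawn` comment describes; `pexpect.spawn(...)` is a reasonable catch, but `gevent.spawn(fn)`-style calls will also bind `$ARG1` to a callable, and whether that becomes a finding depends on the `$ARG1` constraint elsewhere in the rule, outside this hunk. Make the comment state the real scope: `# distutils/setuptools Command.spawn; the $OBJ form also matches any other .spawn(cmd) method`. The bare `spawn($ARG1, ...)` form follows the `popen(` convention above and is fine as is.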
@@ -202,3 +202,13 @@ def run_file(path):
 # ok: code-execution
 subprocess.check_call(["cmake", "--build", "."])
+
+class install_ext_solibs(install_lib):
+ def run(self):
+ super().run()
+ for wheel in glob.glob("build/bdist.*/wheel"):
+ for solib in os.listdir(wheel):
+ for mext in re.finditer("^([^/]*).cpython.*", solib):
+ if not mext.group(1) in templates:
+ # ruleid: code-execution
+ self.spawn(["rm", "-f", f"{wheel}/{solib}"])
From 98098c0ce5ebd3b0ee24674bf82827b37be2d35b Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 13:08:13 +0200
Subject: [PATCH 05/11] Make http prefix mandatory for IPv6
---
 guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index d5c81416..f687362c 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -34,7 +34,7 @@ rules:
 # IPv4
 - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
 # IPv6
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
+ - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
 paths:
 exclude:
 - "*/test/*"
From 41393f2bc1cba45c1c4b2fdbd6526b7ae7e4826b Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 13:24:57 +0200
Subject: [PATCH 06/11] Make http prefix mandatory for IPv4
---
 guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index f687362c..cc5af80d 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
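Review bot: The fixture covers `$OBJ.spawn` through `self.spawn(...)` only; the bare `spawn($ARG1, ...)` pattern added in the same commit has no fixture, and there is no `# ok: code-execution` case showing a benign spawn call being ignored. Add, for instance, `from distutils.spawn import spawn` with `# ruleid: code-execution` and `spawn(["rm", "-f", "build/stale.so"])` (constructed example), plus an `# ok:` counterpart such as `spawn(["cmake", "--build", "."])` mirroring the existing `check_call` pair above. `if not mext.group(1) in templates:` reads more naturally as `if mext.group(1) not in templates:`; minor, since this is fixture code in which names like `templates` and `install_lib` are deliberately unresolved.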
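Review bot: Making the scheme mandatory again for the IPv6 literal (and for IPv4 in the next patch's hunk) reverses part of patch 02, but neither change touches `tests/analyzer/sourcecode/shady-links.py`, so nothing pins which way these two branches are meant to go. Unless such fixtures already exist outside this series, add a `# ruleid: shady-links` case with a scheme, e.g. `"http://[2001:db8::1]/x"` (constructed, documentation-prefix address), and an `# ok: shady-links` case with the same literal and no scheme. The `pattern-not-regex` exclusions above keep the optional scheme, which is harmless because an exclusion can only remove findings; a one-line comment noting that the asymmetry is intentional would stop the next editor from "fixing" it. The enclosing `pattern-either:` starts above the hunk.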
@@ -32,7 +32,7 @@ rules:
 # top-level domains
 - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
 # IPv4
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
+ - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
 # IPv6
 - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
 paths:
From 9ba06c2bfeeb9bdff1dfbeec86bd77c212cca561 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 14:24:57 +0200
Subject: [PATCH 07/11] Exclude cloud metadata service IPs
---
 guarddog/analyzer/sourcecode/shady-links.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index cc5af80d..30aae79d 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -20,6 +20,9 @@ rules:
 # Exclude public IPv4 sometimes used in tests
 - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
+ # Exclude cloud provider metadata service IPs
+ - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:169\.254\.169\.254|\[fd00:ec2::254\]))
+
 # ignore discord allowed
 - pattern-not-regex: (?:https?:\/\/)?discord.com\/(invite|oauth2\/authorize)
From 46c7f6cd5dd90297789ae9a3fb1852a8fc8d1d24 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:32:08 +0200
Subject: [PATCH 08/11] Incorporate comments
---
 guarddog/analyzer/sourcecode/code-execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/code-execution.yml b/guarddog/analyzer/sourcecode/code-execution.yml
index 825fdada..8c8723a4 100644
--- a/guarddog/analyzer/sourcecode/code-execution.yml
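Review bot: Excluding `169.254.169.254` and `[fd00:ec2::254]` from shady-links removes coverage of the cloud metadata endpoint, which in a package's install- or import-time code is one of the stronger indicators of credential harvesting, whereas legitimate references mostly come from cloud SDKs and agents; the commit records neither the false-positive motivation nor the coverage given up, and patch 11 later widens the same exclusion to the whole `169.254.0.0/16` block. At minimum the comment should carry the trade-off, e.g. `# Exclude cloud provider metadata service IPs: referenced by cloud SDKs/agents, but note this also silences IMDS access in install-time code`, and a `# ok: shady-links` fixture containing one of these addresses should pin the decision. If the project wants to keep the signal, a separate lower-severity rule for metadata-endpoint access would preserve it without the noise in this one. The exclusion list belongs to a `patterns:` block that starts above the hunk.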
+++ b/guarddog/analyzer/sourcecode/code-execution.yml
@@ -43,8 +43,8 @@ rules:
 - pattern: subprocess.check_call($ARG1, ...)
 - pattern: check_call($ARG1, ...)
- - pattern: subprocess.check_call([..., "... $ARG1 ...", ...], ...)
- - pattern: check_call([..., "$ARG1", ...], ...)
+ - pattern: subprocess.check_call([..., $ARG1, ...], ...)
+ - pattern: check_call([..., $ARG1, ...], ...)
 # eval, allow checking for version
 - patterns:
From 24823e1ead544b5e2cd28eca5c135977d54cb95d Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:43:21 +0200
Subject: [PATCH 09/11] Put back old style
---
 guarddog/analyzer/sourcecode/code-execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/code-execution.yml b/guarddog/analyzer/sourcecode/code-execution.yml
index 8c8723a4..825fdada 100644
--- a/guarddog/analyzer/sourcecode/code-execution.yml
+++ b/guarddog/analyzer/sourcecode/code-execution.yml
@@ -43,8 +43,8 @@ rules:
 - pattern: subprocess.check_call($ARG1, ...)
 - pattern: check_call($ARG1, ...)
- - pattern: subprocess.check_call([..., $ARG1, ...], ...)
- - pattern: check_call([..., $ARG1, ...], ...)
+ - pattern: subprocess.check_call([..., "... $ARG1 ...", ...], ...)
+ - pattern: check_call([..., "$ARG1", ...], ...)
 # eval, allow checking for version
 - patterns:
From 21bdab224b0da92fe7522f64c50be6e3cee95735 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Thu, 3 Oct 2024 11:32:55 +0200
Subject: [PATCH 10/11] Add link to AWS docs
---
 guarddog/analyzer/sourcecode/shady-links.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 30aae79d..0409666a 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -21,6 +21,7 @@ rules:
 - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
 # Exclude cloud provider metadata service IPs
+ # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
 - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:169\.254\.169\.254|\[fd00:ec2::254\]))
 # ignore discord allowed
From 9c816552f3c4ef958fe4ffc434e20d998975f948 Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Fri, 4 Oct 2024 14:13:53 +0200
Subject: [PATCH 11/11] Exclude all cloud provider link local IPs
---
 guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 0409666a..905c4cb0 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -22,7 +22,7 @@ rules:
 # Exclude cloud provider metadata service IPs
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
- - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:169\.254\.169\.254|\[fd00:ec2::254\]))
+ - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:169\.254\.\d{1,3}\.\d{1,3}|\[fd00:ec2::254\]))
 # ignore discord allowed
 - pattern-not-regex: (?:https?:\/\/)?discord.com\/(invite|oauth2\/authorize)
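Review bot: The comment two lines above the rewritten regex still says `metadata service IPs`, but the new alternation `169\.254\.\d{1,3}\.\d{1,3}` excludes every `169.254.x.y` address, i.e. the whole IPv4 link-local block, and `\d{1,3}` also accepts octets above 255. Update the comment to describe what is actually excluded, e.g. `# Exclude the IPv4 link-local block (169.254.0.0/16: cloud metadata and task-credential endpoints) and the AWS IPv6 IMDS address`, and use `(?:25[0-5]|2[0-4]\d|1?\d{1,2})` for the two octets if exactness matters. Because this broadens the exclusion introduced in patch 07 to a far larger set of addresses, an `# ok: shady-links` fixture with a `169.254.` address in `tests/analyzer/sourcecode/shady-links.py` would make the choice explicit. The `patterns:` block this exclusion belongs to starts above the hunk.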