diff --git a/.semgrep.yml b/.semgrep.yml index ec53f7b..a58901c 100644 --- a/.semgrep.yml +++ b/.semgrep.yml @@ -1,5 +1,569 @@ rules: - - id: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher + - + id: go.lang.security.audit.crypto.math_random.math-random-used + languages: + - go + message: "Do not use `math/rand`. Use `crypto/rand` instead." + metadata: + cwe: "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" + dev.semgrep.actions: + - block + owasp: "A3: Sensitive Data Exposure" + references: + - "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used" + pattern-either: + - + patterns: + - + pattern-inside: | + import mrand "math/rand" + ... + - + pattern-either: + - + pattern: mrand.Int() + - + pattern: mrand.Read(...) + - + patterns: + - + pattern-inside: | + import "math/rand" + ... + - + pattern-not-inside: | + import "crypto/rand" + ... + - + pattern-either: + - + pattern: rand.Int() + - + pattern: rand.Read(...) + severity: WARNING + - + id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 + languages: + - go + message: | + Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use SHA256 or SHA3 instead. + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5" + source-rule-url: "https://github.com/securego/gosec#available-rules" + pattern-either: + - + pattern: "md5.New()\n" + - + pattern: "md5.Sum(...)\n" + severity: WARNING + - + id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 + languages: + - go + message: | + Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use SHA256 or SHA3 instead. + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1" + source-rule-url: "https://github.com/securego/gosec#available-rules" + pattern-either: + - + pattern: "sha1.New()\n" + - + pattern: "sha1.Sum(...)\n" + severity: WARNING + - + id: go.lang.security.audit.net.pprof.pprof-debug-exposure + languages: + - go + message: | + The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. + This could leak information about the server. + Instead, use `import "net/http/pprof"`. See + https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ + for more information and mitigation. + metadata: + cwe: "CWE-489: Active Debug Code" + dev.semgrep.actions: + - block + owasp: "A6: Security Misconfiguration" + references: + - "https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure" + source-rule-url: "https://github.com/securego/gosec#available-rules" + patterns: + - + pattern-inside: | + import _ "net/http/pprof" + ... + - + pattern-inside: | + func $ANY(...) { + ... + } + - + pattern-not: "http.ListenAndServe(\"=~/^localhost.*/\", ...)" + - + pattern-not: "http.ListenAndServe(\"=~/^127[.]0[.]0[.]1.*/\", ...)" + - + pattern: http.ListenAndServe(...) + severity: WARNING + - + id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 + languages: + - go + message: | + Detected RC4 cipher algorithm which is insecure. The algorithm has many + known vulnerabilities. Use AES instead. + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4" + source-rule-url: "https://github.com/securego/gosec#available-rules" + pattern: rc4.NewCipher(...) + severity: WARNING + - + id: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace + languages: + - go + message: | + Detected a potentially dynamic ClientTrace. This occurred because semgrep could not + find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because + they deserialize function code to run when certain Request events occur, which could lead + to code being run without your knowledge. Ensure that your ClientTrace is statically defined. + metadata: + cwe: "CWE-913: Improper Control of Dynamically-Managed Code Resources" + dev.semgrep.actions: + - block + owasp: "A8: Insecure Deserialization" + references: + - "https://github.com/returntocorp/semgrep-rules/issues/518" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace" + patterns: + - + pattern-not-inside: | + ... + &httptrace.ClientTrace { ... } + ... + - + pattern: "httptrace.WithClientTrace($ANY, $TRACE)" + severity: WARNING + - + id: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf + languages: + - go + message: | + Found data going from url query parameters into formatted data written to ResponseWriter. + This could be XSS and should not be done. If you must do this, ensure your data is + sanitized or escaped. + metadata: + cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + dev.semgrep.actions: + - block + owasp: "A7: Cross-Site Scripting ('XSS')" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf" + patterns: + - + pattern-inside: | + func $FUNC(..., $W http.ResponseWriter, ...) { + ... + } + - + pattern-inside: | + ... + var $T = "..." + ... + $W.Write([]byte(fmt.$PRINTF($T, ...)), ...) + - + pattern-either: + - + pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $INTERM = $ANYTHING(..., $DATA, ...) + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - + pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $INTERM = $DATA[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - + pattern: | + $DATA, $ERR := r.URL.Query()[...] + ... + $INTERM = $DATA[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - + pattern: | + $DATA, $ERR := r.URL.Query()[...] + ... + $INTERM = $ANYTHING(..., $DATA, ...) + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - + pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $DATA, ...))) + severity: WARNING + - + fix-regex: + regex: VersionSSL30 + replacement: VersionTLS13 + id: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure + languages: + - go + message: | + SSLv3 is insecure because it has known vulnerabilities. + Starting with go1.14, SSLv3 will be removed. Instead, use + 'tls.VersionTLS13'. + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + references: + - "https://golang.org/doc/go1.14#crypto/tls" + - "https://www.us-cert.gov/ncas/alerts/TA14-290A" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure" + source-rule-url: "https://github.com/securego/gosec/blob/master/rules/tls_config.go" + patterns: + - + pattern: "tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}" + severity: ERROR + - + fix-regex: + regex: "(.*)(Copy|CopyBuffer)\\((.*?),(.*?)(\\)|,.*\\))" + replacement: "\\1CopyN(\\3, \\4, 1024*1024*256)" + id: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb + languages: + - go + message: "Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. Refer to https://bomb.codes/ to learn more about this attack and other ways to mitigate it." + metadata: + cwe: "CWE-400: Uncontrolled Resource Consumption" + dev.semgrep.actions: + - block + references: + - "https://bomb.codes/" + - "https://golang.org/pkg/io/#CopyN" + - "https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb" + source-rule-url: "https://github.com/securego/gosec" + patterns: + - + pattern-either: + - + pattern: io.Copy(...) + - + pattern: io.CopyBuffer(...) + - + pattern-either: + - + pattern-inside: | + gzip.NewReader(...) + ... + - + pattern-inside: | + zlib.NewReader(...) + ... + - + pattern-inside: | + zlib.NewReaderDict(...) + ... + - + pattern-inside: | + bzip2.NewReader(...) + ... + - + pattern-inside: | + flate.NewReader(...) + ... + - + pattern-inside: | + flate.NewReaderDict(...) + ... + - + pattern-inside: | + lzw.NewReader(...) + ... + - + pattern-inside: | + tar.NewReader(...) + ... + - + pattern-inside: | + zip.NewReader(...) + ... + - + pattern-inside: | + zip.OpenReader(...) + ... + severity: WARNING + - + id: go.lang.correctness.useless-eqeq.hardcoded-eq-true-or-false + languages: + - go + message: "useless if statement, always the same behavior" + metadata: + dev.semgrep.actions: + - block + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.correctness.useless-eqeq.hardcoded-eq-true-or-false" + patterns: + - + pattern-either: + - + pattern: "if (true) { ... }" + - + pattern: "if (false) { ... }" + severity: ERROR + - + id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES + languages: + - go + message: | + Detected DES cipher algorithm which is insecure. The algorithm is + considered weak and has been deprecated. Use AES instead. + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES" + source-rule-url: "https://github.com/securego/gosec#available-rules" + pattern-either: + - + pattern: "des.NewTripleDESCipher(...)\n" + - + pattern: "des.NewCipher(...)\n" + severity: WARNING + - + id: go.lang.maintainability.useless-ifelse.useless-if-body + languages: + - go + message: "Detected identical if-statement bodies. Is this intentional?\n" + metadata: + dev.semgrep.actions: + - block + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.maintainability.useless-ifelse.useless-if-body" + patterns: + - + pattern: |- + if ($X) { + $S + } else { + $S + } + severity: WARNING + - + id: go.lang.security.zip.path-traversal-inside-zip-extraction + languages: + - go + message: "File traversal when extracting zip archive" + metadata: + cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + dev.semgrep.actions: + - block + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction" + source_rule_url: "https://github.com/securego/gosec/issues/205" + patterns: + - + pattern: |- + reader, $ERR := zip.OpenReader($ARCHIVE) + ... + for _, $FILE := range reader.File { + ... + path := filepath.Join($TARGET, $FILE.Name) + ... + } + severity: WARNING + - + id: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key + languages: + - go + message: | + Disabled host key verification detected. This allows man-in-the-middle + attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do + host key verification. + See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ + to learn more about the problem and how to fix it. + metadata: + cwe: "CWE-322: Key Exchange without Entity Authentication" + dev.semgrep.actions: + - block + owasp: "A3: Sensitive Data Exposure" + references: + - "https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/" + - "https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key" + source-rule-url: "https://github.com/securego/gosec" + pattern: ssh.InsecureIgnoreHostKey() + severity: WARNING + - + id: go.lang.maintainability.useless-ifelse.useless-if-conditional + languages: + - go + message: "Detected an if block that checks for the same condition on both branches (`$X`)\n" + metadata: + dev.semgrep.actions: + - block + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.maintainability.useless-ifelse.useless-if-conditional" + patterns: + - + pattern-either: + - + pattern: |- + if ($X) { + ... + } else if ($X) { + ... + } + severity: WARNING + - + id: go.lang.security.audit.crypto.bad_imports.insecure-module-used + languages: + - go + message: "Detected use of an insecure cryptographic hashing method. This method is known to be broken and easily compromised. Use SHA256 or SHA3 instead." + metadata: + cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + dev.semgrep.actions: + - block + owasp: "A9: Using Components with Known Vulnerabilities" + references: + - "https://godoc.org/golang.org/x/crypto/sha3" + semgrep.policy: + id: 5253 + name: cart + slug: cart + semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used" + source-rule-url: "https://github.com/securego/gosec" + pattern-either: + - + patterns: + - + pattern-inside: | + import "crypto/md5" + ... + - + pattern: "md5.$FUNC(...)\n" + - + patterns: + - + pattern-inside: | + import "crypto/des" + ... + - + pattern: "des.$FUNC(...)\n" + - + patterns: + - + pattern-inside: | + import "crypto/sha1" + ... + - + pattern: "sha1.$FUNC(...)\n" + - + patterns: + - + pattern-inside: | + import "crypto/rc4" + ... + - + pattern: "rc4.$FUNC(...)\n" + - + patterns: + - + pattern-inside: | + import "net/http/cgi" + ... + - + pattern: "cgi.$FUNC(...)\n" + severity: WARNING + - + id: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher languages: - go message: | @@ -21,16 +585,28 @@ rules: semgrep.url: "https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher" source-rule-url: "https://github.com/securego/gosec/blob/master/rules/tls.go" pattern-either: - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_RC4_128_SHA,...}}\n" - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_AES_128_CBC_SHA256,...}}\n" - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,...}}\n" - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,...}}\n" - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,...}}\n" - - pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,...}}\n" - - pattern: "tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA ,...}\n" - - pattern: "tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256 ,...}\n" - - pattern: "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ,...}\n" - - pattern: "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA ,...}\n" - - pattern: "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ,...}\n" - - pattern: "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ,...}" - severity: WARNING \ No newline at end of file + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_RC4_128_SHA,...}}\n" + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_AES_128_CBC_SHA256,...}}\n" + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,...}}\n" + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,...}}\n" + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,...}}\n" + - + pattern: "tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,...}}\n" + - + pattern: "tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA ,...}\n" + - + pattern: "tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256 ,...}\n" + - + pattern: "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ,...}\n" + - + pattern: "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA ,...}\n" + - + pattern: "tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ,...}\n" + - + pattern: "tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ,...}" + severity: WARNING diff --git a/Makefile b/Makefile index 8d478e6..8358a14 100755 --- a/Makefile +++ b/Makefile @@ -10,4 +10,6 @@ build: test: @echo ">>> Running tests..." - @go test -race -v ./... -count=1 \ No newline at end of file + @go test -race -v ./... -count=1 + +.PHONY: up down build test diff --git a/internal/creator/cart_creator.go b/internal/creator/cart_creator.go index d91a6d9..4d48a30 100755 --- a/internal/creator/cart_creator.go +++ b/internal/creator/cart_creator.go @@ -36,7 +36,7 @@ func (c CartCreator) AddItem(ctx context.Context, dto AddItemDTO) error { stxt, span := trace.StartSpan(ctx, "cart_creator_add_item") defer span.End() - // ruleid: math-random-used + // ruleid: math-random-used bad, _ := rand.Read([]byte{3}) println(bad) diff --git a/internal/repository.go b/internal/repository.go index 91efa0d..fbd98fa 100755 --- a/internal/repository.go +++ b/internal/repository.go @@ -9,7 +9,7 @@ type CartRepository interface { Get(ctx context.Context) *Cart } -// This application only has Get Items but in future iterations there would also be a Save method to add new ones +// This application only has Get Items but in future iterations there would also be a Save method that adds new ones type ItemRepository interface { Get(ctx context.Context, itemID string) (Item, error) }