diff --git a/assets/semgrep_rules/client/android-resolve-intent.yaml b/assets/semgrep_rules/client/android-resolve-intent.yaml index 82d188ff..e2664fef 100644 --- a/assets/semgrep_rules/client/android-resolve-intent.yaml +++ b/assets/semgrep_rules/client/android-resolve-intent.yaml @@ -16,6 +16,7 @@ rules: author: Artem Chaikin source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/android-resolve-intent.yaml assignees: stoletheminerals + category: security message: Implicit intents in resolveComponent and queryComponent methods for component launch may pose security risks, as other installed apps can register similar components with higher priority. Instead, it is recommended to use hardcoded package names for third-party components launch or getApplicationContext().getPackageName() for local component launch. languages: [java, kotlin] severity: WARNING diff --git a/assets/semgrep_rules/client/brave-execute-script-ios.yaml b/assets/semgrep_rules/client/brave-execute-script-ios.yaml index 3de109a5..aa2416d3 100644 --- a/assets/semgrep_rules/client/brave-execute-script-ios.yaml +++ b/assets/semgrep_rules/client/brave-execute-script-ios.yaml @@ -8,6 +8,7 @@ rules: assignees: | stoletheminerals bridiver + category: security message: | $FUNC usages should be vet by the security-team. diff --git a/assets/semgrep_rules/client/brave-execute-script.yaml b/assets/semgrep_rules/client/brave-execute-script.yaml index 888114d1..0069053f 100644 --- a/assets/semgrep_rules/client/brave-execute-script.yaml +++ b/assets/semgrep_rules/client/brave-execute-script.yaml @@ -10,6 +10,7 @@ rules: thypon diracdeltas bridiver + category: security message: | $FUNC usages should be vet by the security-team. diff --git a/assets/semgrep_rules/client/brave-isolated-world.yaml b/assets/semgrep_rules/client/brave-isolated-world.yaml index 8ada3ff7..532b03fa 100644 --- a/assets/semgrep_rules/client/brave-isolated-world.yaml 
+++ b/assets/semgrep_rules/client/brave-isolated-world.yaml @@ -8,6 +8,7 @@ rules: diracdeltas bridiver source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-isolated-world.yaml + category: security message: Security hotspot found (`ISOLATED_WORLD`). A security-team member should analyze the code security for possible vulnerabilities. severity: WARNING languages: diff --git a/assets/semgrep_rules/client/brave-missing-break-in-switch.yaml b/assets/semgrep_rules/client/brave-missing-break-in-switch.yaml index 895ee339..5167a786 100644 --- a/assets/semgrep_rules/client/brave-missing-break-in-switch.yaml +++ b/assets/semgrep_rules/client/brave-missing-break-in-switch.yaml @@ -10,6 +10,7 @@ rules: - https://github.com/returntocorp/semgrep/issues/4939 confidence: MEDIUM source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/brave-missing-break-in-switch.yaml + category: security # NOTE: we should also check for default blocks that miss the # break/return/exit or equivalent statement/function call. message: >- diff --git a/assets/semgrep_rules/client/cast-signed-to-unsigned.yaml b/assets/semgrep_rules/client/cast-signed-to-unsigned.yaml index 2c9facda..5022c4fe 100644 --- a/assets/semgrep_rules/client/cast-signed-to-unsigned.yaml +++ b/assets/semgrep_rules/client/cast-signed-to-unsigned.yaml @@ -6,6 +6,7 @@ rules: fmarier thypon bridiver + category: security patterns: - pattern: ($CAST)($TYPE $X) - metavariable-regex: diff --git a/assets/semgrep_rules/client/check_includes.yaml b/assets/semgrep_rules/client/check_includes.yaml index 78c9cdc2..7128ffd2 100644 --- a/assets/semgrep_rules/client/check_includes.yaml +++ b/assets/semgrep_rules/client/check_includes.yaml @@ -9,6 +9,7 @@ rules: assignees: | bridiver thypon + category: security paths: include: - "*.gn" 
diff --git a/assets/semgrep_rules/client/chromium-insecure-gurl.yaml b/assets/semgrep_rules/client/chromium-insecure-gurl.yaml index 2bb2217b..41597907 100644 --- a/assets/semgrep_rules/client/chromium-insecure-gurl.yaml +++ b/assets/semgrep_rules/client/chromium-insecure-gurl.yaml @@ -6,6 +6,7 @@ rules: assignees: | thypon fmarier + category: security pattern-either: - patterns: - pattern: $TYPE $VAR = ...; diff --git a/assets/semgrep_rules/client/chromium-uaf.yaml b/assets/semgrep_rules/client/chromium-uaf.yaml index 575c59eb..1b8fb260 100644 --- a/assets/semgrep_rules/client/chromium-uaf.yaml +++ b/assets/semgrep_rules/client/chromium-uaf.yaml @@ -16,6 +16,7 @@ rules: thypon goodov iefremov + category: security message: | base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding. Consider swapping Unretained for a weak reference. diff --git a/assets/semgrep_rules/client/dangling-pointer-trait.yaml b/assets/semgrep_rules/client/dangling-pointer-trait.yaml index 70655dd9..7b55c65e 100644 --- a/assets/semgrep_rules/client/dangling-pointer-trait.yaml +++ b/assets/semgrep_rules/client/dangling-pointer-trait.yaml @@ -9,6 +9,7 @@ rules: stoletheminerals thypon cdesouza-chromium + category: security patterns: - pattern-either: - pattern-inside: raw_ptr<...> diff --git a/assets/semgrep_rules/client/glide-library.yaml b/assets/semgrep_rules/client/glide-library.yaml index 2dfa8078..e245916a 100644 --- a/assets/semgrep_rules/client/glide-library.yaml +++ b/assets/semgrep_rules/client/glide-library.yaml @@ -8,6 +8,7 @@ rules: assignees: | stoletheminerals bridiver + category: security message: "The Glide image loading library is not yet approved, new usages should not be implemented until the security team has given their approval." languages: [java] severity: WARNING diff --git a/assets/semgrep_rules/client/interesting-api-calls.yaml b/assets/semgrep_rules/client/interesting-api-calls.yaml index b79bf20e..d8f94f71 100644 
--- a/assets/semgrep_rules/client/interesting-api-calls.yaml +++ b/assets/semgrep_rules/client/interesting-api-calls.yaml @@ -11,6 +11,7 @@ rules: # NOTE: goto, try/catch, kill/sig/jmp, sem/mutex, new/delete, # static_cast/reinterpret_cast are not covered. source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/interesting-api-calls.yaml + category: security message: >- Locate all calls to interesting and potentially insecure API functions (candidate points). The auditor can backtrace from these candidate points to find pathways allowing access from untrusted input. severity: INFO diff --git a/assets/semgrep_rules/client/licensing.yaml b/assets/semgrep_rules/client/licensing.yaml index 24c18ba2..401a1a5d 100644 --- a/assets/semgrep_rules/client/licensing.yaml +++ b/assets/semgrep_rules/client/licensing.yaml @@ -8,6 +8,7 @@ rules: fmarier thypon source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/licensing.yaml + category: security message: "Non-free license detected" severity: ERROR languages: diff --git a/assets/semgrep_rules/client/mismatched-memory-management-cpp.yaml b/assets/semgrep_rules/client/mismatched-memory-management-cpp.yaml index 5b1ea573..0e67488c 100644 --- a/assets/semgrep_rules/client/mismatched-memory-management-cpp.yaml +++ b/assets/semgrep_rules/client/mismatched-memory-management-cpp.yaml 
@@ -13,6 +13,7 @@ rules: # NOTE: overloaded operators, VirtualAlloc()/VirtualFree(), # mmap()/munmap() are not covered. source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/mismatched-memory-management-cpp.yaml + category: security message: >- The software attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed. Due to inherent limitations of Semgrep, this rule might generate many false positives and should therefore be customized for your codebase. severity: INFO diff --git a/assets/semgrep_rules/client/signed-unsigned-conversion.yaml b/assets/semgrep_rules/client/signed-unsigned-conversion.yaml index 204ee0fb..f8cff54e 100644 --- a/assets/semgrep_rules/client/signed-unsigned-conversion.yaml +++ b/assets/semgrep_rules/client/signed-unsigned-conversion.yaml 
@@ -15,6 +15,7 @@ rules: - http://www.phrack.org/issues/60/10.html#article - https://docs.microsoft.com/en-us/cpp/sanitizers/asan-error-examples confidence: MEDIUM + category: security source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/signed-unsigned-conversion.yaml message: The software uses a signed primitive and performs a cast to an unsigned primitive, or uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the signed primitive cannot be represented using an unsigned primitive, or if the value of the unsigned primitive cannot be represented using a signed primitive. It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to an exploitable buffer overflow or underflow condition. Although less frequent an issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic. severity: WARNING diff --git a/assets/semgrep_rules/client/typos.yaml b/assets/semgrep_rules/client/typos.yaml index 0a503ff1..22737640 100644 --- a/assets/semgrep_rules/client/typos.yaml +++ b/assets/semgrep_rules/client/typos.yaml 
@@ -14,6 +14,7 @@ rules: license: MIT original_source: https://raw.githubusercontent.com/0xdea/semgrep-rules/main/c/typos.yaml source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/typos.yaml + category: security # NOTE: common issues with comments are not covered. # NOTE: constructs such as assert(var == val) lead to false positives. message: >- diff --git a/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml b/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml index 1ad4cfd9..00bd85bb 100644 --- a/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml +++ b/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml @@ -9,6 +9,7 @@ rules: stoletheminerals thypon cdesouza-chromium + category: security languages: [cpp] message: "Potentially unsafe C++ construct detected" severity: WARNING diff --git a/assets/semgrep_rules/client/unsafejs-in-cpp.yaml b/assets/semgrep_rules/client/unsafejs-in-cpp.yaml index b497b04b..59b399aa 100644 --- a/assets/semgrep_rules/client/unsafejs-in-cpp.yaml +++ b/assets/semgrep_rules/client/unsafejs-in-cpp.yaml @@ -7,6 +7,7 @@ rules: diracdeltas thypon source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/unsafejs-in-cpp.yaml + category: security message: Unsafe JS in CPP strings languages: - c diff --git a/assets/semgrep_rules/services/activerecord-sanitize-sql-noop.yaml b/assets/semgrep_rules/services/activerecord-sanitize-sql-noop.yaml index c1bf198a..823cf056 100644 --- a/assets/semgrep_rules/services/activerecord-sanitize-sql-noop.yaml +++ b/assets/semgrep_rules/services/activerecord-sanitize-sql-noop.yaml @@ -25,3 +25,4 @@ rules: - https://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html confidence: LOW source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/activerecord-sanitize-sql-noop.yaml + category: security 
diff --git a/assets/semgrep_rules/services/find-links-without-no-index.yaml b/assets/semgrep_rules/services/find-links-without-no-index.yaml index e7ee4612..a70832f4 100644 --- a/assets/semgrep_rules/services/find-links-without-no-index.yaml +++ b/assets/semgrep_rules/services/find-links-without-no-index.yaml @@ -1,11 +1,13 @@ rules: - id: find-links-without-no-index - author: Artem Chaikin - source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/find-links-without-no-index.yaml - references: + metadata: + author: Artem Chaikin + source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/find-links-without-no-index.yaml + references: - https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior - https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/ - confidence: LOW + confidence: LOW + category: security pattern-either: - pattern-regex: ^(?!.*--no-index).*--find-links - pattern-regex: ^(?!.*--no-index).*(pip|pip3)\s.*\s-f diff --git a/assets/semgrep_rules/services/http-parse-multipart-dos.yaml b/assets/semgrep_rules/services/http-parse-multipart-dos.yaml index 95f4d414..14028e23 100644 --- a/assets/semgrep_rules/services/http-parse-multipart-dos.yaml +++ b/assets/semgrep_rules/services/http-parse-multipart-dos.yaml @@ -10,6 +10,7 @@ rules: assignees: | thypon kdenhartog + category: security severity: INFO languages: - go diff --git a/assets/semgrep_rules/services/internal-digest-call.yaml b/assets/semgrep_rules/services/internal-digest-call.yaml index 742fbc66..c9ebbdeb 100644 --- a/assets/semgrep_rules/services/internal-digest-call.yaml +++ b/assets/semgrep_rules/services/internal-digest-call.yaml 
@@ -7,3 +7,8 @@ rules: severity: WARNING metadata: source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/internal-digest-call.yaml + assignees: | + stoletheminerals + thypon + cdesouza-chromium + bridiver diff --git a/assets/semgrep_rules/services/io-readall-dos.yaml b/assets/semgrep_rules/services/io-readall-dos.yaml index dba500af..5e0b974b 100644 --- a/assets/semgrep_rules/services/io-readall-dos.yaml +++ b/assets/semgrep_rules/services/io-readall-dos.yaml @@ -10,6 +10,7 @@ rules: assignees: | thypon kdenhartog + category: security severity: INFO languages: - go diff --git a/assets/semgrep_rules/services/no-backticks-in-js-handlers.yaml b/assets/semgrep_rules/services/no-backticks-in-js-handlers.yaml index 28489db4..eefd8d5b 100644 --- a/assets/semgrep_rules/services/no-backticks-in-js-handlers.yaml +++ b/assets/semgrep_rules/services/no-backticks-in-js-handlers.yaml @@ -3,6 +3,7 @@ rules: metadata: author: Andrea Brancaleoni @ Brave source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/no-backticks-in-js-handlers.yaml + category: security patterns: - pattern-either: - pattern-inside: $HANDLER="..." diff --git a/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml b/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml index 575f953b..a1682765 100644 --- a/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml +++ b/assets/semgrep_rules/services/nodejs-insecure-url-parse.yaml @@ -9,6 +9,7 @@ rules: references: - https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost - https://nodejs.org/api/url.html#the-whatwg-url-api + category: security pattern-either: - pattern: url.parse(...) - pattern: require('url').parse(...) diff --git a/assets/semgrep_rules/services/path-travesal-by-string-interpolation.yaml b/assets/semgrep_rules/services/path-travesal-by-string-interpolation.yaml index 750c4e4a..16a016a1 100644 
--- a/assets/semgrep_rules/services/path-travesal-by-string-interpolation.yaml +++ b/assets/semgrep_rules/services/path-travesal-by-string-interpolation.yaml @@ -4,6 +4,7 @@ rules: author: Ben Caller confidence: MEDIUM source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/path-travesal-by-string-interpolation.yaml + category: security message: The code contains new security hotspots which should be checked manually by a security team member! Could a user perform path traversal by setting a variable to include `../`? severity: INFO languages: diff --git a/assets/semgrep_rules/services/pip-extra-index-url.yaml b/assets/semgrep_rules/services/pip-extra-index-url.yaml index 56439389..f163234b 100644 --- a/assets/semgrep_rules/services/pip-extra-index-url.yaml +++ b/assets/semgrep_rules/services/pip-extra-index-url.yaml @@ -7,6 +7,7 @@ rules: - https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/ confidence: LOW source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/pip-extra-index-url.yaml + category: security message: >- Use --index-url instead of --extra-index-url to avoid dependency confusion. When using --extra-index-url, pip looks on pypi.org as well as the private index. It may install a malicious package from pypi.org with the same name as your private package instead of the package in your private index. severity: INFO diff --git a/assets/semgrep_rules/services/starts-with-partial-host-py.yaml b/assets/semgrep_rules/services/starts-with-partial-host-py.yaml index 1216a138..13dceabd 100644 --- a/assets/semgrep_rules/services/starts-with-partial-host-py.yaml +++ b/assets/semgrep_rules/services/starts-with-partial-host-py.yaml 
@@ -4,6 +4,7 @@ rules: author: Ben Caller confidence: LOW source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/starts-with-partial-host-py.yaml + category: security patterns: - pattern: $URL.startswith("$PREFIX") - metavariable-regex: diff --git a/assets/semgrep_rules/services/svelte-html-usages.yaml b/assets/semgrep_rules/services/svelte-html-usages.yaml index f36d8a86..b81426ff 100644 --- a/assets/semgrep_rules/services/svelte-html-usages.yaml +++ b/assets/semgrep_rules/services/svelte-html-usages.yaml @@ -8,6 +8,7 @@ rules: - https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words confidence: LOW source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/svelte-html-usages.yaml + category: security message: >- The code contains new security hotspots (`{@html expression}`) which should be checked manually by a security team member! severity: INFO diff --git a/assets/semgrep_rules/services/svelte-purifyConfig-usage.yaml b/assets/semgrep_rules/services/svelte-purifyConfig-usage.yaml index 5d2642c0..4186fa25 100644 --- a/assets/semgrep_rules/services/svelte-purifyConfig-usage.yaml +++ b/assets/semgrep_rules/services/svelte-purifyConfig-usage.yaml @@ -7,7 +7,8 @@ rules: - https://cwe.mitre.org/data/definitions/615 - https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words confidence: LOW - source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/svelte-purifyConfig-usages.yaml + source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/svelte-purifyConfig-usage.yaml + category: security message: >- The code contains new security hotspots (`purifyConfig`) which should be checked manually by a security team member! severity: INFO diff --git a/assets/semgrep_rules/services/url-constructor-base.yaml b/assets/semgrep_rules/services/url-constructor-base.yaml index 37797390..aa8ecdd5 100644 
--- a/assets/semgrep_rules/services/url-constructor-base.yaml +++ b/assets/semgrep_rules/services/url-constructor-base.yaml @@ -9,6 +9,7 @@ rules: assignees: | thypon kdenhartog + category: security message: Are you using the `URL(url, base)` constructor as a security control to limit the origin with base `$BASE`? The base is ignored whenever url looks like an absolute URL, e.g. when it begins `protocol://`. `\\\\` or `//x.y`. Verify that the URL's origin is as expected rather than relying on the URL constructor. severity: INFO languages:
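Review bot: in several of these hunks (cast-signed-to-unsigned.yaml, check_includes.yaml, chromium-insecure-gurl.yaml, dangling-pointer-trait.yaml, unsafe-cpp-constructs.yaml) the added `category: security` line is immediately followed by a rule-level key such as `patterns:`, `paths:`, `pattern-either:` or `languages:`, and the flattened diff does not show its indentation. `category` is only meaningful under `metadata:`, and Semgrep's rule schema rejects unknown keys at rule level, so please confirm each added line is indented into the existing `metadata:` block rather than sitting beside `patterns:`; `semgrep --validate --config assets/semgrep_rules/` over the tree would catch any that landed at the wrong level.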
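Review bot: in the find-links-without-no-index.yaml hunk the `references:` key moves one level deeper under the new `metadata:` block, but its two list items (`- https://portswigger.net/...` and `- https://www.bleepingcomputer.com/...`) appear as unchanged context and were not re-indented. If they now sit at a shallower indent than `references:` the file no longer parses and the rule silently drops out of the run, so either re-indent the two items in this hunk or confirm they already sat at the deeper level.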
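Review bot: internal-digest-call.yaml is the one touched rule that does not receive `category: security`; its hunk only adds the `assignees:` list under `metadata:`. If the purpose of this patch is to let the action filter or label findings by category, this rule will be skipped, so add the line next to the new `assignees:` (and the existing `source:`) for consistency with the other 27 files.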
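Review bot: tagging licensing.yaml ("Non-free license detected"), typos.yaml and brave-missing-break-in-switch.yaml with `category: security` gives every rule in the repository the same value, which makes the field useless as a filter. Semgrep's registry convention also uses `correctness`, `best-practice` and `maintainability`, which describe the typo and switch-fallthrough rules better, and a license check is arguably none of these. Consider varying the category per rule, or stating why a uniform `security` value is intended.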
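Review bot: the svelte-purifyConfig-usage.yaml hunk corrects the `source:` URL so it matches the file name (`usages` to `usage`), which is right; while here, note that path-travesal-by-string-interpolation.yaml has the same kind of mismatch baked in the other way round, since both the file name and its `source:` URL spell "travesal". A rename plus URL update is a natural follow-up so that the `source:` links in findings resolve to a correctly named file.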
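Review bot: brave-execute-script.yaml and brave-execute-script-ios.yaml keep the message `$FUNC usages should be vet by the security-team`, and chromium-uaf.yaml keeps `base::Unretained is most of the time unrequited`; since these files are being touched anyway, changing `vet` to `vetted` and `unrequited` to `unnecessary` (or `not required`) would make the text developers see in the finding read correctly.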