Merge branch 'master' into rule/add-RSPEC-S7475

Author: erwan-serandour

rules/S5334/common/resources/articles.adoc

@@ -1,4 +1,4 @@
 === Articles & blog posts
 
-* https://blog.sonarsource.com/moodle-remote-code-execution/[SonarSource, Evil Teacher: Code Injection in Moodle]
+* SonarSource - https://blog.sonarsource.com/moodle-remote-code-execution/[Evil Teacher: Code Injection in Moodle]
 

rules/S5334/java/how-to-fix-it/commons-compiler.adoc

@@ -17,7 +17,7 @@ public class ExampleController
     @GetMapping(value = "/")
     public void exec(@RequestParam("message") String message) throws IOException, InvocationTargetException {
         ScriptEvaluator se = new ScriptEvaluator();
-        se.cook("System.out.println(\" + message \");");
+        se.cook("System.out.println(" + message +");"); // Noncompliant
         se.evaluate(null);
     }
 }

rules/S5334/kotlin/how-to-fix-it/commons-compiler.adoc

@@ -0,0 +1,51 @@
+== How to fix it in Commons Compiler
+
+=== Code examples
+
+The following code is vulnerable to arbitrary code execution because it compiles
+and runs HTTP data.
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+import org.codehaus.janino.ScriptEvaluator
+
+@Controller
+class ExampleController {
+    @GetMapping("/")
+    fun exec(@RequestParam("message") message: String) {
+        val se = ScriptEvaluator()
+        se.cook("System.out.println($message);") // Noncompliant
+        se.evaluate(null)
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+import org.codehaus.janino.ScriptEvaluator
+
+@Controller
+class ExampleController {
+    @GetMapping("/")
+    fun exec(@RequestParam("message") message: String) {
+        val se = ScriptEvaluator()
+        se.setParameters(arrayOf("input"), arrayOf(String::class.java))
+        se.cook("System.out.println(input);")
+        se.evaluate(arrayOf(message))
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/introduction.adoc[]
+
+include::../../common/fix/parameters.adoc[]
+
+The compliant code example uses such an approach.
+
+include::../../common/fix/allowlist.adoc[]

rules/S5334/kotlin/how-to-fix-it/spring.adoc

@@ -0,0 +1,51 @@
+== How to fix it in Spring
+
+=== Code examples
+
+The following code is vulnerable to arbitrary code execution because it compiles
+and runs HTTP data.
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=11,diff-type=noncompliant]
+----
+import org.springframework.expression.spel.standard.SpelExpressionParser
+
+@Controller
+class ExampleController {
+    @GetMapping("/")
+    fun exec(@RequestParam("message") message: String) {
+        val parser = SpelExpressionParser()
+        val exp = parser.parseExpression(message) // Noncompliant
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=11,diff-type=compliant]
+----
+import org.springframework.expression.spel.standard.SpelExpressionParser
+
+@Controller
+class ExampleController {
+    @GetMapping("/")
+    fun exec(@RequestParam("message") message: String) {
+        val evaluationContext = StandardEvaluationContext()
+        evaluationContext.setVariable("msg", message)
+        val parser = SpelExpressionParser()
+        val exp = parser.parseExpression("#msg")
+        val result = exp.getValue(evaluationContext) as String
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/introduction.adoc[]
+
+include::../../common/fix/parameters.adoc[]
+
+The compliant code example uses such an approach.
+
+include::../../common/fix/allowlist.adoc[]

rules/S5334/kotlin/metadata.json

@@ -0,0 +1,30 @@
+{
+  "securityStandards": {
+    "CWE": [
+      20,
+      95,
+      917
+    ],
+    "OWASP": [
+      "A1"
+    ],
+    "OWASP Top 10 2021": [
+      "A3"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.1"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "5.1.3",
+      "5.1.4",
+      "5.2.4",
+      "5.5.4"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222609"
+    ]
+  }
+}

rules/S5334/kotlin/rule.adoc

@@ -0,0 +1,45 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+include::how-to-fix-it/commons-compiler.adoc[]
+
+include::how-to-fix-it/spring.adoc[]
+
+== Resources
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+* CWE - https://cwe.mitre.org/data/definitions/917[CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+=== Highlighting
+
+"[varname]" is tainted (assignments and parameters)
+
+this argument is tainted (method invocations)
+
+the returned value is tainted (returns & method invocations results)
+
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
+

rules/S5496/java/rule.adoc

@@ -15,7 +15,7 @@ include::how-to-fix-it/groovy.adoc[]
 
 === Articles & blog posts
 
-* https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/[Exploiting SSTI in Thymeleaf]
+* Acunetix Web Security Blog - https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/[Exploiting SSTI in Thymeleaf]
 
 include::../standards.adoc[]
 

rules/S5496/kotlin/how-to-fix-it/groovy.adoc

@@ -0,0 +1,59 @@
+== How to fix it in Groovy
+
+=== Code examples
+
+==== Noncompliant code example
+
+The following code example is vulnerable to a Server-Side Template Injection
+attack because it builds a template string from a user input without control or
+sanitation.
+
+[source,kotlin,diff-id=21,diff-type=noncompliant]
+----
+import groovy.text.markup.MarkupTemplateEngine
+import groovy.text.markup.TemplateConfiguration
+
+@Controller
+class ExampleController {
+    @GetMapping("/example")
+    fun example(@RequestParam("title") title: String): String {
+        val templateString = "h1('$title')"
+        val config = TemplateConfiguration()
+        val engine = MarkupTemplateEngine(config)
+        val template = engine.createTemplate(templateString) // Noncompliant
+        val out = template.make()
+        return out.toString()
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=21,diff-type=compliant]
+----
+import groovy.text.markup.MarkupTemplateEngine
+import groovy.text.markup.TemplateConfiguration
+
+@Controller
+class ExampleController {
+    @GetMapping("/example")
+    fun example(@RequestParam("title") title: String): String {
+        val templateString = "h1(title)"
+
+        val ctx = mutableMapOf<String, Any>()
+        ctx["title"] = title
+
+        val config = TemplateConfiguration()
+        val engine = MarkupTemplateEngine(config)
+        val template = engine.createTemplate(templateString)
+        val out: Writable = template.make(ctx)
+        return out.toString()
+    }
+}
+----
+
+=== How does this work?
+
+The compliant code example uses a template binding to pass user information to
+the template. The rendering engine then ensures that this tainted data is
+processed in a way that will not change the template semantics.

rules/S5496/kotlin/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S5496/kotlin/rule.adoc

@@ -0,0 +1,32 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+include::how-to-fix-it/groovy.adoc[]
+
+
+== Resources
+
+=== Articles & blog posts
+
+* Acunetix Web Security Blog - https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/[Exploiting SSTI in Thymeleaf]
+
+include::../standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+include::../message.adoc[]
+
+'''
+endif::env-github,rspecator-view[]

rules/S5883/common/resources/docs.adoc

@@ -1,6 +1,6 @@
 === Documentation
 
-* https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html[OWASP, OS Command Injection Defense Cheat Sheet]
-* https://gtfobins.github.io/#+shell[GTFOBins, list of Unix binaries that can be used to bypass local security restrictions]
-* https://lolbas-project.github.io/#[LOLBAS, list of Windows binaries that can be used to bypass local security restrictions]
+* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html[OS Command Injection Defense Cheat Sheet]
+* GTFOBins - https://gtfobins.github.io/#+shell[list of Unix binaries that can be used to bypass local security restrictions]
+* LOLBAS - https://lolbas-project.github.io/#[list of Windows binaries that can be used to bypass local security restrictions]
 

rules/S5883/java/how-to-fix-it/java-se.adoc renamed to rules/S5883/java/how-to-fix-it/java-lang.adoc

@@ -1,4 +1,4 @@
-== How to fix it in Java SE
+== How to fix it in Java Lang Package
 
 === Code examples
 

rules/S5883/java/rule.adoc

@@ -7,7 +7,7 @@ include::../impact.adoc[]
 
 // How to fix it section
 
-include::how-to-fix-it/java-se.adoc[]
+include::how-to-fix-it/java-lang.adoc[]
 
 include::how-to-fix-it/apache-commons.adoc[]
 

rules/S5883/kotlin/how-to-fix-it/apache-commons.adoc

@@ -0,0 +1,43 @@
+== How to fix it in Apache Commons
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+import org.apache.commons.exec.CommandLine
+
+@Controller
+class ExampleController {
+    @GetMapping("/find")
+    fun find(@RequestParam("filename") filename: String) {
+        val cmd = CommandLine("/usr/bin/find . -iname $filename") // Noncompliant
+    }
+}
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+import org.apache.commons.exec.CommandLine
+
+@Controller
+class ExampleController {
+    @GetMapping("/find")
+    fun find(@RequestParam("filename") filename: String) {
+        val cmd = CommandLine("/usr/bin/find")
+        cmd.addArguments(arrayOf("/usr/bin/find", ".", "-iname", filename))
+    }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/introduction.adoc[]
+
+Here `org.apache.commons.exec.CommandLine.addArguments(addArguments: Array<String>)` takes care of escaping the passed arguments and internally
+creates a single string given to the operating system to be executed.