@jameswinkler, @eddynaka

We have no meaningful tests for these checks. Please review these rules for value. And build them out if they should be retained or delete them if they are weak.

https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

If we do this, we can't easily support plug-ins with validator files that have different dependencies.

We should probably have a top-level directory with the plugin name:

.spam\Security

We should release to nuget.org.

We should change from Microsoft.CodeAnalysis to Microsoft.StaticAnalysis.

@michaelcfanning / @cfaucon, what do you think?

Idea: when we build the solution, our JSON files inside the Security project should be copied to a folder called .spam where the solution exists.

Suggestion: use MSBuild tasks to accomplish this.

No longer necessary. Groups["0"] contains this data as a flex match. This is a very intrusive change, whoever picks it up should coordinate with other team members first to make sure the timing is good.

@jameswinkler , if we follow what I did in the pfx, we could validate .cer files.

We should create a folder helpers and move the logic that they will share.

ping me if u need help.

cc: @michaelcfanning

Today, every result found by the ContentsRegex is a valid issue.

But we have cases that we know that is a false positive, so it should not trigger.

@eddynaka , @jameswinkler , this is a small fix but high priority

The correct casing of this rule name is GoogleGcmServiceAccountValidator. In .NET, you never case more than two letters in sequence as upper-case.

Also, the fingerprint for this check is broken. Resource is not the right property to use. A 'resource' is a sub-component of a container. So, a database is a resource of a database server.

This rule in general looks weak. What's the insecurity here? If we can't detect an exposure of interest, that can be validated, please just consider deleting this check for now.

@eddynaka, @jameswinkler, this is high priority.

We currently persist the complete slack web URL as the secret. This prevents us from, say, examining the shannon entropy of the key element of the URL. I think it breaks down like so.

Can we convert the fingerprint to use the id and key elements asap? Thanks!

https://hooks.slack.com/services/{id}/{key}

Today, each MatchExpression contains a property called ContentsRegex. With that, we are restricted to only one regex per match expression.

But we have cases where a subId might have multiple regexes.

These are emitted within each plugin directory currently. Can we change relevant targets files to redirect to the official build location?

@eddynaka

@eddynaka

Check this pr and move from Theory to Fact just like sarif-sdk.

#60

This would return a consistent message and return value for this scenario.

Today, for each validator, we are just implementing a method. But, sometimes, we need a base configuration across all validators, such as tls1.2 enablement.

Based on that, we should figure out what is the best way to provide this interface / class to facilitate this development.

cc: @cfaucon @michaelcfanning

Today, we are using nerdbank to generate the versioning.

But when we do that and we publish, it's adding the commit to the versioning, making it hard to check if you are using the latest or not.

Idea: we don't want to create a new branch, for example v1.3.2, update the files and release, since we are doing pre-releases.

Results such as the following aren't necessarily warnings, they may reflect proper security applied to an API key. Generally, it's best not to expose a key but this can be difficult in some web site scenarios or when embedding a key in a mobile app (even in this latter case, though, Google recommends encrypting or obfuscating).

For these use cases, an API key should be restricted, for example, by applying a referer filter or enforcing a check against the mobile app identity. When our validator detects these conditions today, we fire warnings but arguably, these are 'pass' conditions! :)

e:\repros\test.txt(3,1-40): warning SEC101/003: 'test.txt' contains an apparent Google API key, the validity of which could not be determined by runtime analysis (an unexpected exception was caught attempting to validate api key: RequestDenied: API keys with referer restrictions cannot be used with this API).

e:\repros\test.txt(6,1-40): warning SEC101/003: 'test.txt' contains an apparent Google API key, the validity of which could not be determined by runtime analysis (an unexpected exception was caught attempting to validate api key: RequestDenied: This IP, site or mobile application is not authorized to use this API key. Request received from IP address 2601:600:877f:8c60:3033:d967:d038:6ee3, with empty referer).

@cfaucon has explained to us that our current model is not ideal.

@eddynaka

These two validators are almost identical in test cases and code. The only real difference are the names which can easily be merged with regex.

Merge the two validators.

While dynamic validation exists for CloudantValidator, we've never verified its accuracy. Testing against a free database https://64de90ff-4b11-4141-b2da-71d8013703be-bluemix.cloudant.com/dashboard.html always yields a 200/successful response, regardless of whether or not credentials are included in a request. It may be that free accounts can't be secured like payed accounts.

If we see that scanning against real data produces successful validation, we can close this work item.

If not, we need to eventually revisit this and complete the implementation. Perhaps the IBM documentation will be improved by then.

Useful links:

• https://cloud.ibm.com/docs/Cloudant?topic=Cloudant-creating-and-populating-a-simple-ibm-cloudant-database-on-ibm-cloud
• https://stackoverflow.com/questions/17035412/access-cloudant-db-using-net-httpclient
• https://cloud.ibm.com/docs/Cloudant?topic=Cloudant-getting-started-with-cloudant
• https://cloud.ibm.com/login - login here, not the page the database link directs you to

Add reference to the security project.

When we publish, the rules and the Security.dll should be in the same folder.

Today, if we run our test for the ReviewSensitiveFile, you will see that the output sarif is expecting many results because it is validating many times in the method RunMatchExpression.

What I would expect is: if we analyze a file that is an issue, we will just show one result pointing to the file.

What is happening today: it is analyzing all characters inside the file.

cc: @michaelcfanning

• Integrate with BuildRegex.
• Use String8 instead of StringUtf8.
• Consider refactoring names.
• Implement x86 support.
• Error handling, especially when compiling a pattern.
• Test x86 support.
• Ensure that Matches can be used concurrently.
  • [ ]Encoding.UTF8.GetBytes concurrency-safe?

The new GitHub PAT described here:

https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/

... comes with a checksum in the last 6 characters. Use this in static validation to reduce false positives.

We may be able to calculate CRC32 using existing code in the internal repo, here:
\src\Plugins\Security.Internal\SEC101_102.AdoPatValidator.cs

This library may be useful:

ICSharpCode.SharpZipLib.Checksum;

Search Nuget for "SharpZipLib"

Other useful code:

var crc32 = new Crc32();
byte[] byteArray = Encoding.ASCII.GetBytes(pat);
crc32.Update(byteArray);
string testString = crc32.Value.ToString();

string paddedIntendedChecksum = crc32.Value.ToString().PadLeft(6, '0');

if (paddedIntendedChecksum != checksum)
{
return ValidationState.NoMatch;
}

Security.csproj contains a json that looks for an email using regex. That regex is kinda broken.

Then, after the fix, try to create an email validator.

Talking with @cfaucon , when we analyze data from Cosmos, the data is based on JSON. So, with that in mind, we would need to enable all rules to accept JSON files.

What we propose:

Option 1:

• create a flag in the match expression properties that would enable JSON by default and, if the rule does not apply for JSON files, we would set it to false, for example.

Option 2:

• file vs content detection, for example, pfx vs json.

@michaelcfanning , what do you think?

... by using the information in this article: https://medium.com/@vibeeshpottayil/how-to-find-the-owner-of-a-facebook-app-id-b3205ebd0049

@eddynaka, this one looks useful, let's make it a priority if we can.

Create validator for this rule: Src/Plugins/Security/SEC101_002.GoogleOAuthCredentialsValidator.cs

Just to let you know, RE2 has an option where we can configure the size of the memory to use.

Right now, it’s a fixed number, but in specific cases, we could change that to something bigger.

😊

There are an arbitrary number of hosts in a config file, but you can also specify an arbitrary number of user credentials!

and so this helper should return host * secrets fingerprint candidates.

https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file

<packageSourceCredentials>
    <Contoso>
        <add key="Username" value="[email protected]" />
        <add key="Password" value="..." />
        <add key="ValidAuthenticationTypes" value="basic" />
    </Contoso>
    <Test_x0020_Source>
        <add key="Username" value="user" />
        <add key="ClearTextPassword" value="hal+9ooo_da!sY" />
        <add key="ValidAuthenticationTypes" value="basic, negotiate" />
    </Test_x0020_Source>
</packageSourceCredentials>

The Google Service Account Key validator attempts to extract and validate application oauth credentials. This is tricky as it requires requesting an access token without knowing the scopes, and with many redirects involved in the flow. Some code is started in https://github.com/microsoft/sarif-pattern-matcher/tree/users/v-jwinkler/GoogleServiceAccountKeyValidator_DynamicValidationAndUnitTests. The code using GoogleWebAuthorizationBroker comes closest, producing output messages like "invalid client id" or "client id deleted", but unfortunately these messages are only visible in a browser that unit tests open. The unit tests themselves hang.

Determine if there's any way to programmatically read the results from the browser, simulate the flow, or find some other technology/library to verify the client id and secret.

#128 (comment)

I am facing issues building the solution---running BuildAndTest.cmd from powershell throws a bunch of errors, which seem to highlight missing dependencies. Could you kindly enumerate the dependencies for the project in the documentation? Thanks!