rules:feat - adding rule to spring framework rce (#1053)

This commit adds a new rule to identify a new remote code execution vulnerability in the spring framework. Due to the limitations of the regex engine, this rule can bring some false positives about safe versions pointed out as vulnerabilities. The rule will consider any vulnerability < 5.3.18 as vulnerable, which is not true, as versions >= 5.2.20 already have the fix for the problem, but due to the limitation of the engine we can't detect it. Signed-off-by: Nathan Martins <nathan.martins@zup.com.br> (cherry picked from commit e5a7fd0)
ZupIT · Apr 4, 2022 · 2c11096 · 2c11096
1 parent 763a796
commit 2c11096
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 4 deletions.
diff --git a/internal/services/custom_rules/custom_rule_test.go b/internal/services/custom_rules/custom_rule_test.go
@@ -18,12 +18,11 @@ import (
 	"regexp"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/ZupIT/horusec-devkit/pkg/enums/confidence"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
 	"github.com/ZupIT/horusec-engine/text"
+	"github.com/stretchr/testify/require"
 )
 
 func TestValidate(t *testing.T) {
@@ -325,7 +324,6 @@ func TestGetRuleType(t *testing.T) {
 }
 
 func TestGetExpressions(t *testing.T) {
-
 	exprs := []string{"testOne", "testTwo"}
 	exprOne, _ := regexp.Compile(exprs[0])
 	exprTwo, _ := regexp.Compile(exprs[1])

diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
@@ -143,6 +143,7 @@ func Rules() []engine.Rule {
 		// NewMessageDigest(),
 		NewOverlyPermissiveFilePermission(),
 		NewCipherGetInstanceInsecure(),
+		NewVulnerableRemoteCodeExecutionSpringFramework(),
 
 		// Regular rules
 		NewHiddenElements(),

diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
@@ -2634,3 +2634,21 @@ func NewUncheckedClassInstatiation() *text.Rule {
 		},
 	}
 }
+
+func NewVulnerableRemoteCodeExecutionSpringFramework() *text.Rule {
+	return &text.Rule{
+		Metadata: engine.Metadata{
+			ID:          "HS-JAVA-152",
+			Name:        "Spring Framework Remote Code Execution",
+			Description: "It has been identified that versions prior to < 5.3.18 or < 5.2.20 of the spring framework are vulnerable to remote code execution. Please upgrade to version >= 5.3.18 or >= 5.2.20. For more information checkout the CVE-2022-22965 (https://tanzu.vmware.com/security/cve-2022-22965) advisory.",
+			Severity:    severities.Critical.ToString(),
+			Confidence:  confidence.Medium.ToString(),
+		},
+		Type: text.OrMatch,
+		Expressions: []*regexp.Regexp{
+			regexp.MustCompile(`<dependency.*org="org\.springframework".*\s.*(5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+).*/>`),
+			regexp.MustCompile(`compile.*"org\.springframework:spring-context.*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+).*"\))`),
+			regexp.MustCompile(`<groupId>\s*org\.springframework\s*</groupId>\s*<artifactId>.*\s*spring-context.*\s*</artifactId>\s*(<version>\s*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+)).*)\s*</version>`),
+		},
+	}
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
@@ -723,6 +723,54 @@ func TestRulesVulnerableCode(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample1IvyVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<dependency org=\"org.springframework\"",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test")),
+						Line:     2,
+						Column:   0,
+					},
+				},
+			},
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample2GradleVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.2", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "compile(\"org.springframework:spring-context:5.3.17.RELEASE\")",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.2", ".test")),
+						Line:     3,
+						Column:   4,
+					},
+				},
+			},
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample3MavenVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.3", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<groupId>org.springframework</groupId>",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.3", ".test")),
+						Line:     4,
+						Column:   8,
+					},
+				},
+			},
+		},
 	}
 
 	testutil.TestVulnerableCode(t, testcases)
@@ -1007,6 +1055,24 @@ func TestRulesSafeCode(t *testing.T) {
 			Src:      Sample5MavenSafeHSJAVA151,
 			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")),
 		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample1IvySafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample2GradleSafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample3MavenSafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
 	}
 	testutil.TestSafeCode(t, testcases)
 }
diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/sample_test.go
@@ -1444,5 +1444,51 @@ test {
         </dependency>
     </dependencies>
 </project>
+`
+
+	Sample1IvyVulnerableHSJAVA152 = `
+<dependency org="org.springframework"
+    name="spring-core" rev="5.3.17.RELEASE" conf="compile->runtime"/>
+`
+
+	Sample1IvySafeHSJAVA152 = `
+<dependency org="org.springframework"
+    name="spring-core" rev="5.3.18.RELEASE" conf="compile->runtime"/>
+`
+
+	Sample2GradleVulnerableHSJAVA152 = `
+dependencies {
+    compile("org.springframework:spring-context:5.3.17.RELEASE")
+    testCompile("org.springframework:spring-test:5.3.17.RELEASE")
+}
+`
+
+	Sample2GradleSafeHSJAVA152 = `
+dependencies {
+    compile("org.springframework:spring-context:5.3.18.RELEASE")
+    testCompile("org.springframework:spring-test:5.3.18.RELEASE")
+}
+`
+
+	Sample3MavenVulnerableHSJAVA152 = `
+<dependencies>
+    <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-context</artifactId>
+        <version>5.3.17.RELEASE</version>
+        <scope>runtime</scope>
+    </dependency>
+</dependencies>
+`
+
+	Sample3MavenSafeHSJAVA152 = `
+<dependencies>
+    <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-context</artifactId>
+        <version>5.3.18.RELEASE</version>
+        <scope>runtime</scope>
+    </dependency>
+</dependencies>
 `
 )
diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go
@@ -67,7 +67,7 @@ func TestGetRules(t *testing.T) {
 		{
 			engine:             "Java",
 			manager:            java.NewRules(),
-			expectedTotalRules: 182,
+			expectedTotalRules: 183,
 		},
 		{
 			engine:             "Dart",