-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
NEW (pmd): @W-17310954@ Adding in some more AppExchange Security rules
- Loading branch information
1 parent
b3debb0
commit 851adf5
Showing
23 changed files
with
621 additions
and
85 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
...ules/src/main/java/com/salesforce/security/pmd/html/DetectHardCodedCredentialsInAura.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| package com.salesforce.security.pmd.html; | ||
|
|
||
| import java.util.List; | ||
|
|
||
| import net.sourceforge.pmd.lang.html.ast.ASTHtmlElement; | ||
| import net.sourceforge.pmd.lang.html.rule.AbstractHtmlRule; | ||
| import net.sourceforge.pmd.lang.rule.xpath.Attribute; | ||
|
|
||
| import com.salesforce.security.pmd.utils.SecretsInPackageUtils; | ||
|
|
||
| public class DetectHardCodedCredentialsInAura extends AbstractHtmlRule { | ||
| private static final String AURA_C_COMPONENT = "C:"; | ||
| private static final String AURA_HARDCODED_SECRET_VIOLATION = | ||
| "Detected a potential hard coded secret in aura:attribute \"%s\""; | ||
|
|
||
| @Override | ||
| @SuppressWarnings("unchecked") | ||
| public Object visit(ASTHtmlElement node, Object data) { | ||
| detectHardCodedSecrets(node,data); | ||
| return super.visit(node, data); | ||
| } | ||
|
|
||
| private void detectHardCodedSecrets(ASTHtmlElement htmlElement, Object data) { | ||
| String name=htmlElement.getNodeName(); | ||
| if (name.equalsIgnoreCase("aura:attribute")) { | ||
| detectSecretsInAuraAttrs(htmlElement, data); | ||
| } else if (name.toUpperCase().startsWith(AURA_C_COMPONENT)) { | ||
| detectSecretsInAuraComponent(htmlElement, data); | ||
| } | ||
|
|
||
| } | ||
|
|
||
| private void detectSecretsInAuraComponent(ASTHtmlElement component, Object data) { | ||
| List<Attribute> allAttrs=component.getAttributes(); | ||
| for (Attribute eachAttr: allAttrs) { | ||
| String attrName = eachAttr.getName(); | ||
| if (SecretsInPackageUtils.isAPotentialSecret(attrName)) { | ||
| this.asCtx(data).addViolationWithMessage(component, | ||
| String.format(AURA_HARDCODED_SECRET_VIOLATION, attrName)); | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
| private void detectSecretsInAuraAttrs(ASTHtmlElement nextAttr, Object data) { | ||
| String attrName = nextAttr.getAttribute("name"); | ||
| String type = nextAttr.getAttribute("type"); | ||
| if (type!=null && //handles null pointer exception when type is not specified | ||
| (type.compareToIgnoreCase("string")!=0 && type.compareToIgnoreCase("list")!=0)) { | ||
| return; | ||
| } | ||
| String defaultValue = nextAttr.getAttribute("default"); | ||
| if (defaultValue==null || defaultValue.isEmpty()){ | ||
| return; | ||
| } | ||
| if (SecretsInPackageUtils.isAPotentialSecret(attrName)) { | ||
| this.asCtx(data).addViolationWithMessage(nextAttr, | ||
| String.format(AURA_HARDCODED_SECRET_VIOLATION, attrName)); | ||
| } | ||
| } | ||
| } |
15 changes: 15 additions & 0 deletions
15
...e/pmd-rules/src/main/java/com/salesforce/security/pmd/html/DetectUnescapedHtmlInAura.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| package com.salesforce.security.pmd.html; | ||
|
|
||
| import net.sourceforge.pmd.lang.html.ast.ASTHtmlElement; | ||
| import net.sourceforge.pmd.lang.html.rule.AbstractHtmlRule; | ||
|
|
||
| public class DetectUnescapedHtmlInAura extends AbstractHtmlRule { | ||
| @Override | ||
| @SuppressWarnings("unchecked") | ||
| public Object visit(ASTHtmlElement node, Object data) { | ||
| if (node.getNodeName().equalsIgnoreCase("aura:unescapedHtml")) { | ||
| this.asCtx(data).addViolation(node); // Message is defined in sfca/rulesets/AppExchange_html.xml file | ||
| } | ||
| return super.visit(node, data); | ||
| } | ||
| } |
104 changes: 104 additions & 0 deletions
104
...gine/pmd-rules/src/main/java/com/salesforce/security/pmd/utils/SecretsInPackageUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| package com.salesforce.security.pmd.utils; | ||
|
|
||
| import java.util.List; | ||
|
|
||
| public class SecretsInPackageUtils { | ||
| private static final List<String> PRIVACY_FIELD_MAPPINGS_LIST = List.of( | ||
| "SSN", | ||
| "SOCIALSECURITY", | ||
| "SOCIAL_SECURITY", | ||
| "NATIONALID", | ||
| "NATIONAL_ID", | ||
| "NATIONAL_IDENTIFIER", | ||
| "NATIONALIDENTIFIER", | ||
| "DRIVERSLICENSE", | ||
| "DRIVERS_LICENSE", | ||
| "DRIVER_LICENSE", | ||
| "DRIVERLICENSE", | ||
| "PASSPORT", | ||
| "AADHAAR", | ||
| "AADHAR" //More? | ||
| ); | ||
|
|
||
| private static final List<String> AUTH_FIELD_MAPPINGS_LIST = List.of( | ||
| "KEY", // potentially high false +ve rate | ||
| "ACCESS", | ||
| "PASS", | ||
| "ENCRYPT", | ||
| "TOKEN", | ||
| "HASH", | ||
| "SECRET", | ||
| "SIGNATURE", | ||
| "SIGN", | ||
| "AUTH", //AUTHORIZATION,AUTHENTICATION,AUTHENTICATE,OAUTH | ||
| "AUTHORIZATION", | ||
| "AUTHENTICATION", | ||
| "AUTHENTICATE", | ||
| "BEARER", | ||
| "CRED", //cred, credential(s), | ||
| "REFRESH", // | ||
| "CERT", | ||
| "PRIVATE", | ||
| "PUBLIC", | ||
| "JWT" | ||
| ); | ||
|
|
||
| private static final List<String> POTENTIAL_SECERT_VARS_LIST = List.of( | ||
| "APIKEY", | ||
| "API_KEY", | ||
| "API-KEY", | ||
| "PASSWORD", | ||
| "PASSWD", | ||
| "ENCRYPT", | ||
| "TOKEN", | ||
| "HASH", | ||
| "SECRET", | ||
| "SIGNATURE", | ||
| "AUTHN", | ||
| "AUTHZ", | ||
| "OAUTH", | ||
| "AUTHORIZATION", | ||
| "AUTHENTICATION", | ||
| "AUTHENTICATE", | ||
| "BEARER", | ||
| "CREDS", //cred - has too many false +ve hits, credential(s), | ||
| "CREDENTIAL", | ||
| "REFRESHTOKEN", | ||
| "REFRESH_TOKEN", | ||
| "CERT", | ||
| "PRIVATE", | ||
| "SYMMETRICKEY", | ||
| "SYMMETRIC_KEY", | ||
| "ASYMMETRIC_KEY", | ||
| "ASYMMETRICKEY", | ||
| "JWT", | ||
| "SALT", | ||
| "COOKIE", | ||
| "SESSIONID", | ||
| "SESSION_ID", | ||
| "CREDITCARD", | ||
| "CREDIT_CARD" | ||
| ); | ||
|
|
||
| private static boolean isAPartialMatchInList(String inputStr, List<String> listOfStrings) { | ||
| String inputStrUpper = inputStr.toUpperCase(); | ||
| for (String eachStr : listOfStrings) { | ||
| if (inputStrUpper.contains(eachStr)) { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| public static boolean isAnAuthTokenField(String fieldName) { | ||
| return isAPartialMatchInList(fieldName.toUpperCase(), AUTH_FIELD_MAPPINGS_LIST); | ||
| } | ||
|
|
||
| public static boolean isAnInsecurePrivacyField(String fieldName) { | ||
| return isAPartialMatchInList(fieldName.toUpperCase(), PRIVACY_FIELD_MAPPINGS_LIST); | ||
| } | ||
|
|
||
| public static boolean isAPotentialSecret(String attrName) { | ||
| return isAPartialMatchInList(attrName, POTENTIAL_SECERT_VARS_LIST ); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
45 changes: 45 additions & 0 deletions
45
.../code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_html.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <ruleset name="AppExchange_html" | ||
| xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd"> | ||
| <description>AppExchange Security Rules for HTML Language</description> | ||
|
|
||
|
|
||
| <rule name="AvoidHardCodedCredentialsInAura" | ||
| language="html" | ||
| class="com.salesforce.security.pmd.html.DetectHardCodedCredentialsInAura" | ||
| message="Detected use of hard coded credentials in Aura component" | ||
| externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidhardcodedcredentialsinaura"> | ||
| <description>Detects use of hard coded credentials in Aura components.</description> | ||
| <priority>2</priority> | ||
| </rule> | ||
|
|
||
|
|
||
| <rule name="AvoidUnescapedHtmlInAura" | ||
| language="html" | ||
| class="com.salesforce.security.pmd.html.DetectUnescapedHtmlInAura" | ||
| message="Detected use of aura:unescapedHtml" | ||
| externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#avoidunescapedhtmlinaura"> | ||
| <description>Detects use of aura:unescapedHtml,which should be used cautiously. Developers should ensure that the unescapedHtml should not use tainted input to protect against XSS.</description> | ||
| <priority>2</priority> | ||
| </rule> | ||
|
|
||
|
|
||
| <rule name="DetectUseLwcDomManual" | ||
| language="html" | ||
| class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" | ||
| message="Protect against XSS when using lwc:dom="manual"." | ||
| externalInfoUrl="https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/rules-pmd-appexchange.html#detectuselwcdommanual"> | ||
| <description>Detects instances of lwc:dom="manual" that could allow unintentional or malicious user input. Don't allow user input on these elements.</description> | ||
| <priority>3</priority> | ||
| <properties> | ||
| <property name="xpath"> | ||
| <value><![CDATA[ | ||
| //*[@*[local-name()="lwc:dom" and .="manual"]] | ||
| ]]></value> | ||
| </property> | ||
| </properties> | ||
| </rule> | ||
|
|
||
| </ruleset> |
Oops, something went wrong.