Merge branch 'master' into rule/S7131-add-vbnet

SonarSource · Nov 15, 2024 · ac66c1e · ac66c1e
2 parents b1cdd74 + 3fca2aa
commit ac66c1e
Show file tree

Hide file tree

Showing 27 changed files with 828 additions and 5 deletions.
diff --git a/rules/S6762/secrets/rule.adoc b/rules/S6762/secrets/rule.adoc
@@ -10,13 +10,11 @@ If an attacker gains access to a Grafana personal access token or Granafa Cloud
 
 Depending on the permissions given to the secret, the impact might range from the compromise of the data of some dashboards to a full takeover of the Grafana environment.  
 
-include::../../../shared_content/secrets/impact/data_compromise.adoc[]
-
-==== Application takeover
+:service_name: Grafana
 
-With control over the Grafana application, the attacker can modify dashboards, alter data sources, or inject malicious code. This can result in the manipulation of displayed data, misleading visualizations, or even the introduction of backdoors for further exploitation.
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
 
-The attacker may even attempt to escalate their privileges within the Grafana environment. By gaining administrative access or higher-level permissions, they can perform more significant actions, such as modifying access controls, adding or deleting users, or changing system configurations.
+include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
 
 == How to fix it
 

diff --git a/rules/S7133/csharp/metadata.json b/rules/S7133/csharp/metadata.json
@@ -0,0 +1,23 @@
+{
+  "title": "Locks should be released within the same method",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7133",
+  "sqKey": "S7133",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "targeted",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}
diff --git a/rules/S7133/csharp/rule.adoc b/rules/S7133/csharp/rule.adoc
@@ -0,0 +1,78 @@
+This rule raises if you acquire a lock with one of the following methods, and do not release it within the same method.
+
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirereaderlock[ReaderWriterLock.AcquireReaderLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock.acquirewriterlock[ReaderWriterLock.AcquireWriterLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterreadlock[ReaderWriterLockSlim.EnterReadLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterupgradeablereadlock[ReaderWriterLockSlim.EnterUpgradeableReadLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterreadlock[ReaderWriterLockSlim.TryEnterReadLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterupgradeablereadlock[ReaderWriterLockSlim.TryEnterUpgradeableReadLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.enterwritelock[ReaderWriterLockSlim.EnterWriteLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim.tryenterwritelock[ReaderWriterLockSlim.TryEnterWriteLock]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.spinlock.enter[SpinLock.Enter]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.spinlock.tryenter[SpinLock.TryEnter]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.monitor.enter[Monitor.Enter]
+* https://learn.microsoft.com/en-us/dotnet/api/system.threading.monitor.tryenter[Monitor.TryEnter]
+
+
+
+== Why is this an issue?
+
+Not releasing a lock in the same method where you acquire it, and releasing in another one, makes the code less clear and harder to maintain. You are also introducing the risk of not releasing a lock at all which can lead to deadlocks or exceptions.
+
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+public class Example
+{
+    private static ReaderWriterLock rwLock = new();
+
+    public void AcquireWriterLock() =>
+        rwLock.AcquireWriterLock(2000);  // Noncompliant, as the lock release is on the callers responsibilty
+
+    public void DoSomething() 
+    {
+        // ...
+    }
+
+    public void ReleaseWriterLock() => 
+        rwLock.ReleaseWriterLock();
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+public class Example
+{
+    private static ReaderWriterLock rwLock = new();
+
+    public void DoSomething()
+    {
+        rwLock.AcquireWriterLock(2000); // Compliant, locks are released in the same method
+        try
+        {
+            // ...
+        }
+        finally 
+        {
+            rwLock.ReleaseWriterLock();
+        }
+    }
+}
+----
+
+== Resources
+
+=== Documentation
+
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlock[ReaderWriterLock Class]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.readerwriterlockslim[ReaderWriterLockSlim Classs]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.spinlock[SpinLock Struct]
+* Microsoft Learn - https://learn.microsoft.com/en-us/dotnet/api/system.threading.monitor[Monitor Classs]
+
+include::../rspecator.adoc[]
diff --git a/rules/S7133/message.adoc b/rules/S7133/message.adoc
@@ -0,0 +1,4 @@
+=== Message
+
+You should release this lock in the same method.
+
diff --git a/rules/S7133/metadata.json b/rules/S7133/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7133/rspecator.adoc b/rules/S7133/rspecator.adoc
@@ -0,0 +1,9 @@
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S7161/metadata.json b/rules/S7161/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7161/secrets/metadata.json b/rules/S7161/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Tableau secrets should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7161",
+  "sqKey": "S7161",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7161/secrets/rule.adoc b/rules/S7161/secrets/rule.adoc
@@ -0,0 +1,46 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Tableau secrets scopes depend on the type of secret. From the most impactful to
+the least:
+
+1. Account passwords
+2. Personal access tokens (PAT)
+3. "Credentials token", received after a SignIn request
+
+Their scopes vary in terms of lifetime, access, and privileges.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: secret
+:service_name: Tableau
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: FMWBZfscS96flnAPXVY06w|QQsOzThG6hqNvZcd6OPIpZs88lgcYTcb|77bfee95-c689-4fd1-a7e0-2cf050adbbb2
+:example_name: tableau-auth
+:example_env: TABLEAU_AUTH
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
diff --git a/rules/S7162/metadata.json b/rules/S7162/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7162/secrets/metadata.json b/rules/S7162/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "Dropbox OAuth tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-7162",
+  "sqKey": "S7162",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S7162/secrets/rule.adoc b/rules/S7162/secrets/rule.adoc
@@ -0,0 +1,66 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: OAuth token
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+// When using predefined content, search for any required variables to be set and include them in this file.
+// Not adding them will not trigger warnings.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+props.set("dropbox.oauth_token", "sl.B9Ew3GkQCY7vxNhzdGa6bjKf8lggUegupTReFL-dstIjsW8wsjb_7YOM2iZeMCINYAo0JSYIEN9z7MLonvtgSEed2RkTvJDLK1o90tAnsIjxbe3ePcBpXij_FsGQVip8eJ7mlgrQPqfe") // Noncompliant
+----
+
+[source,java,subs="attributes"]
+----
+props.set("dropbox.oauth_token", "rd3FHBwSz3DAAAAAAAAelHp8NrtNkXyIBTk6c-nNqWldG7Ro0fItdawO7ATguBmB") // Noncompliant
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+props.set("dropbox.oauth_token", userSettings.get("dropbox_oauth_token"))
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/rules/S7164/metadata.json b/rules/S7164/metadata.json
@@ -0,0 +1,2 @@
+{
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,4 @@
		=== Message

		You should release this lock in the same method.