Merge branch 'master' into rule/add-RSPEC-S7192

SonarSource · Feb 7, 2025 · 33e4264 · 33e4264
2 parents 9be020f + d9e2903
commit 33e4264
Show file tree

Hide file tree

Showing 23 changed files with 611 additions and 33 deletions.
diff --git a/rspec-tools/rspec_tools/coverage.py b/rspec-tools/rspec_tools/coverage.py
@@ -18,7 +18,7 @@
   'sonar-dataflow-bug-detection',
   'sonar-dotnet-enterprise',
   'sonar-flex',
-  'sonar-go',
+  'sonar-go-enterprise',
   'sonar-html',
   'sonar-iac-enterprise',
   'sonar-java',
@@ -27,7 +27,7 @@
   'sonar-php',
   'sonar-pli',
   'sonar-plsql',
-  'sonar-python',
+  'sonar-python-enterprise',
   'sonar-rpg',
   'sonar-ruby',
   'sonar-scala',

diff --git a/rspec-tools/rspec_tools/utils.py b/rspec-tools/rspec_tools/utils.py
@@ -19,7 +19,7 @@
                  'dart': 'dart',
                  'docker': 'iac',
                  'flex': 'flex',
-                 'go': 'slang',
+                 'go': 'go',
                  'html': 'html',
                  'java': 'java',
                  'javascript': 'jsts',

diff --git a/rules/S2053/go/metadata.json b/rules/S2053/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S2053/go/rule.adoc b/rules/S2053/go/rule.adoc
@@ -0,0 +1,71 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+include::../exceptions.adoc[]
+
+// How to fix it section
+
+== How to fix it
+
+=== Code examples
+
+include::../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import (
+    "crypto/sha256"
+    "golang.org/x/crypto/pbkdf2"
+)
+
+func example(password []byte) {
+    pbkdf2.Key(password, []byte("fixedSalt"), 4096, 32, sha256.New) // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import (
+    "crypto/rand"
+    "crypto/sha256"
+    "golang.org/x/crypto/pbkdf2"
+)
+
+func example(password []byte) {
+    randomSalt := make([]byte, 32)
+    rand.Read(randomSalt)
+    pbkdf2.Key(password, randomSalt, 4096, 32, sha256.New)
+}
+----
+
+=== How does this work?
+
+include::../common/fix/salt.adoc[]
+
+Here, the compliant code example ensures the salt is random and has a sufficient
+length by calling the `crypto.rand.Read` function. This function internally
+uses a cryptographically secure pseudo-random number generator.
+
+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S4036/go/rule.adoc b/rules/S4036/go/rule.adoc
@@ -15,7 +15,7 @@ out, _ := exec.Command("ls").CombinedOutput() // Sensitive
 
 [source,go]
 ----
-out, _ := exec.Command("/bin/ls").CombinedOutput() // Compliant
+out, _ := exec.Command("/bin/ls").CombinedOutput()
 ----
 
 include::../see.adoc[]

diff --git a/rules/S4487/csharp/rule.adoc b/rules/S4487/csharp/rule.adoc
@@ -13,13 +13,13 @@ public class Rectangle
   {
     this.length = length;
     this.width = width;
-  }
+  } 
 
   public int Surface
   {
     get
     {
-      return length * width;
+      return length * length;
     }
   }
 }
@@ -56,4 +56,4 @@ public class Rectangle
 
 * CWE - https://cwe.mitre.org/data/definitions/563[CWE-563 - Assignment to Variable without Use ('Unused Variable')]
 
-include::../rspecator.adoc[]
+include::../rspecator.adoc[]
diff --git a/rules/S4507/python/rule.adoc b/rules/S4507/python/rule.adoc
@@ -28,6 +28,7 @@ DEBUG = True  # Sensitive
 DEBUG_PROPAGATE_EXCEPTIONS = True  # Sensitive
 ----
 
+
 Flask application startup:
 
 [source,python,diff-id=3,diff-type=noncompliant]
@@ -39,6 +40,25 @@ app.debug = True  # Sensitive
 app.run(debug=True)  # Sensitive
 ----
 
+The following code defines a GraphQL endpoint with GraphiQL enabled. While this might be a useful configuration during development, it should never be enabled for applications deployed in production:
+
+[source,python,diff-id=4,diff-type=noncompliant]
+----
+from flask import Flask
+from graphql_server.flask import GraphQLView
+
+app = Flask(__name__)
+
+app.add_url_rule(
+    '/graphql',
+    view_func=GraphQLView.as_view(
+        'graphql',
+        schema=schema,
+        graphiql=True # Sensitive
+    )
+)
+----
+
 == Compliant Solution
 
 [source,python,diff-id=1,diff-type=compliant]
@@ -67,6 +87,22 @@ app.debug = False
 app.run(debug=False)
 ----
 
+[source,python,diff-id=4,diff-type=compliant]
+----
+from flask import Flask
+from graphql_server.flask import GraphQLView
+
+app = Flask(__name__)
+
+app.add_url_rule(
+    '/graphql',
+    view_func=GraphQLView.as_view(
+        'graphql',
+        schema=schema
+    )
+)
+----
+
 include::../see.adoc[]
 
 ifdef::env-github,rspecator-view[]

diff --git a/rules/S5144/python/how-to-fix-it/aiohttp.adoc b/rules/S5144/python/how-to-fix-it/aiohttp.adoc
@@ -0,0 +1,50 @@
+== How to fix it in aiohttp
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,python,diff-id=31,diff-type=noncompliant]
+----
+from fastapi import FastAPI
+import aiohttp
+
+app = FastAPI()
+@app.get('/example')
+async def example(url: str):
+    async with aiohttp.request('GET', url) as response: # Noncompliant
+        return {"response": await response.text()}
+----
+
+==== Compliant solution
+
+[source,python,diff-id=31,diff-type=compliant]
+----
+from fastapi import FastAPI
+from fastapi.responses import JSONResponse
+import aiohttp
+from urllib.parse import urlparse
+
+DOMAINS_ALLOWLIST = ['trusted1.example.com', 'trusted2.example.com'];
+app = FastAPI()
+
+@app.get('/example')
+async def example(url: str):
+    if urlparse(url).hostname not in DOMAINS_ALLOWLIST:
+        return JSONResponse({"error": f"URL {url} is not whitelisted."}, 400)
+
+    async with aiohttp.request('GET', url.unicode_string()) as response:
+        return {"response": await response.text()}
+----
+
+=== How does this work?
+
+include::../../common/fix/pre-approved-list.adoc[]
+
+The compliant code example uses such an approach.
+
+=== Pitfalls
+
+include::../../common/pitfalls/starts-with.adoc[]
diff --git a/rules/S5144/python/rule.adoc b/rules/S5144/python/rule.adoc
@@ -10,6 +10,8 @@ include::how-to-fix-it/python.adoc[]
 
 include::how-to-fix-it/requests.adoc[]
 
+include::how-to-fix-it/aiohttp.adoc[]
+
 include::how-to-fix-it/httpx.adoc[]
 
 == Resources

diff --git a/rules/S5443/go/metadata.json b/rules/S5443/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S5443/go/rule.adoc b/rules/S5443/go/rule.adoc
@@ -0,0 +1,65 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+Examples of sensitive file creation:
+
+[source,go]
+----
+file, _ = os.Create("/tmp/tempfile.txt") // Sensitive
+
+file, _ = os.Create(os.TempDir()+"/tempfile.txt") // Sensitive
+
+file, _ := os.OpenFile("/tmp/tempfile.txt", os.O_CREATE, 0755) // Sensitive
+
+os.WriteFile("/tmp/tempfile.txt", []byte{"sensitive"}, 0755)  // Sensitive
+----
+
+Example of sensitive directory creation:
+
+[source,go]
+----
+tempdir := "/tmp/tempdir/"
+os.Mkdir(tempdir, 0755)  // Sensitive
+file, _ := os.Create("/tmp/tempdir/tempfile.txt")
+----
+
+== Compliant Solution
+
+Compliant temporary file creation:
+
+[source,go]
+----
+file, _ := os.CreateTemp("", "example-pattern")
+----
+
+Compliant temporary directory creation:
+
+[source,go]
+----
+dir, _ := os.MkdirTemp("", "example-directory")
+filename := filepath.Join(dir, "tempfile.txt")
+file, _ := os.Create(filename)
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S5542/go/metadata.json b/rules/S5542/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}