Semgrep validation

adelinowona · adelinowona · commit 07b209f987c4 · 2025-05-30T16:35:15.000-04:00
diff --git a/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs b/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs
@@ -0,0 +1,62 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace MongoDB.Driver.Encryption
+{
+    /// <summary>
+    ///
+    /// </summary>
+    public static class VulnerableCryptography
+    {
+        // Weak hashing - Semgrep should flag
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="password"></param>
+        /// <returns></returns>
+        public static string HashPassword(string password)
+        {
+            using (var md5 = MD5.Create()) // VULNERABLE - MD5 is weak
+            {
+                var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
+                return Convert.ToBase64String(hash);
+            }
+        }
+
+        // Hardcoded encryption key - Semgrep should flag
+        private static readonly byte[] EncryptionKey = {
+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+            0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
+        };
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="data"></param>
+        /// <returns></returns>
+        public static byte[] EncryptData(byte[] data)
+        {
+            using (var aes = Aes.Create())
+            {
+                aes.Key = EncryptionKey; // VULNERABLE - hardcoded key
+                // ... encryption logic
+                return data; // simplified
+            }
+        }
+    }
+}
diff --git a/src/MongoDB.Driver/MongoClient.cs b/src/MongoDB.Driver/MongoClient.cs
@@ -751,4 +751,33 @@ private async Task<TResult> UsingImplicitSessionAsync<TResult>(Func<IClientSessi
             }
         }
     }
+
+    /// <summary>
+    ///
+    /// </summary>
+    public class VulnerableConnectionExample
+    {
+        // Hardcoded credentials
+        private const string DefaultConnectionString = "mongodb://admin:password123@prod-server:27017/sensitive_db";
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <returns></returns>
+        public MongoClient CreateClient()
+        {
+            return new MongoClient(DefaultConnectionString);
+        }
+
+        // Weak random session ID -
+        /// <summary>
+        ///
+        /// </summary>
+        /// <returns></returns>
+        public string GenerateSessionId()
+        {
+            var random = new Random(); // Cryptographically weak
+            return random.Next().ToString();
+        }
+    }
 }
diff --git a/src/MongoDB.Driver/VulnerableNullHandling.cs b/src/MongoDB.Driver/VulnerableNullHandling.cs
@@ -0,0 +1,52 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+using System;
+using System.Collections.Generic;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+    /// <summary>
+    ///
+    /// </summary>
+    public class VulnerableNullHandling
+    {
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="document"></param>
+        /// <returns></returns>
+        public string ProcessDocument(BsonDocument document)
+        {
+            // Remove null checks - Semgrep should flag potential null reference
+            var name = document["name"].AsString; // Could be null
+            return name.ToUpper(); // VULNERABLE - potential null reference
+        }
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="documents"></param>
+        public void ProcessCollection(List<BsonDocument> documents)
+        {
+            // Missing null check on collection
+            foreach (var doc in documents) // VULNERABLE if documents is null
+            {
+                Console.WriteLine(doc["_id"]);
+            }
+        }
+    }
+}
diff --git a/src/MongoDB.Driver/VulnerableQuery.cs b/src/MongoDB.Driver/VulnerableQuery.cs
@@ -0,0 +1,64 @@
+/* Copyright 2010-present MongoDB Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+    /// <summary>
+    ///
+    /// </summary>
+    public class VulnerableQueryBuilder
+    {
+        private readonly IMongoCollection<BsonDocument> _collection;
+
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="collection"></param>
+        public VulnerableQueryBuilder(IMongoCollection<BsonDocument> collection)
+        {
+            _collection = collection;
+        }
+
+        // Vulnerable: String concatenation in query - Semgrep should flag
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="username"></param>
+        /// <returns></returns>
+        public async Task<List<BsonDocument>> FindUserByName(string username)
+        {
+            var queryJson = "{ 'username': '" + username + "' }"; // VULNERABLE
+            var filter = BsonDocument.Parse(queryJson);
+            return await _collection.Find(filter).ToListAsync().ConfigureAwait(false);
+        }
+
+        // Another injection pattern
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="field"></param>
+        /// <param name="value"></param>
+        /// <returns></returns>
+        public async Task<BsonDocument> FindByDynamicField(string field, string value)
+        {
+            var query = $"{{ {field}: '{value}' }}"; // VULNERABLE
+            return await _collection.Find(BsonDocument.Parse(query)).FirstOrDefaultAsync().ConfigureAwait(false);
+        }
+    }
+}
