Merge Develop into Release (#3594)

* Improve `insecure-load-balancer-tls-version` AWS rule (#3584)

Add support for `ELBSecurityPolicy-TLS13-1-2-Res-2021-06`, which is the
most secure TLS 1.2+ policy that AWS ALBs offer. Recommend it as the preferred
fix for rule failures.

`ELBSecurityPolicy-TLS13-1-2-Res-2021-06` removes the following (insecure)
cipher suites as compared to `ELBSecurityPolicy-TLS13-1-2-2021-06` because
they are CBC-based instead of GCM-based:

- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html#tls-security-policies

Also, improve/clean-up related test.

Co-authored-by: Vasilii Ermilov <[email protected]>

* Add subprocess-list-passed-as-string for Python (#3579)

* Add subprocess-list-passed-as-string for Python

subprocess.run and similar takes either a string or a sequence. Some calling code has a sequence, but converts it to string themselves. This is both unnecessary and insecure, as it removes the distinction between arguments. I.e. if arguments contain spaces or quotes this gives the wrong result.

* Update subprocess-list-passed-as-string.yaml

* Rename python/lang/security/subprocess-list-passed-as-string.py to python/lang/security/audit/subprocess-list-passed-as-string.py

* Rename python/lang/security/subprocess-list-passed-as-string.yaml to python/lang/security/audit/subprocess-list-passed-as-string.yaml

---------

Co-authored-by: Vasilii Ermilov <[email protected]>
Co-authored-by: Vasilii Ermilov <[email protected]>

* bump Ubuntu version in Github actions (#3593)

* bump Ubuntu version in Github actions

* bump setup-python version

* bump python versions in Github actions

* bump python versions in Github actions

---------

Co-authored-by: Reed Loden <[email protected]>
Co-authored-by: Vasilii Ermilov <[email protected]>
Co-authored-by: Sjoerd Langkemper <[email protected]>
Co-authored-by: Vasilii Ermilov <[email protected]>

Author: 4 people

.github/workflows/semgrep-rule-lints.yaml

@@ -7,13 +7,13 @@ on:
 
 jobs:
   semgrep:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     name: semgrep-rule-lints
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
-          python-version: 3.9.2
+          python-version: '3.10'
       - name: install semgrep
         run: pip3 install semgrep
       - name: lints for semgrep rules

.github/workflows/semgrep-rules-test-develop.yml

@@ -16,7 +16,7 @@ jobs:
     name: rules-test-develop
     # alt: use directly the semgrep/semgrep:pro-develop container here so we
     # don't need the calls to 'docker run ...' below
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     # TODO: remove the with: path: below to simplify
     steps:
     - uses: actions/checkout@v2

.github/workflows/semgrep-rules-test-historical.yml

@@ -11,15 +11,15 @@ on:
 jobs:
   test-historical:
     name: rules-test-historical
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
         with:
           path: semgrep-rules
           fetch-depth: 0
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
-          python-version: 3.9.2
+          python-version: '3.10'
       - name: Find merge base with develop
         id: merge_base
         run: echo "BASE_COMMIT=$(git -C semgrep-rules merge-base origin/develop HEAD)" >> $GITHUB_ENV

.github/workflows/semgrep-rules-test.yml

@@ -11,12 +11,12 @@ on:
 jobs:
   test-latest:
     name: rules-test-latest
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v5
       with:
-        python-version: 3.9.2
+        python-version: '3.10'
     - name: install semgrep via pip
       run: pip3 install semgrep
     - name: remove stats directory

.github/workflows/trigger-pro-benchmark-scan.yaml

@@ -11,7 +11,7 @@ jobs:
     # do not run automatically if rule is posted from the playground (can still be started manually)
     # PRs posted by first time contributors already need approval as well
     if: github.actor != 'semgrep-dev-pr-bot'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - id: trigger-run
         name: Trigger semgrep-rules-pro benchmarking argo workflow on PR/push to develop or release

.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml

@@ -11,7 +11,7 @@ jobs:
     # do not run automatically if rule is posted from the playground (can still be started manually)
     # PRs posted by first time contributors already need approval as well
     if: github.actor != 'semgrep-dev-pr-bot'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
         with:

.github/workflows/validate-r2c-registry-metadata.yaml

@@ -15,7 +15,7 @@ jobs:
   validate-metadata:
     if: github.repository == 'semgrep/semgrep-rules'
     name: Validate r2c registry metadata
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
         with:
@@ -32,9 +32,9 @@ jobs:
           CHANGED_FILES: ${{ steps.changed-files.outputs.CHANGED_FILES }}
         name: debugging step - print changed files
         run: echo $CHANGED_FILES
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
-          python-version: 3.9.2
+          python-version: '3.10'
       - name: install deps
         run: pip install jsonschema pyyaml
       - name: validate metadata

python/lang/security/audit/subprocess-list-passed-as-string.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from sys import argv
+import subprocess
+
+# ruleid: subprocess-list-passed-as-string
+subprocess.run(" ".join(["snakemake", "-R", "`snakemake --list-params-changes`"] + argv[1:]), shell=True)
+
+# ok: subprocess-list-passed-as-string
+subprocess.run(["snakemake", "-R", "`snakemake --list-params-changes`"] + argv[1:], shell=True)

python/lang/security/audit/subprocess-list-passed-as-string.yaml

@@ -0,0 +1,42 @@
+rules:
+- id: subprocess-list-passed-as-string
+  languages: [python]
+  severity: WARNING
+  message: >-
+    Detected `" ".join(...)` being passed to `subprocess.run`. This can lead to
+    argument splitting issues and potential security vulnerabilities. Instead, pass
+    the list directly to `subprocess.run` to preserve argument separation.
+  mode: taint
+  pattern-sources:
+    - pattern: |
+        " ".join($LIST)
+  pattern-sinks:
+    - patterns:
+      - pattern: subprocess.run($ARGS, ...)
+      - focus-metavariable: $ARGS
+    - patterns:
+      - pattern: subprocess.Popen($ARGS, ...)
+      - focus-metavariable: $ARGS
+    - patterns:
+      - pattern: subprocess.call($ARGS, ...)
+      - focus-metavariable: $ARGS
+    - patterns:
+      - pattern: subprocess.check_call($ARGS, ...)
+      - focus-metavariable: $ARGS
+    - patterns:
+      - pattern: subprocess.check_output($ARGS, ...)
+      - focus-metavariable: $ARGS
+  metadata:
+    category: security
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    references:
+      - "https://docs.python.org/3/library/subprocess.html#frequently-used-arguments"
+    owasp:
+    - A03:2021 - Injection
+    technology:
+    - python
+    confidence: LOW
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH

terraform/aws/security/insecure-load-balancer-tls-version.tf

@@ -137,6 +137,48 @@ resource "aws_alb_listener" "https_fs_1_2" {
   }
 }
 
+resource "aws_alb_listener" "tls_1_3_1_2" {
+  load_balancer_arn = var.aws_lb_arn
+  protocol          = "TLS"
+  port              = "8080"
+  # ok: insecure-load-balancer-tls-version
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = var.aws_lb_target_group_arn
+  }
+}
+
+resource "aws_alb_listener" "tls_1_3_1_2_res" {
+  load_balancer_arn = var.aws_lb_arn
+  protocol          = "TLS"
+  port              = "8080"
+  # ok: insecure-load-balancer-tls-version
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = var.aws_lb_target_group_arn
+  }
+}
+
+resource "aws_alb_listener" "tls_1_3_1_3" {
+  load_balancer_arn = var.aws_lb_arn
+  protocol          = "TLS"
+  port              = "8080"
+  # ok: insecure-load-balancer-tls-version
+  ssl_policy        = "ELBSecurityPolicy-TLS13-1-3-2021-06"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = var.aws_lb_target_group_arn
+  }
+}
+
 resource "aws_lb_target_group" "foo" {
     name = "foo"
     port = 80
@@ -207,12 +249,12 @@ resource "aws_alb_listener" "tls_fs_1_1" {
   }
 }
 
-resource "aws_alb_listener" "tls_1_3" {
+resource "aws_alb_listener" "tls_fs_1_0" {
   load_balancer_arn = var.aws_lb_arn
   protocol          = "TLS"
   port              = "8080"
-  # ok: insecure-load-balancer-tls-version
-  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-068"
+  # ruleid: insecure-load-balancer-tls-version
+  ssl_policy        = "ELBSecurityPolicy-FS-2018-06"
   certificate_arn   = var.certificate_arn
 
   default_action {