Merge pull request #3591 from semgrep/merge-develop-to-release

Merge Develop into Release

Author: LewisArdern

javascript/browser/security/wildcard-postmessage-configuration.js

@@ -1,11 +1,21 @@
 let data={pName : "Bob", pAge: "35"};
 var popup = window.open(/* popup details */);
+const transfer = new Uint8Array(1024 * 1024 * 8).map((v, i) => i);
+const targetOrigin = "https://example.com"
 
 //ruleid:wildcard-postmessage-configuration
 popup.postMessage(data, '*');
 //ruleid:wildcard-postmessage-configuration
 popup.postMessage( JSON.stringify( data ), '*' );
+//ruleid:wildcard-postmessage-configuration
+window.top?.postMessage("data", "*", [
+    transfer,
+]);
 
 //postMessage Safe Usage
+//ok:wildcard-postmessage-configuration
 popup.postMessage("hello there!", "http://domain.tld");
+//ok:wildcard-postmessage-configuration
 popup.postMessage( JSON.stringify( data ), 'semgrep.dev/editor');
+//ok:wildcard-postmessage-configuration
+popup.postMessage( data, targetOrigin, transfer);

javascript/browser/security/wildcard-postmessage-configuration.yaml

@@ -22,4 +22,4 @@ rules:
   - javascript
   - typescript
   severity: WARNING
-  pattern: $OBJECT.postMessage(...,'*')
+  pattern: $OBJECT.postMessage(...,'*',...)

php/lang/security/md5-loose-equality.yaml

@@ -35,7 +35,7 @@ rules:
     - 'CWE-697: Incorrect Comparison'
     references:
     - https://www.php.net/manual/en/types.comparisons.php
-    - https://www.whitehatsec.com/blog/magic-hashes/
+    - https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/
     category: security
     technology:
     - php

python/jwt/security/jwt-hardcode.yaml

@@ -24,9 +24,6 @@ rules:
     confidence: HIGH
   patterns:
   - pattern: |
-      jwt.encode($X, $SECRET, ...)
-  - focus-metavariable: $SECRET
-  - pattern: |
-      "..."
+      jwt.encode($_, "...", ...)
   languages: [python]
   severity: ERROR

ruby/rails/security/audit/avoid-logging-everything.rb

@@ -0,0 +1,77 @@
+# ruleid:avoid-logging-everything
+Rails.logger.info(params)
+
+# ruleid:avoid-logging-everything
+Rails.logger.info(params.inspect)
+
+# ruleid:avoid-logging-everything
+Rails.logger.info "my private info :)! #{params}"
+
+# ruleid:avoid-logging-everything
+Rails.logger.info "my private info :)! #{params.inspect}"
+
+# ruleid:avoid-logging-everything
+Rails.logger.info do
+  params
+end
+
+# ruleid:avoid-logging-everything
+Rails.logger.info do
+  params.inspect
+end
+
+# ruleid:avoid-logging-everything
+Rails.logger.info do
+  "my private info :)! #{params}"
+end
+
+# ruleid:avoid-logging-everything
+Rails.logger.info do
+  "my private info :)! #{params.inspect}"
+end
+
+# ruleid:avoid-logging-everything
+Rails.logger.info do
+  params
+end
+
+# ok:avoid-logging-everything
+Rails.logger.info("some static string")
+
+# ok:avoid-logging-everything
+Rails.logger.info(something_that_isnt_params)
+
+# ok:avoid-logging-everything
+Rails.logger.info(params[:a_specific_parameter])
+
+# ok:avoid-logging-everything
+Rails.logger.info("#{params[:a_specific_parameter]}")
+
+# ok:avoid-logging-everything
+Rails.logger.info("not sensitive :( #{params[:a_specific_parameter]}")
+
+# ok:avoid-logging-everything
+Rails.logger.info do
+  "#{not_params} #{still_not_params.inspect} #{params[:test]}"
+end
+
+# ok:avoid-logging-everything
+Rails.logger.info do
+  params[:test]
+end
+
+# ok:avoid-logging-everything
+Rails.logger.debug("go wild #{params} #{params.inspect}")
+
+# ok:avoid-logging-everything
+Rails.logger.debug(params)
+
+# ok:avoid-logging-everything
+Rails.logger.debug do 
+  params
+end
+
+# ok:avoid-logging-everything
+Rails.logger.debug do 
+  params.inspect
+end

ruby/rails/security/audit/avoid-logging-everything.yaml

@@ -0,0 +1,52 @@
+rules:
+- id: avoid-logging-everything
+  languages: [ruby]
+  severity: ERROR
+  message: Avoid logging `params` and `params.inspect` as this bypasses Rails filter_parameters and may inadvertently log sensitive data. Instead, reference specific fields to ensure only expected data is logged.
+  metadata:
+    category: security
+    technology:
+      - rails
+    references:
+      - https://guides.rubyonrails.org/configuring.html#config-filter-parameters
+      - https://api.rubyonrails.org/v7.1/classes/ActiveSupport/ParameterFilter.html
+    cwe: 
+    - 'CWE-532: Insertion of Sensitive Information into Log File'
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: LOW
+    subcategory:
+      - audit
+  patterns:
+    - pattern-either:
+      - pattern: Rails.logger.$METHOD(params)
+      - pattern: Rails.logger.$METHOD("...#{params}...")
+      - pattern: Rails.logger.$METHOD(params.inspect)
+      - pattern: Rails.logger.$METHOD("...#{params.inspect}...")
+      - pattern: |
+          Rails.logger.$METHOD do
+            "...#{params}..."
+          end
+      - pattern: |
+          Rails.logger.$METHOD do
+            "...#{params.inspect}..."
+          end
+      - pattern: |
+          Rails.logger.$METHOD do
+            params
+          end
+      - pattern: |
+          Rails.logger.$METHOD do
+            params.inspect
+          end
+    - pattern-not: |
+        Rails.logger.$METHOD do
+          params[...]
+        end
+    - pattern-not: |
+        Rails.logger.$METHOD do
+          "#{params.inspect[...]}"
+        end
+    - metavariable-regex:
+        metavariable: $METHOD
+        regex: (info|warn|error|fatal|unknown)