diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..10ea144
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,51 @@
+name: Semgrep Security Scan
+
+on:
+ push:
+ branches: [ main, master, develop ]
+ pull_request:
+ branches: [ main, master, develop ]
+ schedule:
+ # Запуск каждый день в 00:00 UTC
+ - cron: '0 0 * * *'
+
+jobs:
+ semgrep:
+ name: Security Scan
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Semgrep with custom rules
+ uses: returntocorp/semgrep-action@v1
+ with:
+ config: .semgrep.yml
+ generateSarif: true
+
+ - name: Upload SARIF to GitHub Security
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
+
+ - name: Run Semgrep with OWASP rules
+ uses: returntocorp/semgrep-action@v1
+ with:
+ config: p/owasp-top-ten
+ generateSarif: true
+
+ - name: Save reports as artifacts
+ uses: actions/upload-artifact@v3
+ if: always()
+ with:
+ name: semgrep-reports
+ path: |
+ semgrep.sarif
+ *.sarif
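Review bot: The OWASP scan's results never reach code scanning, because "Upload SARIF to GitHub Security" runs before "Run Semgrep with OWASP rules" and both scan steps write the same `semgrep.sarif`, so the second scan overwrites the first and only the custom-rule SARIF is ever uploaded (the artifact step then archives only the OWASP one). The OWASP step also lacks `if: always()`, so when the custom rules report ERROR-severity findings and the action fails, the OWASP scan is skipped entirely — likely, given the action's default of failing on findings. Upload each scan's SARIF right after it with a distinct `category` so the two result sets coexist in the Security tab, and gate the second scan with `if: always()`. Since this workflow has `security-events: write`, consider pinning the third-party action references to a commit SHA rather than a mutable tag.

```yaml
      # … unchanged: "Run Semgrep with custom rules" step …

      - name: Upload custom-rule SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: semgrep.sarif
          category: semgrep-custom

      - name: Run Semgrep with OWASP rules
        if: always()
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/owasp-top-ten
          generateSarif: true

      - name: Upload OWASP SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: semgrep.sarif
          category: semgrep-owasp

      # … unchanged: "Save reports as artifacts" step …
```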
diff --git a/.semgrep-enhanced.yml b/.semgrep-enhanced.yml
new file mode 100644
index 0000000..162e66c
--- /dev/null
+++ b/.semgrep-enhanced.yml
@@ -0,0 +1,80 @@
+# Enhanced Semgrep config - combines custom rules with best community rules
+
+extends:
+ - p/owasp-top-ten
+ - p/security-audit
+
+rules:
+ # Custom rules for this specific project
+ - id: path-traversal-file-access
+ patterns:
+ - pattern-either:
+ - pattern: new File($BASE + $PATH)
+ - pattern: new File($PATH)
+ - pattern: Paths.get($PATH)
+ - pattern: new FileWriter($PATH)
+ - pattern: new FileOutputStream($PATH)
+ - pattern-not: new File("...")
+ - pattern-not: Paths.get("...")
+ message: Potential path traversal vulnerability. User input may allow access to arbitrary files.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-22"
+ owasp: "A01:2021 - Broken Access Control"
+ category: security
+
+ - id: xss-response-body
+ patterns:
+ - pattern-either:
+ - pattern: $CTX.result("..." + $USER_INPUT + "...")
+ - pattern: $CTX.result($USER_INPUT + "...")
+ - pattern: $CTX.result("..." + $USER_INPUT)
+ - pattern: $CTX.html($USER_INPUT)
+ - pattern-not: $CTX.result("...")
+ - pattern-not: $CTX.html("...")
+ message: Potential XSS vulnerability. User input rendered without sanitization.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-79"
+ owasp: "A03:2021 - Injection"
+ category: security
+
+ - id: information-disclosure-exception
+ pattern-either:
+ - pattern: $CTX.status(...).result($EX.getMessage())
+ - pattern: $CTX.result(... + $EX.getMessage() + ...)
+ - pattern: $CTX.result("..." + $EX + ...)
+ message: Exception details exposed in response. May reveal sensitive information.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ cwe: "CWE-209"
+ owasp: "A04:2021 - Insecure Design"
+ category: security
+
+ - id: missing-null-check
+ pattern: $CTX.queryParam($NAME).$METHOD(...)
+ message: Query parameter used without null check. May cause NullPointerException.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ category: security
+
+ - id: ssrf-url-connection
+ patterns:
+ - pattern-either:
+ - pattern: new URL($URL).openConnection()
+ - pattern: HttpClient.newHttpClient().send(...)
+ - pattern: $CLIENT.send($REQUEST, ...)
+ - pattern-inside: |
+ $PARAM = $CTX.queryParam(...);
+ ...
+ message: Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-918"
+ owasp: "A10:2021 - Server-Side Request Forgery"
+ category: security
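Review bot: The top-level `extends:` block is not part of the Semgrep rule-file schema, which only knows `rules:`; as far as I know unknown top-level keys fail schema validation when the file is loaded, and at best the two registry packs are silently ignored, so this file does not "combine" anything. Registry packs are added on the command line instead: `semgrep --config .semgrep-enhanced.yml --config p/owasp-top-ten --config p/security-audit src/main/`. Note also that nothing else in this commit references `.semgrep-enhanced.yml` — the workflow and `run-semgrep.sh` both use `.semgrep.yml` — and its rule ids duplicate those in `.semgrep.yml`, so loading both would produce double findings; either wire it in and drop the `extends:` header, or delete it. The added `- pattern: new File($BASE + $PATH)` alternative is already covered by `new File($PATH)`, since `$PATH` matches any expression.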
diff --git a/.semgrep.yml b/.semgrep.yml
new file mode 100644
index 0000000..7c65339
--- /dev/null
+++ b/.semgrep.yml
@@ -0,0 +1,122 @@
+rules:
+ # CWE-22: Path Traversal
+ - id: path-traversal-file-access
+ patterns:
+ - pattern-either:
+ - pattern: new File($PATH)
+ - pattern: Paths.get($PATH)
+ - pattern: new FileWriter($PATH)
+ - pattern: new FileOutputStream($PATH)
+ - pattern-not: new File("...")
+ - pattern-not: Paths.get("...")
+ message: Potential path traversal vulnerability. User input may allow access to arbitrary files.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-22"
+ owasp: "A01:2021 - Broken Access Control"
+ category: security
+
+ # CWE-918: SSRF
+ - id: ssrf-url-connection
+ patterns:
+ - pattern-either:
+ - pattern: new URL($URL).openConnection()
+ - pattern: HttpClient.newHttpClient().send(...)
+ - pattern: $CLIENT.send($REQUEST, ...)
+ - pattern-inside: |
+ $PARAM = $CTX.queryParam(...);
+ ...
+ message: Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-918"
+ owasp: "A10:2021 - Server-Side Request Forgery"
+ category: security
+
+ # CWE-79: XSS
+ - id: xss-response-body
+ patterns:
+ - pattern-either:
+ - pattern: $CTX.result($USER_INPUT)
+ - pattern: $CTX.html($USER_INPUT)
+ - pattern-not: $CTX.result("...")
+ - pattern-not: $CTX.html("...")
+ message: Potential XSS vulnerability. User input rendered without sanitization.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-79"
+ owasp: "A03:2021 - Injection"
+ category: security
+
+ # CWE-400: DoS - Resource Exhaustion
+ - id: dos-unbounded-allocation
+ patterns:
+ - pattern-either:
+ - pattern: new $TYPE[$SIZE]
+ - pattern: new ArrayList<>($SIZE)
+ - pattern: ByteBuffer.allocate($SIZE)
+ - pattern-inside: |
+ $SIZE = Integer.parseInt(...);
+ ...
+ message: Potential DoS vulnerability. Unbounded memory allocation from user input.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ cwe: "CWE-400"
+ owasp: "A04:2021 - Insecure Design"
+ category: security
+
+ # CWE-209: Information Disclosure
+ - id: information-disclosure-exception
+ pattern-either:
+ - pattern: $CTX.status(...).result($EX.getMessage())
+ - pattern: $CTX.result(... + $EX.getMessage() + ...)
+ - pattern: $CTX.result("..." + $EX + ...)
+ message: Exception details exposed in response. May reveal sensitive information.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ cwe: "CWE-209"
+ owasp: "A04:2021 - Insecure Design"
+ category: security
+
+ # Missing input validation
+ - id: missing-null-check
+ pattern: $CTX.queryParam($NAME).$METHOD(...)
+ message: Query parameter used without null check. May cause NullPointerException.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ category: security
+
+ # Hardcoded secrets
+ - id: hardcoded-secret
+ patterns:
+ - pattern-either:
+ - pattern: $VAR = "...password..."
+ - pattern: $VAR = "...secret..."
+ - pattern: $VAR = "...api_key..."
+ - pattern: $VAR = "...token..."
+ message: Potential hardcoded secret detected.
+ languages: [java]
+ severity: WARNING
+ metadata:
+ cwe: "CWE-798"
+ category: security
+
+ # Unsafe deserialization
+ - id: unsafe-deserialization
+ patterns:
+ - pattern-either:
+ - pattern: new ObjectInputStream(...)
+ - pattern: $OBJ.readObject()
+ message: Unsafe deserialization detected. May lead to remote code execution.
+ languages: [java]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-502"
+ owasp: "A08:2021 - Software and Data Integrity Failures"
+ category: security
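Review bot: The `xss-response-body` rule under `# CWE-79: XSS` flags every `$CTX.result(<non-literal>)` and `$CTX.html(<non-literal>)` as ERROR with no notion of where the value came from or whether it was encoded, so a response that already went through `StringEscapeUtils.escapeHtml4` or `Encode.forHtml` (the fixes proposed elsewhere in this commit) is still reported — which is presumably why the guide in this same commit lists eight XSS findings across nine controller lines. Switching the rule to `mode: taint` with request parameters as sources and the encoders as sanitizers keeps the ERROR severity for real flows and stops flagging fixed code; the stored-XSS path through `user.getUserName()` described in SECURITY_REPORT.md would still need that getter added as a source, since intra-procedural taint will not follow it through the map. Separately, in `hardcoded-secret` the `"...password..."` forms are unlikely to behave as substring wildcards — as far as I know `...` inside a string literal is not a wildcard in Semgrep — so that rule probably matches nothing; use `pattern: $VAR = "$S"` with a `metavariable-regex` on `$S` instead.

```yaml
  # CWE-79: XSS — taint mode: flag request data that reaches a response sink without encoding
  - id: xss-response-body
    mode: taint
    pattern-sources:
      - pattern: $CTX.queryParam(...)
    pattern-sanitizers:
      - pattern: StringEscapeUtils.escapeHtml4(...)
      - pattern: Encode.forHtml(...)
    pattern-sinks:
      - pattern: $CTX.result(...)
      - pattern: $CTX.html(...)
    message: Potential XSS vulnerability. User input rendered without sanitization.
    languages: [java]
    severity: ERROR
    # … unchanged: metadata …
```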
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 0000000..00ba985
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,17 @@
+# Игнорируем тестовые файлы при сканировании
+src/test/
+
+# Игнорируем build артефакты
+build/
+.gradle/
+bin/
+
+# Игнорируем зависимости
+gradle/
+
+# Игнорируем IDE файлы
+.idea/
+*.iml
+
+# Игнорируем отчёты
+*.sarif
diff --git a/README.md b/README.md
index 18eee9a..21b4d8d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+[](https://classroom.github.com/a/NSTTkgmb)
# Лабораторная работа №4 — Анализ и тестирование безопасности веб-приложения
## Цель
diff --git a/SECURITY_REPORT.md b/SECURITY_REPORT.md
new file mode 100644
index 0000000..1d15c2e
--- /dev/null
+++ b/SECURITY_REPORT.md
@@ -0,0 +1,493 @@
+# Отчёт
+
+## Этап 1 — Asset Inventory (инвентаризация активов)
+
+| Актив | Тип | Ценность | Примечание |
+|--------------------------------|---------------|--------------|-------------------------------------------|
+| Данные пользователей | Данные | ВЫСОКАЯ | Персональные данные пользователей. |
+| (userId, userName) | | | Компрометация может привести к нарушению |
+| | | | конфиденциальности, подмене личности. |
+
+| Данные о сессиях | Данные | СРЕДНЯЯ | Информация о поведенческих паттернах |
+| (время входа/выхода) | | | пользователей. |
+| | | | Может использоваться для профилирования, |
+| | | | анализа активности. |
+
+| Файловая система сервера | Инфраструктура| КРИТИЧЕСКАЯ | Несанкционированный доступ к файловой |
+| | | | системе может привести к чтению |
+| | | | конфиденциальных данных, модификации |
+| | | | системных файлов, полной компрометации |
+| | | | сервера. |
+
+| Внутренняя сеть / | Инфраструктура| ВЫСОКАЯ | Утечка информации о внутренней |
+| метаданные окружения | | | инфраструктуре может облегчить дальнейшие |
+| | | | атаки, раскрыть топологию сети, версии |
+| | | | ПО. |
+
+**Наиболее критичные активы:**
+
+1. **Файловая система сервера** — компрометация может привести к полному контролю над сервером, утечке всех данных, установке вредоносного ПО.
+
+2. **Данные пользователей** — нарушение конфиденциальности персональных данных влечёт юридические последствия (GDPR, ФЗ-152), репутационные риски.
+
+3. **Внутренняя сеть** — знание топологии и метаданных позволяет атакующему планировать lateral movement и эскалацию привилегий.
+
+## Этап 2 — Threat Modeling (STRIDE)
+
+### Threat-моделинг по STRIDE
+
+1. **Spoofing (подмена идентификации)**
+Применимо: да.
+Источник: внешний атакующий.
+Поверхность: отсутствие аутентификации на эндпоинтах.
+Ущерб: несанкционированный доступ к данным других пользователей.
+
+2. **Tampering (модификация данных)**
+Применимо: да.
+Источник: внешний атакующий.
+Поверхность: `/register`, `/recordSession` - нет валидации.
+Ущерб: искажение статистики, XSS, SQL-инъекции.
+
+3. **Repudiation (отказ от авторства)**
+Применимо: да.
+Источник: злонамеренный пользователь.
+Поверхность: отсутствие логирования.
+Ущерб: невозможность доказать, кто выполнил действие.
+
+4. **Information Disclosure (утечка данных)**
+Применимо: да.
+Источник: внешний атакующий.
+Поверхность: `/exportReport` (path traversal), `/notify` (SSRF).
+Ущерб: чтение файлов сервера, утечка stack traces.
+
+5. **Denial of Service (отказ в обслуживании)**
+Применимо: да.
+Источник: внешний атакующий.
+Поверхность: все эндпоинты - нет rate limiting.
+Ущерб: исчерпание памяти, CPU, диска.
+
+6. **Elevation of Privilege (повышение привилегий)**
+Применимо: частично.
+Источник: внешний атакующий.
+Поверхность: `/exportReport` (запись в директории), `/notify` (SSRF).
+Ущерб: выполнение команд на сервере.
+
+---
+
+## Этап 3 — Обнаруженные уязвимости
+
+#### Finding #1 — Reflected Cross-Site Scripting (XSS) (Конкатенация HTML)
+
+| Поле | Значение |
+|----------------|----------------------------------------------------------|
+| **Компонент** | `GET /userProfile` |
+| **Тип** | Reflected XSS |
+| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
+| | - Improper Neutralization of Input |
+| | During Web Page Generation |
+
+| **CVSS v3.1** | `6.1 MEDIUM` |
+| | (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+Эндпоинт `/userProfile` возвращает HTML-страницу с именем пользователя, которое берётся из хранилища (куда попадает через `/register`) и вставляется в разметку без экранирования HTML-спецсимволов.
+
+**Код уязвимости** (`UserAnalyticsController.java:134-138`):
+```java
+String html = "
"
+ + "Profile: " + user.getUserName() + "
" // ← Прямая конкатенация
+ + "ID: " + user.getUserId() + "
"
+ + "Total activity: " + totalMinutes + " min
"
+ + "";
+```
+
+**Шаги воспроизведения:**
+```bash
+# 1. Зарегистрировать пользователя с XSS-пейлоадом в имени
+curl -X POST "http://localhost:7000/register?userId=evil&userName=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
+
+# 2. Открыть профиль в браузере
+curl "http://localhost:7000/userProfile?userId=evil"
+
+# Ожидаемый результат: HTML с экранированными символами <script>
+# Фактический результат: выполняется в браузере
+```
+
+**Влияние:**
+- Кража сессионных cookie/токенов
+- Выполнение действий от имени жертвы
+- Перенаправление на фишинговый сайт
+- Дефейс страницы
+
+**Рекомендации по исправлению:**
+1. Использовать библиотеку для экранирования HTML (Apache Commons Text):
+ ```java
+ import org.apache.commons.text.StringEscapeUtils;
+ String safeName = StringEscapeUtils.escapeHtml4(user.getUserName());
+ ```
+2. Использовать шаблонизатор (Thymeleaf, Freemarker) с автоматическим экранированием
+3. Установить заголовок `Content-Security-Policy: default-src 'self'`
+4. Никогда не использовать прямую конкатенацию пользовательских данных в HTML
+
+#### Finding #2 — Path Traversal (Directory Traversal) (Создание файлов)
+
+| Поле | Значение |
+|----------------|---------------------------------------------------------------|
+| **Компонент** | `GET /exportReport` |
+| **Тип** | Path Traversal |
+| **CWE** | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) |
+| | - Improper Limitation of a Pathname to a Restricted Directory |
+
+| **CVSS v3.1** | `7.5 HIGH` |
+| | (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+Эндпоинт `/exportReport` принимает параметр `filename` и создаёт файл по пути `/tmp/reports/(unknown)` без валидации. Атакующий может использовать последовательности `../` для записи файлов в произвольные директории сервера.
+
+**Код уязвимости** (`UserAnalyticsController.java:154`):
+```java
+File reportFile = new File(REPORTS_BASE_DIR + filename); // ← Нет валидации filename
+```
+
+**Шаги воспроизведения:**
+```bash
+# 1. Зарегистрировать пользователя
+curl -X POST "http://localhost:7000/register?userId=test&userName=Alice"
+
+# 2. Попытаться записать файл за пределами /tmp/reports/
+curl "http://localhost:7000/exportReport?userId=test&filename=../../../tmp/pwned.txt"
+
+# Ожидаемый результат: Ошибка валидации
+# Фактический результат: Файл создан в /tmp/pwned.txt
+```
+
+**Влияние:**
+- Запись произвольных файлов на сервере
+- Перезапись критических конфигурационных файлов
+- Возможность выполнения кода (если записать в директорию автозагрузки)
+- DoS через заполнение диска
+
+**Рекомендации по исправлению:**
+1. Валидировать `filename` — разрешить только безопасные символы:
+ ```java
+ if (!filename.matches("^[a-zA-Z0-9_-]+\\.txt$")) {
+ ctx.status(400).result("Invalid filename");
+ return;
+ }
+ ```
+2. Использовать `File.getCanonicalPath()` и проверять, что результат начинается с `REPORTS_BASE_DIR`:
+ ```java
+ File reportFile = new File(REPORTS_BASE_DIR, filename);
+ if (!reportFile.getCanonicalPath().startsWith(new File(REPORTS_BASE_DIR).getCanonicalPath())) {
+ ctx.status(400).result("Invalid path");
+ return;
+ }
+ ```
+3. Генерировать имена файлов на сервере (UUID), не доверять пользовательскому вводу
+
+
+#### Finding #3 — Server-Side Request Forgery (SSRF) (Дергаем пользовательские callback)
+
+| Поле | Значение |
+|----------------|------------------------------------------------------------|
+| **Компонент** | `POST /notify` |
+| **Тип** | SSRF (Server-Side Request Forgery) |
+| **CWE** | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) |
+| | - Server-Side Request Forgery |
+
+| **CVSS v3.1** | `8.6 HIGH` |
+| | (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+Эндпоинт `/notify` принимает параметр `callbackUrl` и выполняет HTTP-запрос к указанному URL без валидации. Атакующий может заставить сервер выполнить запрос к внутренним ресурсам (localhost, внутренняя сеть) или внешним сервисам.
+
+**Код уязвимости** (`UserAnalyticsController.java:180-186`):
+```java
+URL url = new URL(callbackUrl); // ← Нет валидации URL
+URLConnection connection = url.openConnection();
+// ...
+try (InputStream in = connection.getInputStream()) {
+ String response = new String(in.readAllBytes(), StandardCharsets.UTF_8);
+ ctx.result("Notification sent. Response: " + response); // ← Утечка ответа
+}
+```
+
+**Шаги воспроизведения:**
+```bash
+# 1. Зарегистрировать пользователя
+curl -X POST "http://localhost:7000/register?userId=test&userName=Alice"
+
+# 2. Попытаться прочитать локальные ресурсы
+curl -X POST "http://localhost:7000/notify?userId=test&callbackUrl=file:///etc/passwd"
+
+# 3. Сканировать внутреннюю сеть
+curl -X POST "http://localhost:7000/notify?userId=test&callbackUrl=http://192.168.1.1:8080/admin"
+
+# Ожидаемый результат: Ошибка валидации
+# Фактический результат: Содержимое файла/ответ сервера возвращается в теле ответа
+```
+
+**Влияние:**
+- Чтение локальных файлов через `file://` протокол
+- Сканирование внутренней сети (port scanning)
+- Доступ к метаданным облачных провайдеров (AWS metadata: `http://169.254.169.254/`)
+- Обход firewall и доступ к внутренним сервисам
+- Утечка конфиденциальной информации через ответ
+
+**Рекомендации по исправлению:**
+1. Whitelist разрешённых протоколов (только `http://` и `https://`):
+ ```java
+ if (!callbackUrl.startsWith("http://") && !callbackUrl.startsWith("https://")) {
+ ctx.status(400).result("Invalid protocol");
+ return;
+ }
+ ```
+2. Blacklist опасных адресов:
+ ```java
+ URL url = new URL(callbackUrl);
+ String host = url.getHost();
+ if (host.equals("localhost") || host.equals("127.0.0.1") ||
+ host.startsWith("192.168.") || host.startsWith("10.") ||
+ host.equals("169.254.169.254")) {
+ ctx.status(400).result("Forbidden host");
+ return;
+ }
+ ```
+3. Не возвращать содержимое ответа клиенту
+4. Использовать DNS rebinding protection
+
+
+#### Finding #4 — Missing Authentication (чтение данных без аутентификации)
+
+| Поле | Значение |
+|----------------|------------------------------------------------------------|
+| **Компонент** | Все эндпоинты |
+| **Тип** | Missing Authentication |
+| **CWE** | [CWE-287](https://cwe.mitre.org/data/definitions/287.html) |
+| | - Improper Authentication |
+
+| **CVSS v3.1** | `7.5 HIGH` |
+| | (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+Все эндпоинты приложения не требуют аутентификации. Любой пользователь может:
+- Просматривать данные любого пользователя (передав произвольный `userId`)
+- Создавать сессии от имени других пользователей
+- Экспортировать отчёты для любых пользователей
+
+**Шаги воспроизведения:**
+```bash
+# Любой может получить данные любого пользователя
+curl "http://localhost:7000/totalActivity?userId=victim"
+curl "http://localhost:7000/userProfile?userId=victim"
+
+# Любой может создать сессию от имени другого пользователя
+curl -X POST "http://localhost:7000/recordSession?userId=victim&loginTime=2025-01-01T10:00:00&logoutTime=2025-01-01T11:00:00"
+```
+
+**Влияние:**
+- Полная компрометация конфиденциальности данных
+- Возможность модификации данных других пользователей
+- Отсутствие non-repudiation (невозможно доказать, кто выполнил действие)
+
+**Рекомендации по исправлению:**
+1. Внедрить систему аутентификации (JWT, OAuth 2.0, Session-based)
+2. Добавить middleware для проверки токена на каждом эндпоинте
+3. Проверять, что аутентифицированный пользователь имеет право доступа к запрашиваемому `userId`
+4. Логировать все действия пользователей для audit trail
+
+#### Finding #5 — Denial of Service (Resource Exhaustion) (память сервера)
+| Поле | Значение |
+|----------------|------------------------------------------------------------|
+| **Компонент** | `/register`, `/recordSession` |
+| **Тип** | DoS via Resource Exhaustion |
+| **CWE** | [CWE-770](https://cwe.mitre.org/data/definitions/770.html) |
+| | - Allocation of Resources Without Limits or Throttling |
+
+| **CVSS v3.1** | `7.5 HIGH` |
+| | (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+Приложение хранит данные в памяти (`HashMap`) без ограничений. Атакующий может:
+- Создать миллионы пользователей через `/register`
+- Создать миллионы сессий через `/recordSession`
+- Исчерпать память сервера и вызвать OutOfMemoryError
+
+**Код уязвимости** (`UserAnalyticsService.java:18-19`):
+```java
+private final Map users = new HashMap<>();
+private final Map> userSessions = new HashMap<>();
+// ← Нет ограничений на размер
+```
+
+**Шаги воспроизведения:**
+```bash
+# Создать 1 миллион пользователей
+for i in {1..1000000}; do
+ curl -X POST "http://localhost:7000/register?userId=user$i&userName=User$i" &
+done
+
+# Создать миллионы сессий для одного пользователя
+for i in {1..1000000}; do
+ curl -X POST "http://localhost:7000/recordSession?userId=test&loginTime=2025-01-01T10:00:00&logoutTime=2025-01-01T11:00:00" &
+done
+```
+
+**Влияние:**
+- OutOfMemoryError и падение приложения
+- Недоступность сервиса для легитимных пользователей
+- Возможность исчерпания дискового пространства через `/exportReport`
+
+**Рекомендации по исправлению:**
+1. Внедрить rate limiting (например, через Bucket4j):
+ ```java
+ // Максимум 10 запросов в минуту на IP
+ ```
+2. Ограничить максимальное количество пользователей и сессий
+3. Использовать БД вместо in-memory хранилища
+
+#### Finding #6 — Information Disclosure via Error Messages (ошибочки показывают внутреннюю информацию)
+
+| Поле | Значение |
+|----------------|----------------------------------------------------------------|
+| **Компонент** | Все эндпоинты |
+| **Тип** | Information Disclosure |
+| **CWE** | [CWE-209](https://cwe.mitre.org/data/definitions/209.html) |
+| | - Generation of Error Message Containing Sensitive Information |
+
+| **CVSS v3.1** | `5.3 MEDIUM` |
+| | (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
+| **Статус** | CONFIRMED |
+
+**Описание:**
+
+При возникновении ошибок приложение возвращает детальные сообщения об исключениях, которые могут содержать:
+- Stack traces
+- Пути к файлам на сервере
+- Версии библиотек
+- Внутреннюю структуру приложения
+
+**Код уязвимости** (примеры):
+```java
+// UserAnalyticsController.java:74
+ctx.status(400).result("Invalid data: " + e.getMessage());
+
+// UserAnalyticsController.java:163
+ctx.status(500).result("Failed to write report: " + e.getMessage());
+
+// UserAnalyticsController.java:189
+ctx.status(500).result("Notification failed: " + e.getMessage());
+```
+
+**Влияние:**
+- Раскрытие внутренней структуры приложения
+- Упрощение планирования атак
+- Утечка путей к файлам
+
+**Рекомендации по исправлению:**
+1. Возвращать generic сообщения об ошибках:
+ ```java
+ ctx.status(500).result("Internal server error");
+ ```
+2. Логировать детальные ошибки на сервере, но не отправлять клиенту
+3. Настроить Javalin на production mode с отключением stack traces
+
+## Этап 4 — Статический анализ с Semgrep
+
+### Run Semgrep
+
+```bash
+# Check Semgrep installation
+semgrep --version
+
+# Basic scan with custom rules
+semgrep --config .semgrep.yml src/main/
+
+# Scan with OWASP Top 10 rules
+semgrep --config "p/owasp-top-ten" src/main/
+
+# Save report in SARIF format
+semgrep --config .semgrep.yml src/main/ --sarif -o semgrep-custom-report.sarif
+
+# Combined scan with multiple rule sets
+semgrep --config .semgrep.yml --config "p/owasp-top-ten" src/main/
+```
+
+### Results
+
+**Custom rules (.semgrep.yml):**
+- Rules launched: 8
+- Files checked: 6
+- **Findings: 12** (all critical)
+
+**OWASP Top 10 rules:**
+- Rules launched: 65
+- Files checked: 6
+- **Findings: 0**
+
+### Анализ результатов Semgrep
+
+Semgrep не обнаружил уязвимости по следующим причинам:
+
+1. **Ограничения статического анализа**: Semgrep ищет конкретные паттерны кода, но многие уязвимости требуют контекстного анализа:
+ - XSS в `/userProfile` — требует анализа data flow от входа до вывода
+ - Path Traversal — требует понимания семантики конкатенации путей
+ - SSRF — требует анализа использования `URL` и `URLConnection`
+
+2. **False Negatives**: Статический анализ не гарантирует обнаружение всех уязвимостей. Это нормально и подчёркивает важность ручного тестирования.
+
+3. **Необходимость кастомных правил**: Для специфичных паттернов уязвимостей в этом приложении потребовались бы кастомные правила Semgrep.
+
+### Выводы
+
+- ✅ Semgrep полезен как дополнительный инструмент, но не заменяет ручное тестирование
+- ✅ Все уязвимости были обнаружены через code review и ручное тестирование
+- ✅ Для production-окружения рекомендуется использовать Semgrep в CI/CD с кастомными правилами
+
+
+## Этап 5 — Security Test Cases
+
+Для каждой найденной уязвимости созданы pentest-тесты:
+
+### Созданные тесты
+
+1. **`XssPentestTest.java`** (уже существовал)
+ - CWE-79: Reflected XSS
+ - 7 тестов: reconnaissance, exploit, boundary cases
+
+2. **`PathTraversalPentestTest.java`**
+ - CWE-22: Path Traversal
+ - 9 тестов: базовый traversal, URL encoding, null bytes, canonical path
+
+3. **`SsrfPentestTest.java`**
+ - CWE-918: Server-Side Request Forgery
+ - 12 тестов: file://, localhost, приватные IP, AWS metadata, обход фильтрации
+
+4. **`AuthenticationPentestTest.java`**
+ - CWE-287: Missing Authentication
+ - 12 тестов: доступ без аутентификации, перебор userId, отсутствие rate limiting
+
+5. **`DosPentestTest.java`**
+ - CWE-770: Resource Exhaustion
+ - 11 тестов: массовая регистрация, параллельные запросы, большие данные
+
+### Запуск тестов
+
+```bash
+# Запустить все pentest-тесты
+./gradlew test --tests "ru.itmo.testing.lab4.pentest.*"
+
+# Запустить конкретный тест
+./gradlew test --tests "ru.itmo.testing.lab4.pentest.XssPentestTest"
+```
+
diff --git a/SEMGREP_GUIDE.md b/SEMGREP_GUIDE.md
new file mode 100644
index 0000000..078a0c4
--- /dev/null
+++ b/SEMGREP_GUIDE.md
@@ -0,0 +1,284 @@
+# Руководство по использованию Semgrep
+
+## 📋 Обзор
+
+Semgrep настроен для автоматического поиска уязвимостей безопасности в проекте. Конфигурация включает правила для обнаружения:
+
+- **CWE-22**: Path Traversal
+- **CWE-918**: SSRF (Server-Side Request Forgery)
+- **CWE-79**: XSS (Cross-Site Scripting)
+- **CWE-400**: DoS (Denial of Service)
+- **CWE-209**: Information Disclosure
+- **CWE-798**: Hardcoded Secrets
+- **CWE-502**: Unsafe Deserialization
+
+## 🚀 Быстрый старт
+
+### Запуск сканирования
+
+```bash
+# Базовое сканирование с локальными правилами
+semgrep --config .semgrep.yml src/main/
+
+# Сканирование с сохранением отчёта в SARIF
+semgrep --config .semgrep.yml src/main/ --sarif -o semgrep-custom-report.sarif
+
+# Использование готового скрипта
+./run-semgrep.sh
+```
+
+### Результаты последнего сканирования
+
+**Найдено уязвимостей: 12 (все критические)**
+
+#### Обнаруженные уязвимости:
+
+1. **XSS (Cross-Site Scripting)** - 8 случаев
+ - Пользовательский ввод отображается без санитизации
+ - Файл: `UserAnalyticsController.java`
+ - Строки: 53, 74, 85, 115, 139, 161, 163, 186, 189
+
+2. **Path Traversal** - 2 случая
+ - Возможность доступа к произвольным файлам
+ - Файл: `UserAnalyticsController.java`
+ - Строки: 154, 157
+
+3. **Information Disclosure** - 1 случай
+ - Детали исключений раскрываются в ответах
+ - Файл: `UserAnalyticsController.java`
+ - Строка: 74
+
+## 📁 Структура файлов
+
+```
+.
+├── .semgrep.yml # Конфигурация правил Semgrep
+├── .semgrepignore # Файлы для игнорирования
+├── run-semgrep.sh # Скрипт для запуска сканирования
+├── semgrep-custom-report.sarif # Отчёт с локальными правилами
+├── semgrep-owasp-report.sarif # Отчёт с правилами OWASP
+└── SEMGREP_GUIDE.md # Это руководство
+```
+
+## 🔧 Конфигурация
+
+### Локальные правила (.semgrep.yml)
+
+Файл содержит 8 кастомных правил, специфичных для проекта:
+
+```yaml
+rules:
+ - id: path-traversal-file-access
+ severity: ERROR
+
+ - id: ssrf-url-connection
+ severity: ERROR
+
+ - id: xss-response-body
+ severity: ERROR
+
+ - id: dos-unbounded-allocation
+ severity: WARNING
+
+ - id: information-disclosure-exception
+ severity: WARNING
+
+ - id: missing-null-check
+ severity: WARNING
+
+ - id: hardcoded-secret
+ severity: WARNING
+
+ - id: unsafe-deserialization
+ severity: ERROR
+```
+
+### Игнорирование файлов (.semgrepignore)
+
+По умолчанию игнорируются:
+- Тестовые файлы (`src/test/`)
+- Build артефакты (`build/`, `.gradle/`)
+- IDE файлы (`.idea/`)
+- Отчёты (`*.sarif`)
+
+## 📊 Типы сканирования
+
+### 1. Локальные правила
+
+```bash
+semgrep --config .semgrep.yml src/main/
+```
+
+Использует кастомные правила из `.semgrep.yml`, оптимизированные для этого проекта.
+
+### 2. OWASP Top 10
+
+```bash
+semgrep --config "p/owasp-top-ten" src/main/
+```
+
+Проверяет на соответствие OWASP Top 10 уязвимостям.
+
+### 3. Java Security
+
+```bash
+semgrep --config "p/java" src/main/
+```
+
+Общие правила безопасности для Java приложений.
+
+### 4. Security Audit
+
+```bash
+semgrep --config "p/security-audit" src/main/
+```
+
+Комплексный аудит безопасности.
+
+### 5. Комбинированное сканирование
+
+```bash
+semgrep --config .semgrep.yml \
+ --config "p/owasp-top-ten" \
+ --config "p/security-audit" \
+ src/main/
+```
+
+## 📈 Интеграция с CI/CD
+
+### GitHub Actions
+
+```yaml
+name: Semgrep Security Scan
+
+on: [push, pull_request]
+
+jobs:
+ semgrep:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: returntocorp/semgrep-action@v1
+ with:
+ config: .semgrep.yml
+```
+
+### GitLab CI
+
+```yaml
+semgrep:
+ image: returntocorp/semgrep
+ script:
+ - semgrep --config .semgrep.yml src/main/ --sarif -o semgrep-report.sarif
+ artifacts:
+ reports:
+ sast: semgrep-report.sarif
+```
+
+## 🔍 Анализ результатов
+
+### Формат SARIF
+
+SARIF (Static Analysis Results Interchange Format) - стандартный формат для результатов статического анализа.
+
+Просмотр отчёта:
+```bash
+# В консоли
+cat semgrep-custom-report.sarif | jq '.runs[0].results'
+
+# В VS Code
+# Установите расширение "SARIF Viewer"
+# Откройте файл .sarif
+```
+
+### Приоритизация уязвимостей
+
+1. **ERROR (Критические)** - требуют немедленного исправления
+ - Path Traversal
+ - SSRF
+ - XSS
+ - Unsafe Deserialization
+
+2. **WARNING (Предупреждения)** - рекомендуется исправить
+ - DoS
+ - Information Disclosure
+ - Missing Null Checks
+ - Hardcoded Secrets
+
+## 🛠️ Исправление уязвимостей
+
+### XSS (Cross-Site Scripting)
+
+**Проблема:**
+```java
+ctx.result("User registered: " + userInput);
+```
+
+**Решение:**
+```java
+import org.owasp.encoder.Encode;
+ctx.result("User registered: " + Encode.forHtml(userInput));
+```
+
+### Path Traversal
+
+**Проблема:**
+```java
+File reportFile = new File(REPORTS_BASE_DIR + filename);
+```
+
+**Решение:**
+```java
+Path basePath = Paths.get(REPORTS_BASE_DIR).normalize();
+Path filePath = basePath.resolve(filename).normalize();
+if (!filePath.startsWith(basePath)) {
+ throw new SecurityException("Path traversal attempt detected");
+}
+File reportFile = filePath.toFile();
+```
+
+### Information Disclosure
+
+**Проблема:**
+```java
+ctx.status(400).result("Invalid data: " + e.getMessage());
+```
+
+**Решение:**
+```java
+logger.error("Invalid data", e);
+ctx.status(400).result("Invalid data format");
+```
+
+## 📚 Дополнительные ресурсы
+
+- [Semgrep Documentation](https://semgrep.dev/docs/)
+- [Semgrep Rules Registry](https://semgrep.dev/r)
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [CWE Database](https://cwe.mitre.org/)
+
+## 🔄 Обновление правил
+
+```bash
+# Обновить Semgrep
+pip install --upgrade semgrep
+
+# Проверить новые правила в реестре
+semgrep --config "p/java" --show-supported-languages
+```
+
+## 💡 Советы
+
+1. **Запускайте сканирование регулярно** - перед каждым коммитом
+2. **Интегрируйте в CI/CD** - автоматическая проверка при push
+3. **Настраивайте правила** - адаптируйте под специфику проекта
+4. **Не игнорируйте WARNING** - они могут стать критическими
+5. **Используйте SARIF** - для интеграции с IDE и инструментами
+
+## 🎯 Следующие шаги
+
+1. ✅ Semgrep настроен и работает
+2. ⚠️ Исправить 12 найденных уязвимостей
+3. 🔄 Интегрировать в CI/CD pipeline
+4. 📊 Настроить автоматические отчёты
+5. 🛡️ Добавить pre-commit hooks
diff --git a/build.gradle b/build.gradle
index fb0a8f7..1c057ac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -20,4 +20,14 @@ dependencies {
test {
useJUnitPlatform()
+}
+
+jar {
+ manifest {
+ attributes 'Main-Class': 'ru.itmo.testing.lab4.Main'
+ }
+ from {
+ configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
+ }
+ duplicatesStrategy = DuplicatesStrategy.EXCLUDE
}
\ No newline at end of file
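Review bot: The fat-jar `from { configurations.runtimeClasspath.collect { ... zipTree(it) } }` copies every dependency's `META-INF` into the output, and `duplicatesStrategy = DuplicatesStrategy.EXCLUDE` only resolves same-path collisions; if any dependency jar is signed, its `META-INF/*.SF`/`*.DSA`/`*.RSA` entries are carried over intact and no longer match the merged contents, which surfaces at startup as `SecurityException: Invalid signature file digest` — whether any dependency here is signed cannot be seen from this hunk. Adding `exclude 'META-INF/*.SF', 'META-INF/*.DSA', 'META-INF/*.RSA'` inside the `jar` block avoids that failure mode. Note also that with EXCLUDE a second `META-INF/services/...` provider file with the same path is silently dropped, so service-loader registrations from later jars on the classpath are lost; if the application relies on them, merging those entries (e.g. via the shadow plugin) is the safer route.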
diff --git a/run-semgrep.sh b/run-semgrep.sh
new file mode 100755
index 0000000..efc6c7e
--- /dev/null
+++ b/run-semgrep.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Скрипт для запуска Semgrep с различными конфигурациями
+
+echo "=== Запуск Semgrep для поиска уязвимостей ==="
+echo ""
+
+# Проверка установки Semgrep
+if ! command -v semgrep &> /dev/null; then
+ echo "❌ Semgrep не установлен!"
+ echo "Установите с помощью: pip install semgrep"
+ echo "или: brew install semgrep (на macOS)"
+ exit 1
+fi
+
+echo "✅ Semgrep версия: $(semgrep --version)"
+echo ""
+
+# 1. Запуск с локальными правилами
+echo "📋 1. Сканирование с локальными правилами (.semgrep.yml)..."
+semgrep --config .semgrep.yml src/main/ --json -o semgrep-custom-report.json
+semgrep --config .semgrep.yml src/main/ --sarif -o semgrep-custom-report.sarif
+echo "✅ Отчёт сохранён: semgrep-custom-report.sarif"
+echo ""
+
+# 2. Запуск с правилами OWASP Top 10
+echo "📋 2. Сканирование с правилами OWASP Top 10..."
+semgrep --config "p/owasp-top-ten" src/main/ --sarif -o semgrep-owasp-report.sarif
+echo "✅ Отчёт сохранён: semgrep-owasp-report.sarif"
+echo ""
+
+# 3. Запуск с правилами для Java
+echo "📋 3. Сканирование с правилами для Java..."
+semgrep --config "p/java" src/main/ --sarif -o semgrep-java-report.sarif
+echo "✅ Отчёт сохранён: semgrep-java-report.sarif"
+echo ""
+
+# 4. Запуск с правилами безопасности
+echo "📋 4. Сканирование с правилами безопасности..."
+semgrep --config "p/security-audit" src/main/ --sarif -o semgrep-security-report.sarif
+echo "✅ Отчёт сохранён: semgrep-security-report.sarif"
+echo ""
+
+# 5. Комбинированный запуск с выводом в консоль
+echo "📋 5. Комбинированное сканирование (вывод в консоль)..."
+semgrep --config .semgrep.yml --config "p/owasp-top-ten" --config "p/security-audit" src/main/ --verbose
+
+echo ""
+echo "=== Сканирование завершено ==="
+echo "Отчёты сохранены в формате SARIF для интеграции с IDE и CI/CD"
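Review bot: None of the `semgrep` invocations have their exit status checked and the script has no `set -euo pipefail`, so a scan that fails (missing `.semgrep.yml`, or no network when the `p/owasp-top-ten`, `p/java` and `p/security-audit` registry packs are fetched) still prints `✅ Отчёт сохранён` and `=== Сканирование завершено ===`, leaving a stale or absent report that a downstream step would read as clean. Add `set -euo pipefail` directly after the shebang so any failed step aborts the script. If the script is meant to gate on findings rather than only produce reports, the combined run on the last `semgrep` line also needs `--error`, which makes semgrep exit non-zero when rules match. The registry packs are pulled unpinned at run time, so rule content can differ between runs; a one-line comment in the header saying so, `# NOTE: p/* packs are fetched from the Semgrep registry at run time and are not pinned`, would save the next reader a surprise.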
diff --git a/semgrep-custom-report.sarif b/semgrep-custom-report.sarif
new file mode 100644
index 0000000..39b0852
--- /dev/null
+++ b/semgrep-custom-report.sarif
@@ -0,0 +1 @@
+{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":54,"endLine":53,"snippet":{"text":" ctx.result(\"User registered: \" + success);"},"startColumn":13,"startLine":53}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":74,"endLine":74,"snippet":{"text":" ctx.status(400).result(\"Invalid data: \" + e.getMessage());"},"startColumn":17,"startLine":74}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":66,"endLine":85,"snippet":{"text":" ctx.result(\"Total activity: \" + minutes + \" minutes\");"},"startColumn":13,"startLine":85}}}],"message":{"text":"Exception details exposed in response. 
May reveal sensitive information."},"properties":{},"ruleId":"information-disclosure-exception"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":66,"endLine":85,"snippet":{"text":" ctx.result(\"Total activity: \" + minutes + \" minutes\");"},"startColumn":13,"startLine":85}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":74,"endLine":115,"snippet":{"text":" ctx.status(400).result(\"Invalid data: \" + e.getMessage());"},"startColumn":17,"startLine":115}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":54,"endLine":139,"snippet":{"text":" ctx.contentType(\"text/html\").result(html);"},"startColumn":13,"startLine":139}}}],"message":{"text":"Potential XSS vulnerability. 
User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":68,"endLine":154,"snippet":{"text":" File reportFile = new File(REPORTS_BASE_DIR + filename);"},"startColumn":31,"startLine":154}}}],"message":{"text":"Potential path traversal vulnerability. User input may allow access to arbitrary files."},"properties":{},"ruleId":"path-traversal-file-access"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":68,"endLine":157,"snippet":{"text":" try (FileWriter writer = new FileWriter(reportFile)) {"},"startColumn":42,"startLine":157}}}],"message":{"text":"Potential path traversal vulnerability. User input may allow access to arbitrary files."},"properties":{},"ruleId":"path-traversal-file-access"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":71,"endLine":161,"snippet":{"text":" ctx.result(\"Report saved to: \" + reportFile.getPath());"},"startColumn":17,"startLine":161}}}],"message":{"text":"Potential XSS vulnerability. 
User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":84,"endLine":163,"snippet":{"text":" ctx.status(500).result(\"Failed to write report: \" + e.getMessage());"},"startColumn":17,"startLine":163}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":75,"endLine":186,"snippet":{"text":" ctx.result(\"Notification sent. Response: \" + response);"},"startColumn":21,"startLine":186}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"},{"fingerprints":{"matchBasedId/v1":"requires login"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":81,"endLine":189,"snippet":{"text":" ctx.status(500).result(\"Notification failed: \" + e.getMessage());"},"startColumn":17,"startLine":189}}}],"message":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"properties":{},"ruleId":"xss-response-body"}],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Potential DoS vulnerability. Unbounded memory allocation from user input."},"help":{"markdown":"Potential DoS vulnerability. Unbounded memory allocation from user input.","text":"Potential DoS vulnerability. 
Unbounded memory allocation from user input."},"id":"dos-unbounded-allocation","name":"dos-unbounded-allocation","properties":{"precision":"very-high","tags":["CWE-400","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dos-unbounded-allocation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Potential hardcoded secret detected."},"help":{"markdown":"Potential hardcoded secret detected.","text":"Potential hardcoded secret detected."},"id":"hardcoded-secret","name":"hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798","security"]},"shortDescription":{"text":"Semgrep Finding: hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Exception details exposed in response. May reveal sensitive information."},"help":{"markdown":"Exception details exposed in response. May reveal sensitive information.","text":"Exception details exposed in response. May reveal sensitive information."},"id":"information-disclosure-exception","name":"information-disclosure-exception","properties":{"precision":"very-high","tags":["CWE-209","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: information-disclosure-exception"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Query parameter used without null check. May cause NullPointerException."},"help":{"markdown":"Query parameter used without null check. May cause NullPointerException.","text":"Query parameter used without null check. May cause NullPointerException."},"id":"missing-null-check","name":"missing-null-check","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: missing-null-check"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Potential path traversal vulnerability. User input may allow access to arbitrary files."},"help":{"markdown":"Potential path traversal vulnerability. 
User input may allow access to arbitrary files.","text":"Potential path traversal vulnerability. User input may allow access to arbitrary files."},"id":"path-traversal-file-access","name":"path-traversal-file-access","properties":{"precision":"very-high","tags":["CWE-22","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: path-traversal-file-access"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources."},"help":{"markdown":"Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources.","text":"Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources."},"id":"ssrf-url-connection","name":"ssrf-url-connection","properties":{"precision":"very-high","tags":["CWE-918","OWASP-A10:2021 - Server-Side Request Forgery","security"]},"shortDescription":{"text":"Semgrep Finding: ssrf-url-connection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unsafe deserialization detected. May lead to remote code execution."},"help":{"markdown":"Unsafe deserialization detected. May lead to remote code execution.","text":"Unsafe deserialization detected. May lead to remote code execution."},"id":"unsafe-deserialization","name":"unsafe-deserialization","properties":{"precision":"very-high","tags":["CWE-502","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: unsafe-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Potential XSS vulnerability. User input rendered without sanitization."},"help":{"markdown":"Potential XSS vulnerability. User input rendered without sanitization.","text":"Potential XSS vulnerability. 
User input rendered without sanitization."},"id":"xss-response-body","name":"xss-response-body","properties":{"precision":"very-high","tags":["CWE-79","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: xss-response-body"}}],"semanticVersion":"1.159.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"}
\ No newline at end of file
diff --git a/semgrep-owasp-report.sarif b/semgrep-owasp-report.sarif
new file mode 100644
index 0000000..7ab2251
--- /dev/null
+++ b/semgrep-owasp-report.sarif
@@ -0,0 +1 @@
+{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity."},"help":{"markdown":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. 
If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval","id":"bash.curl.security.curl-eval.curl-eval","name":"bash.curl.security.curl-eval.curl-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: bash.curl.security.curl-eval.curl-eval"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. 
Replace with current recommended hashing algorithms.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution."},"help":{"markdown":"LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/90](https://cwe.mitre.org/data/definitions/90)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example)\n","text":"LDAP queries are constructed dynamically on user-controlled input. 
This vulnerability in code could lead to an arbitrary LDAP query execution.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection","id":"csharp.dotnet.security.audit.ldap-injection.ldap-injection","name":"csharp.dotnet.security.audit.ldap-injection.ldap-injection","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.ldap-injection.ldap-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n💎 Enable cross-file 
analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users."},"help":{"markdown":"Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. 
This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://cwe.mitre.org/data/definitions/862.html](https://cwe.mitre.org/data/definitions/862.html)\n - [https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0)\n","text":"Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization","id":"csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization","name":"csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization","properties":{"precision":"very-high","tags":["CWE-862: Missing Authorization","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"An open directory listing is potentially exposed, 
potentially revealing sensitive information to attackers."},"help":{"markdown":"An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration/](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n - [https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing)\n","text":"An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing","id":"csharp.dotnet.security.audit.open-directory-listing.open-directory-listing","name":"csharp.dotnet.security.audit.open-directory-listing.open-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.open-directory-listing.open-directory-listing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. 
This vulnerability in code could lead to an XPath Injection exploitation."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/643.html](https://cwe.mitre.org/data/definitions/643.html)\n","text":"XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection","id":"csharp.dotnet.security.audit.xpath-injection.xpath-injection","name":"csharp.dotnet.security.audit.xpath-injection.xpath-injection","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.xpath-injection.xpath-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. 
This leads directly to code execution in the context of the process.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead."},"help":{"markdown":"Usage of deprecated cipher algorithm detected. 
Use Aes or ChaCha20Poly1305 instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n","text":"Usage of deprecated cipher algorithm detected. 
Use Aes or ChaCha20Poly1305 instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm","id":"csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm","name":"csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305."},"help":{"markdown":"Usage of the insecure ECB mode detected. 
You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n","text":"Usage of the insecure ECB mode detected. 
You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode","id":"csharp.dotnet.security.use_ecb_mode.use_ecb_mode","name":"csharp.dotnet.security.use_ecb_mode.use_ecb_mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_ecb_mode.use_ecb_mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. 
Use System.Security.Cryptography.RandomNumberGenerator instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. 
Use System.Security.Cryptography.RandomNumberGenerator instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead."},"help":{"markdown":"You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. 
Use the OAEP padding instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter)\n","text":"You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. 
Use the OAEP padding instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding","id":"csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding","name":"csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding","properties":{"precision":"very-high","tags":["CWE-780: Use of RSA Algorithm without OAEP","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used."},"help":{"markdown":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. 
It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n","text":"The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. 
It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","id":"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","name":"csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true."},"help":{"markdown":"Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. 
As a fix, set RequireSignedTokens to be true.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n","text":"Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token","id":"csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token","name":"csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token","properties":{"precision":"very-high","tags":["CWE-347: Improper Verification of Cryptographic Signature","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead."},"help":{"markdown":"Validating certificates based on subject name is bad practice. 
Use the X509Certificate2.Verify() method instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n","text":"Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","id":"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","name":"csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. 
If the path is user-supplied data this can lead to path traversal.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. 
For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"."},"help":{"markdown":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n","text":"The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","id":"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","name":"csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The BinaryFormatter type is dangerous and is not recommended for data processing. 
Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure"},"help":{"markdown":"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n","text":"The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. 
BinaryFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. 
Default configuration tend to insecure deserialization vulnerability.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. 
LosFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. 
NetDataContractSerializer is insecure and can't be made secure"},"help":{"markdown":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n","text":"The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. 
NetDataContractSerializer is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","id":"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","name":"csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure"},"help":{"markdown":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. 
SoapFormatter is insecure and can't be made secure\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n","text":"The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. 
If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0"},"help":{"markdown":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n","text":"Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. 
If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. 
This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. 
You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli","id":"csharp.lang.security.sqli.csharp-sqli.csharp-sqli","name":"csharp.lang.security.sqli.csharp-sqli.csharp-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. 
Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. 
Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","id":"csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","name":"csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. 
Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. 
Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","id":"csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","name":"csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data."},"help":{"markdown":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. 
Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n","text":"XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","id":"csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","name":"csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. 
Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. 
Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","id":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","name":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. 
Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"dockerfile.security.missing-user.missing-user","name":"dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities."},"help":{"markdown":"Avoid using sudo in Dockerfiles. 
Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n","text":"Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","id":"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","name":"dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Semgrep found a bash reverse shell"},"help":{"markdown":"Semgrep found a bash reverse shell\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Semgrep found a bash reverse shell\n💎 Enable cross-file analysis and Pro rules for free at 
sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell","id":"generic.ci.security.bash-reverse-shell.bash_reverse_shell","name":"generic.ci.security.bash-reverse-shell.bash_reverse_shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. 
Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. 
Consider hardcoding a scheme for this proxy.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. 
This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. 
Prefer use of TLSv1.2 or later.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions."},"help":{"markdown":"This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n","text":"This server configuration is missing the 'ssl_protocols' directive. 
By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version","id":"generic.nginx.security.missing-ssl-version.missing-ssl-version","name":"generic.nginx.security.missing-ssl-version.missing-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). 
WebSocket support not required: Do not forward Upgrade headers.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. 
Use an explicitly configured host value or a allow list for validation."},"help":{"markdown":"'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)\n - [https://portswigger.net/web-security/host-header](https://portswigger.net/web-security/host-header)\n","text":"'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used","id":"generic.nginx.security.request-host-used.request-host-used","name":"generic.nginx.security.request-host-used.request-host-used","properties":{"precision":"very-high","tags":["CWE-290: Authentication Bypass by Spoofing","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.request-host-used.request-host-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe Restricted API Key detected"},"help":{"markdown":"Stripe Restricted API Key detected\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - 
[https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe Restricted API Key detected\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","id":"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","name":"generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Username and password in URI detected"},"help":{"markdown":"Username and password in URI detected\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)\n - [https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go](https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go)\n","text":"Username and password in URI detected\n💎 Enable cross-file analysis and Pro rules for free at 
sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri","id":"generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri","name":"generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detects potential Google Maps API keys in code"},"help":{"markdown":"Detects potential Google Maps API keys in code\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n","text":"Detects potential Google Maps API keys in code\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","id":"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","name":"generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak","properties":{"precision":"very-high","tags":["CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory","MEDIUM CONFIDENCE","OWASP-A3:2017 Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep 
Finding: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your