spring-cve-2024-22243_loose.yaml
# Author: Sean Pesce
rules:
  # Basic search for direct calls to UriComponentsBuilder.fromUriString, etc.
  #rules:
  - id: cve-2024-22243-uricomponentsbuilder_loose
    languages:
      - java
    options:
      interfile: true
    patterns:
      - pattern: $CLAZZ. ... .$FUNC(...)
      - pattern-not: $CLAZZ. ... .$FUNC("...")
      - metavariable-regex:
          metavariable: $CLAZZ
          regex: ^(UriComponentsBuilder|ServletUriComponentsBuilder)$
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(fromUriString|fromHttpUrl)$
    message: >-
      Potential unsafe use of Spring UriComponentsBuilder (fromUriString/fromHttpUrl), which can cause a host name mismatch (potentially resulting in open redirect or SSRF) for specially-crafted inputs.
    severity: WARNING
    metadata:
      cwe:
        - 'CWE-601: URL Redirection to Untrusted Site (Open Redirect)'
        - 'CWE-918: Server-Side Request Forgery (SSRF)'
      source-rule-url: 'https://spring.io/security/'
      references:
        - https://spring.io/security/
      category: security
      technology:
        - java
        - spring
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      interfile: true

  # Basic search for direct calls to RestTemplate.exchange, etc.
  #rules:
  - id: cve-2024-22243-resttemplate_loose
    languages:
      - java
    options:
      interfile: true
    patterns:
      - pattern-either:
          # - pattern: ($CLAZZ $INST). ... .$FUNC($URISTR, ...)
          - pattern: (RestOperations $INST). ... .$FUNC($URISTR, ...)
          - pattern: (RestTemplate $INST). ... .$FUNC($URISTR, ...)
          - pattern: (InterceptingHttpAccessor $INST). ... .$FUNC($URISTR, ...)
          - pattern: (HttpAccessor $INST). ... .$FUNC($URISTR, ...)
      - pattern-not: ($CLAZZ $INST). ... .$FUNC("...", ...)
      # Having problems getting metavariables working for types of typed variables
      # - metavariable-regex:
      #     metavariable: $CLAZZ
      #     regex: ^(RestTemplate|RestOperations|InterceptingHttpAccessor|HttpAccessor)$
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(delete|doExecute|exchange|execute|getForEntity|getForObject|headForHeaders|optionsForAllow|patchForObject|postForEntity|postForLocation|postForObject|put)$
    message: >-
      Potential unsafe use of Spring RestTemplate HTTP client, which can cause a host name mismatch (potentially resulting in SSRF) for specially-crafted inputs.
    severity: WARNING
    metadata:
      cwe:
        - 'CWE-918: Server-Side Request Forgery (SSRF)'
      source-rule-url: 'https://spring.io/security/'
      references:
        - https://spring.io/security/
      category: security
      technology:
        - java
        - spring
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      interfile: true

  # Basic search for direct calls to WebClient and related classes/methods using untrusted Strings
  #rules:
  - id: cve-2024-22243-webclient_loose
    languages:
      - java
    options:
      interfile: true
    patterns:
      - pattern-either:
          - pattern: (WebClient $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (WebClient.Builder $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (WebClient.RequestHeadersUriSpec $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (WebClient.RequestHeadersUriSpec<?> $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (RestClient $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (RestClient.Builder $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (RestClient.RequestHeadersUriSpec $INST). ... .$FUNC((String $URISTR), ...)
          - pattern: (RestClient.RequestHeadersUriSpec<?> $INST). ... .$FUNC((String $URISTR), ...)
      - pattern-not: (WebClient $INST). ... .$FUNC("...", ...)
      - pattern-not: (WebClient.Builder $INST). ... .$FUNC("...", ...)
      - pattern-not: (WebClient.RequestHeadersUriSpec $INST). ... .$FUNC("...", ...)
      - pattern-not: (WebClient.RequestHeadersUriSpec<?> $INST). ... .$FUNC("...", ...)
      - pattern-not: (RestClient $INST). ... .$FUNC("...", ...)
      - pattern-not: (RestClient.Builder $INST). ... .$FUNC("...", ...)
      - pattern-not: (RestClient.RequestHeadersUriSpec $INST). ... .$FUNC("...", ...)
      - pattern-not: (RestClient.RequestHeadersUriSpec<?> $INST). ... .$FUNC("...", ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(uri|create|baseUrl)$
      # - metavariable-pattern:
      #     metavariable: $URITYPE
      #     pattern-not-regex: ^URI$
    message: >-
      Potential unsafe use of org.springframework.web.reactive.function.client.WebClient (or RestClient), which can cause a host name mismatch (potentially resulting in SSRF) for specially-crafted inputs.
    severity: WARNING
    metadata:
      cwe:
        - 'CWE-918: Server-Side Request Forgery (SSRF)'
      source-rule-url: 'https://spring.io/security/'
      references:
        - https://spring.io/security/
      category: security
      technology:
        - java
        - spring
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      interfile: true
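The following Java file is an added test fixture for the three rules above; it is not part of the original rule file or its author's repository. It follows Semgrep's test convention (a `// ruleid:` or `// ok:` comment on the line before the call, in a file sharing the rule file's base name, here `spring-cve-2024-22243_loose.java`), so `semgrep --test` run in the directory holding both files checks that each rule flags only the non-literal call sites. The class and method names are constructed for illustration; which lines match is the expected behaviour of the patterns as written and is what the test run confirms.

```java
// Added test fixture (not part of the original rule repository). Each "ruleid:"
// line must be reported by the named rule and each "ok:" line must not; run
// `semgrep --test` next to spring-cve-2024-22243_loose.yaml to verify.
// The rules only locate call sites to review: the CVE itself is addressed by
// updating Spring Framework, and a literal URL argument carries no untrusted input.
import java.net.URI;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.util.UriComponentsBuilder;

public class Cve202422243LooseFixture {

    // Rule 1: the host is taken from a URL string the caller does not control.
    // The pattern-not clause excludes only string literals, so any variable,
    // parameter or expression as the argument is reported for review.
    public static String hostOf(String untrustedUrl) {
        // ruleid: cve-2024-22243-uricomponentsbuilder_loose
        return UriComponentsBuilder.fromUriString(untrustedUrl).build().getHost();
    }

    public static String fixedHost() {
        // ok: cve-2024-22243-uricomponentsbuilder_loose
        return UriComponentsBuilder.fromUriString("https://example.com/api").build().getHost();
    }

    // Rule 2: a RestTemplate request whose URL comes from a variable. The
    // receiver must be declared with one of the listed types for the typed
    // metavariable (RestTemplate $INST) to bind.
    public static String fetch(RestTemplate rest, String untrustedUrl) {
        // ruleid: cve-2024-22243-resttemplate_loose
        return rest.getForObject(untrustedUrl, String.class);
    }

    public static String fetchFixed(RestTemplate rest) {
        // ok: cve-2024-22243-resttemplate_loose
        return rest.getForObject("https://example.com/api", String.class);
    }

    // Rule 3: WebClient URI built from a String variable; the `. ... .` in the
    // pattern lets the intermediate .get() call sit between the receiver and uri().
    public static WebClient.RequestHeadersSpec<?> get(WebClient client, String untrustedUrl) {
        // ruleid: cve-2024-22243-webclient_loose
        return client.get().uri(untrustedUrl);
    }

    // The pattern requires a (String $URISTR) argument, so an already-parsed
    // java.net.URI is outside the rule's scope and is not reported.
    public static WebClient.RequestHeadersSpec<?> getFixed(WebClient client, URI uri) {
        // ok: cve-2024-22243-webclient_loose
        return client.get().uri(uri);
    }
}
```

Because the rule file sets `interfile: true`, run the test with the same Semgrep engine configuration the rules are deployed with; on the single-file engine, receivers whose type is only known from another compilation unit may not bind to the typed metavariables, which is why every receiver in this fixture is a typed parameter.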