Semgrep
💎Vulnerabiltiies to be discovered
The next vulnerabilities should be discovered in this sections:
UBUSEC-FLASK-DEBUGUBUSEC-TAR-SLIPUBUSEC-LOGGING-PERMSUBUSEC-SECRET-LOGUBUSEC-UID-IDORUBUSEC-ARCHIVE-WRITEUBUSEC-HASH-LEN
⚙️Semgrep setup
If you didn't set up the
Use
static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.Use
docker exec --interactive --tty static-analysers bash to enter the container where the CLI application is contained.⚙️Coder setup
If you didn't set up the
Access this link to interact with the application's web user interface. Use the
static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.Access this link to interact with the application's web user interface. Use the
oss-fortress password for login.📚Semgrep documentation
The Semgrep documentation is available here.
Steps
Scanning
- Create a Semgrep command that scans the entire codebase with the default configuration (
auto) and creates a SARIF output file,/root/analysis/semgrep.sarif. - Validate each warning produced by Semgrep by manually inspecting the code. Use the Coder instance in the Docker infrastructure to review the results.
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.
Writing rules
info
For live testing of your rules, you can also use the Playground.
- The vulnerabilities listed below were not detected by any technique that we've seen so far. Inspect the Semgrep documentation and write rules to catch them in the
/root/analysis/semgrep-rulesfolder. The rules should have as many metadata fields filled as possible.
| Vulnerability ID | Hints on how to catch it with Semgrep |
|---|---|
UBUSEC-SECRET-LOG | Calls to functions from logging where the parameters have sensitive names |
UBUSEC-UID-IDOR | execute_string_command calls with dynamic arguments |
UBUSEC-ARCHIVE-WRITE | os.path.join calls where the arguments came from the parameters of the function |
UBUSEC-HASH-LEN | sha256_update calls where the parameter is created by concatenation |
- Modify the command from the first section to use them and to save the resulting SARIF file in
/root/analysis/semgrep.custom.sarif.
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.