diff --git a/Changelog.md b/Changelog.md index 24111a3f..2f26ba6f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.0.38] - 2024-6-05 +### Incomplete Guidance +Expanded content for rule guidance containing "TO DO"s. + ## [1.0.37] - 2024-5-23 ### Missing Guidance Added guidance for several rules such as weak hash algorithm, disabling certificate validation, and TLS client configuration. diff --git a/DevSkim-DotNet/Microsoft.DevSkim.Tests/DefaultRulesTests.cs b/DevSkim-DotNet/Microsoft.DevSkim.Tests/DefaultRulesTests.cs index 057d431e..58d29280 100644 --- a/DevSkim-DotNet/Microsoft.DevSkim.Tests/DefaultRulesTests.cs +++ b/DevSkim-DotNet/Microsoft.DevSkim.Tests/DefaultRulesTests.cs @@ -148,7 +148,6 @@ public void Rule_guidance_file_should_be_specified_and_exist(DevSkimRule rule) Assert.IsTrue(File.Exists(guidanceFile), $"Guidance file {guidanceFile} does not exist."); } - [Ignore] // TODO: temporary to get missing guidance in. [TestMethod] [DynamicData(nameof(DefaultRules))] public void Rule_guidance_should_be_complete(DevSkimRule rule) @@ -170,8 +169,12 @@ public void Rule_guidance_should_be_complete(DevSkimRule rule) } string guidance = File.ReadAllText(guidanceFile); - if(guidance.Contains("TODO", StringComparison.OrdinalIgnoreCase) - || guidance.Contains("TO DO", StringComparison.OrdinalIgnoreCase)) + bool hasContent = !string.IsNullOrEmpty(guidance); + Assert.IsTrue(hasContent, $"Guidance file {guidanceFile} is empty."); + + if (rule.Id != "DS176209" && // "Suspicious comment" - a TODO comment + (guidance.Contains("TODO", StringComparison.OrdinalIgnoreCase) + || guidance.Contains("TO DO", StringComparison.OrdinalIgnoreCase))) { Assert.Fail($"Guidance file {guidanceFile} contains TODO."); } diff --git a/guidance/DS101155.md b/guidance/DS101155.md deleted file mode 100644 index bb922aeb..00000000 --- a/guidance/DS101155.md +++ /dev/null @@ -1,11 +0,0 @@ -## Disabled certificate validation - -### Summary -Extend default certificate validation, but do not disable or override default rules. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS101159.md b/guidance/DS101159.md index 1fe6085b..c7580afd 100644 --- a/guidance/DS101159.md +++ b/guidance/DS101159.md @@ -1,11 +1,23 @@ -## Initializing Security Context +# Initializing Security Context -### Summary -SecurityContext initialization, look here for cryptography functions. +## Summary -### Details -TO DO - put more details of problem and solution here +The `InitializeSecurityContext` function was detected; its usage and surrounding code should be reviewed for security issues. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `InitializeSecurityContext` function is used to build a security context between the client application and a remote peer. +A security context contains security data relevant to the connection (such as user identifiers or session key.) + +Proper initialization, usage, and cleanup of security contexts can be a complex process and mistakes can lead to security issues. +See the [InitializeSecurityContext documentation](https://learn.microsoft.com/en-us/windows/win32/secauthn/initializesecuritycontext--general#remarks) +for more guidance. In particular, use of cryptography in this area should be carefully reviewed for potential problems. + +## Severity Considerations + +Code including usage of the `InitializeSecurityContext` function should be very carefully reviewed +by a security expert or cryptographer to identify security issues and understand the risks involved. + +## References + +* [Microsoft Learn: InitializeSecurityContext function](https://learn.microsoft.com/en-us/windows/win32/secauthn/initializesecuritycontext--general) diff --git a/guidance/DS104456.md b/guidance/DS104456.md index 60c1624b..1c7bb9aa 100644 --- a/guidance/DS104456.md +++ b/guidance/DS104456.md @@ -1,11 +1,35 @@ -## Use of restricted functions. +# Use of Restricted Functions -### Summary -Use of restricted functions. +## Summary -### Details -TO DO - put more details of problem and solution here +* A restricted PowerShell function was detected. +* Remove or replace usage of the restricted function if possible. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Use of several different PowerShell functions open up applications to classes of vulnerabilities that would otherwise not normally occur. +We refer to these functions as restricted functions. +For example, `System.Runtime.InteropServices.Marshal` functions could be used to allocate memory in a way that an attacker could use to corrupt memory and potentially execute code. + +## Solution + +Replace usage of the restricted function with a conventional function if possible (for example, replace `Invoke-Command` or `Invoke-Expression` with `Start-Process`). + +## Severity Considerations + +Usage of restricted PowerShell functions should be very carefully reviewed +by a security expert to identify security issues and understand the risks involved. + +## Restricted Function List + +* `GetDelegateForFunctionPointer` +* `System.Runtime.InteropServices.Marshal` +* `WriteByte` +* `Microsoft.Win32.UnsafeNativeMethods` +* `PtrToStructure` +* `StructureToPtr` +* `NtCreateThreadEx` +* `CreateRemoteThread` +* `Invoke-Command` +* `Invoke-Expression` +* `VirtualProtect` diff --git a/guidance/DS106864.md b/guidance/DS106864.md index a173b8b9..31fa7983 100644 --- a/guidance/DS106864.md +++ b/guidance/DS106864.md @@ -6,11 +6,11 @@ The DES cipher was found, which is widely considered to be broken. ## Details -The [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard), or DES, +The [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard), or DES, is a symmetric block cipher created in the 1970s. It has since been broken and should not be used anywhere. -In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), +In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), or AES, algorithm, is preferred for all cases where symmetric encryption is needed. ### Solution diff --git a/guidance/DS108330.md b/guidance/DS108330.md index 16d522a7..563bded1 100644 --- a/guidance/DS108330.md +++ b/guidance/DS108330.md @@ -1,11 +1,27 @@ -## Banned C function detected (strncat) +# Banned C function detected (strncat) -### Summary -strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `strncat` function to concatenate strings can lead to a buffer overrun vulnerability. +* Resolve this issue by using secure versions such as `strncat_s` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `strncat` function does not check for sufficient space in the destination string which is a potential cause of buffer overruns. +The `strncat` function appends characters to a string followed by the null terminator at character 'n + 1', rather than at the nth character. +This behavior frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer. + +## Solution + +Use secure versions such as `strncat_s` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [CodeQL: Potentially unsafe call to strncat](https://codeql.github.com/codeql-query-help/cpp/cpp-unsafe-strncat/) +* [Microsoft Learn: strncat_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncat-s-strncat-s-l-wcsncat-s-wcsncat-s-l-mbsncat-s-mbsncat-s-l?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS109501.md b/guidance/DS109501.md index 433154f8..529ced8e 100644 --- a/guidance/DS109501.md +++ b/guidance/DS109501.md @@ -1,11 +1,25 @@ -## Do not use the 3DES symmetric block cipher. +# Do not use the 3DES symmetric block cipher -### Summary -The 3DES cipher was found, which is only secure if three independent keys are used. +## Summary -### Details -TO DO - put more details of problem and solution here +* The 3DES cipher was found which does not provide sufficient security. +* Replace usage of 3DES with AES if possible. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The [Data Encryption Standard](https://en.wikipedia.org/wiki/Triple_DES), or 3DES, is a symmetric block cipher created in the 1970s. +TripleDES is broken due to its inadequate key size and [CVE-2016-2183](https://nvd.nist.gov/vuln/detail/CVE-2016-2183) and should not be used anywhere. + +## Severity Considerations + +Any use of the 3DES algorithm should be very carefully reviewed by a security expert or cryptographer to understand the risks involved. + +## Solution + +### .NET + +Use the following method: `System.Security.Cryptography.Aes.Create()` + +## References + +* [CodeQL: Use of a broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/cpp/cpp-weak-cryptographic-algorithm/) diff --git a/guidance/DS109733.md b/guidance/DS109733.md index 11577e85..58826348 100644 --- a/guidance/DS109733.md +++ b/guidance/DS109733.md @@ -1,11 +1,30 @@ -## Source implementation of a weak/broken cryptography hash function +# Source Implementation of a Weak/Broken Cryptographic Hash Function -### Summary -An implementation of a weak/broken hash function was found in source code. +## Summary -### Details -TO DO - put more details of problem and solution here +* An implementation of a weak/broken hash function such as MD-5 or SHA-1 was found in source code. +* Remove the implementation of the weak/broken hash function. +* Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512). -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +### Custom Cryptographic Implementation + +Correct and secure implementation of cryptographic algorithms is very complex and difficult. +Developers should always use well-vetted libraries for cryptographic operations rather than producing their own implementations of those functions. + +### Weak Hash Algorithms + +Hash collisions are computationally feasible for older, weak hash algorithms such as MD2, MD4, MD5, and SHA-1. +A hash collision allows an attacker to substitute an alternative input that results in the same hash value. +Collision attacks allow attackers to undermine the security of systems using an insecure hash algorithm (e.g., by forging digital signatures, concealing data tampering, or cracking passwords). + +## Severity Considerations + +Developers should almost never implement their own versions of cryptographic operations. Furthermore, weak hash algorithms should not be used, especially for security purposes. + +## Solution + +### .NET + +Replace usages of insecure hash algorithms with `System.Security.Cryptography.SHA512Cng`, `System.Security.Cryptography.SHA384Cng`, or `System.Security.Cryptography.SHA256Cng`. diff --git a/guidance/DS111237.md b/guidance/DS111237.md index cefd29bf..3f1fe040 100644 --- a/guidance/DS111237.md +++ b/guidance/DS111237.md @@ -1,11 +1,26 @@ -## Banned C function detected (strncpy) +# Banned C function detected (strncpy) -### Summary -strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `strncpy` function to copy strings can lead to a buffer overrun vulnerability. +* Resolve this issue by using secure versions such as `strncpy_s` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `strncpy` function does NOT check for sufficient space in the destination buffer which may lead to a buffer overrun vulnerability. +The `strncpy` function is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination. + +## Solution + +Use secure versions such as `strncpy_s` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [CodeQL: Potentially unsafe call to strncpy](https://codeql.github.com/codeql-query-help/cpp/cpp-bad-strncpy-size/) +* [Microsoft Learn: strncpy_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS112266.md b/guidance/DS112266.md index ca7605a1..8fb18497 100644 --- a/guidance/DS112266.md +++ b/guidance/DS112266.md @@ -1,11 +1,24 @@ -## ProtectedData used without additional entropy +# ProtectedData used without additional entropy -### Summary -The ProtectedData class should be used with additional entropy to reduce the risk of other application calling DPAPI to access the data. +## Summary -### Details -TO DO - put more details of problem and solution here +The DPAPI `ProtectedData.Protect` method should be used with additional entropy to reduce the risk of other applications accessing the data. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `ProtectedData.Protect` method's `optionalEntropy` parameter is an "optional additional byte array used to increase the complexity of the encryption." +Depending on the value of the `scope` parameter, user data encrypted without entropy can be accessed: + +* **DataProtectionScope.CurrentUser**: by other threads or applications running under the current user. +* **DataProtectionScope.LocalMachine**: by any process running on the computer. + +The `optionalEntropy` parameter should be set to a non-null value unique to your application. + +## Severity Considerations + +The severity of this finding should be increased if the underlying security +context is highly sensitive or if the environment hosting the application has low trust. + +## References + +* [Microsoft Learn: How to: Use Data Protection](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) diff --git a/guidance/DS112835.md b/guidance/DS112835.md index cf39f98f..da59eee0 100644 --- a/guidance/DS112835.md +++ b/guidance/DS112835.md @@ -22,6 +22,10 @@ Software with hardcoded cryptographic algorithms may require code changes in the * When `Switch.System.Net.DontEnableSchUseStrongCrypto` is `false`, the application will use more secure network protocols. Do not set `DontEnableSchUseStrongCrypto` to `true`. * When application code sets a value for `System.Net.ServicePointManager.SecurityProtocol`, the application will override the TLS protocol chosen by the operating system. This makes the application less crypto-agile and may make the application less secure. Do not set a value for `System.Net.ServicePointManager.SecurityProtocol` in application code. +#### C++ (Schannel) + +* Ensure that you do not set `grbitEnabledProtocols` to anything but `0`. Setting this field to zero instructs the operating system to use its configured TLS version. + ## References * [TLS Best Practices with .NET Framework](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls) @@ -29,3 +33,4 @@ Software with hardcoded cryptographic algorithms may require code changes in the * [Microsoft SDL Cryptographic Recommendations](http://download.microsoft.com/download/6/3/A/63AFA3DF-BB84-4B38-8704-B27605B99DA7/Microsoft%20SDL%20Cryptographic%20Recommendations.pdf) * [SSL Labs: SSL and TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) * [OWASP: Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html) +* [Microsoft Learn: SCHANNEL_CRED structure](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred) diff --git a/guidance/DS113286.md b/guidance/DS113286.md index 6c500e8e..96bd07df 100644 --- a/guidance/DS113286.md +++ b/guidance/DS113286.md @@ -1,11 +1,26 @@ -## Do not include user-input directly in format strings +# Do Not Include User Input Directly in Format Strings -### Summary -Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings +## Summary -### Details -TO DO - put more details of problem and solution here +* Do not create NSString objects using a user-provided format string, as this could lead to a vulnerability. +* Either remove creation of the NSString object entirely or remove the user-provided format string from the NSString object. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +If an attacker is able to control a format string then the attacker may be able to execute arbitrary code, +read data in memory, or crash the application. This is known as an uncontrolled format string vulnerability. +Format string vulnerabilities commonly occur when a developer intends to output user-controlled data (to a screen, buffer, or file) +but mistakenly outputs a buffer directly or treats user data as a format string. + +## Solution + +Either remove creation of the NSString object entirely or remove the user-provided format string from the NSString object. + +## Severity Considerations + +In the worst case, a format string vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [SEI CERT C Coding Standard: FIO30-C. Exclude user input from format strings](https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings) +* [CWE-134: Use of Externally-Controlled Format String](https://cwe.mitre.org/data/definitions/134.html) diff --git a/guidance/DS121708.md b/guidance/DS121708.md index a51408a0..a9fb48e6 100644 --- a/guidance/DS121708.md +++ b/guidance/DS121708.md @@ -1,11 +1,24 @@ -## Problematic C function detected (memcpy) +# Problematic C Function Detected (memcpy) -### Summary -There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternatives perform additional validation of the source and destination buffer. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `memcpy` function can lead to a buffer overrun vulnerability. +* Resolve this issue by using secure versions such as `memcpy_s` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +There are a number of conditions in which `memcpy` can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternatives perform additional validation of the source and destination buffer. + +## Solution + +Usages of `memcpy` should be replaced with more secure versions such as `memcpy_s` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [Microsoft Learn: memcpy_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/memcpy-s-wmemcpy-s?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS126858.md b/guidance/DS126858.md index b5ddcce8..5d75a587 100644 --- a/guidance/DS126858.md +++ b/guidance/DS126858.md @@ -2,9 +2,8 @@ ## Summary -A weak or broken hash algorithm was detected. -Any usage of MD2, MD4, MD5 or SHA-1 is considered insecure. -Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512). +* A weak or broken hash algorithm was detected. Any usage of MD2, MD4, MD5 or SHA-1 is considered insecure. +* Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512). ## Details diff --git a/guidance/DS127101.md b/guidance/DS127101.md deleted file mode 100644 index e3d47de0..00000000 --- a/guidance/DS127101.md +++ /dev/null @@ -1,11 +0,0 @@ -## Hardcoding TLS protocol version - -### Summary -It's usually better to rely on the operating system configuration, rather than hardcoding a specific list of protocols. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS128921.md b/guidance/DS128921.md index e377d808..a64c7ad5 100644 --- a/guidance/DS128921.md +++ b/guidance/DS128921.md @@ -1,11 +1,12 @@ -## Hardcoded initialization vector size +# Hardcoded initialization vector size -### Summary -An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used. +## Summary -### Details -TO DO - put more details of problem and solution here +* An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used. +* Use `mcrypt_get_iv_size` to get the correct IV size based on the cipher and mode. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Severity Considerations +Using an initialization vector that is shorter than the expected size may or re-use of initialization vectors +may reveal information about the data being encrypted, particularly when using streaming cipher modes like +Output Feedback (OFB) or Counter (CTR). diff --git a/guidance/DS132779.md b/guidance/DS132779.md index ffef8900..eba732fd 100644 --- a/guidance/DS132779.md +++ b/guidance/DS132779.md @@ -1,11 +1,29 @@ -## Do not enable external entity resolution. +# Do Not Enable XML External Entity Resolution -### Summary -Do not enable external entity resolution. +## Summary -### Details -TO DO - put more details of problem and solution here +* Code that enabled external entity resolution was found. +* Do not enable external entity resolution. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The XML 1.0 standard defines a number of different entity types, including the **external entity** type. +An XML external entity (XXE) specifies a URI that can be accessed by the XML processor by replacing the entity with specified remote content. +An attacker that is able to control the content of an XML document could use XXE to execute specific attacks. +XXE attacks may result in disclosure of local file contents, attacks against internal services (SSRF), denial-of-service, +or in the case of vulnerable XML parsers, execute arbitrary code. + +Modern XML parsers disable the resolution of external entities by default but allow the developer to opt-in, or enable, external entity resolution. +XML parsers should not be configured to resolve external entities. + +## Severity Considerations + +XML XXE vulnerabilities require the application to (1) parse XML documents, (2) use an XML parser configured to resolve external entities, and +(3) for the XML document to contain untrusted data. +The risk of XXE is lower when only parsing trusted XML documents. +However, not opting-in to external entity resolution (or disabling external entity resolution in older XML parsers) should be fairly straightforward and is the safest choice. + +## References + +* [OWASP XML External Entity (XXE) Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing) +* [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) diff --git a/guidance/DS132780.md b/guidance/DS132780.md deleted file mode 100644 index ffef8900..00000000 --- a/guidance/DS132780.md +++ /dev/null @@ -1,11 +0,0 @@ -## Do not enable external entity resolution. - -### Summary -Do not enable external entity resolution. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS132781.md b/guidance/DS132781.md deleted file mode 100644 index f5c1aaa5..00000000 --- a/guidance/DS132781.md +++ /dev/null @@ -1,12 +0,0 @@ -## XSLT scripting should be disabled if possible - -### Summary -XSLT scripting contains significant security risks if used on untrustworthy data. - -### Details -TO DO - put more details of problem and solution here - -### References - -*[https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms763800(v=vs.85)](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms763800(v=vs.85)) -* [https://learn.microsoft.com/en-us/dotnet/api/system.xml.xsl.xsltsettings.enablescript?view=net-8.0](https://learn.microsoft.com/en-us/dotnet/api/system.xml.xsl.xsltsettings.enablescript?view=net-8.0) diff --git a/guidance/DS132790.md b/guidance/DS132790.md deleted file mode 100644 index ffef8900..00000000 --- a/guidance/DS132790.md +++ /dev/null @@ -1,11 +0,0 @@ -## Do not enable external entity resolution. - -### Summary -Do not enable external entity resolution. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS134411.md b/guidance/DS134411.md deleted file mode 100644 index bb922aeb..00000000 --- a/guidance/DS134411.md +++ /dev/null @@ -1,11 +0,0 @@ -## Disabled certificate validation - -### Summary -Extend default certificate validation, but do not disable or override default rules. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS137038.md b/guidance/DS137038.md deleted file mode 100644 index a535256c..00000000 --- a/guidance/DS137038.md +++ /dev/null @@ -1,11 +0,0 @@ -## Notice: Outbound HTTP Connection - -### Summary -Inbound HTTP - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS137138.md b/guidance/DS137138.md index a5e32b5c..644f5643 100644 --- a/guidance/DS137138.md +++ b/guidance/DS137138.md @@ -1,10 +1,11 @@ -## Insecure Transport (HTTP) +# Insecure Transport (HTTP) -### Summary +## Summary -An HTTP-based URL without TLS was detected. If possible, change this to an HTTPS-based URL to enforce transport-layer encryption. +* An HTTP-based URL without TLS was detected, potentially exposing confidential information to man-in-the-middle attacks. +* If possible, change this to an HTTPS-based URL to enforce transport-layer encryption. -### Details +## Details One important aspect of application security involves protecting data as it is transferred between clients and servers. In the case of a web-application, this means between your web-browser and a web-server. One of the most important mechanisms for @@ -13,7 +14,7 @@ that any party with access to network traffic will not be able to view or modify Many web-servers already support TLS, as do many CDNs. -### Severity Considerations +## Severity Considerations If the application is handling sensitive data, this finding should generally be rated as 'critical'. diff --git a/guidance/DS140021.md b/guidance/DS140021.md index 6d064736..8697d16a 100644 --- a/guidance/DS140021.md +++ b/guidance/DS140021.md @@ -11,16 +11,17 @@ The `strlen` function counts characters until the null terminator is encountered When a string is missing the null terminator, the resulting value returned is larger than the string. Code that relies on the result of `strlen` can suffer from a buffer overrun vulnerability. -## Severity Considerations - -In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. - ## Solution Use secure versions such as `strlen_s` or `strnlen` to help prevent buffer overruns. See [Microsoft C Runtime Reference: strnlen](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strnlen-strnlen-s) for more information. +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + ## References -* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) * [Microsoft C Runtime Reference: strlen](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strlen-wcslen-mbslen-mbslen-l-mbstrlen-mbstrlen-l) * [Microsoft C Runtime Reference: strnlen](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strnlen-strnlen-s) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS141863.md b/guidance/DS141863.md index 5293b7a2..c9e8ef1a 100644 --- a/guidance/DS141863.md +++ b/guidance/DS141863.md @@ -1,11 +1,27 @@ -## Banned C function detected (strcat) +# Banned C function detected (strcat) -### Summary -If the combination of strings is larger than the destination buffer, strcat will cbuffer overflow the destination buffer +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `strcat` function to concatenate strings can lead to a buffer overrun vulnerability. +* Use secure versions such as `strcat_s` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `strcat` function does not check for sufficient space in the destination buffer. +If the combination of strings is larger than the destination buffer, the `strcat` will overflow the destination buffer. +This is a potential cause of a buffer overrun vulnerability. + +## Solution + +Use secure versions such as `strcat_s` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [CodeQL: Potentially unsafe call to strcat](https://codeql.github.com/codeql-query-help/cpp/cpp-unsafe-strcat/) +* [Microsoft Learn: strcat_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strcat-s-wcscat-s-mbscat-s?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS144436.md b/guidance/DS144436.md deleted file mode 100644 index 74485e18..00000000 --- a/guidance/DS144436.md +++ /dev/null @@ -1,11 +0,0 @@ -## Do not use outdated SSL/TLS protocols - -### Summary -It's usually better to rely on the operating system configuration, rather than hardcoding a specific SecurityProtocolType. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS148264.md b/guidance/DS148264.md index c2e85c80..42f827ce 100644 --- a/guidance/DS148264.md +++ b/guidance/DS148264.md @@ -1,11 +1,32 @@ -## Do not use weak/non-cryptographic random number generators +# Do not use weak/non-cryptographic random number generators -### Summary -Use cryptographic random numbers generators for anything even close to a security function. +## Summary -### Details -TO DO - put more details of problem and solution here +* Do not use weak random number generators in security-sensitive contexts. +* Security functions should use cryptographically secure random number generators. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Computers are generally unable to produce truly random numbers. +Random number generation (RNG) techniques are divided into two types: statistical and cryptographic. +Statistical RNG produce predictable results that are not suitable when security depends on unpredictable random values. +Cryptographic RNG produces output that is highly improbably for an attacker to predict or guess. +Therefore, cryptographic RNG should be used in security-sensitive contexts. + +## Severity Considerations + +There have been multiple instances where weak RNG wa used in the implementation of SSL and elliptic curve digital signature algorithms, +which lead to attackers being able to recover private keys. +Such attacks may compromise the security of the entire system or communication scheme. + +## Solution + +Replace usages of weak random number generation with a cryptographically secure alternative. + +### .NET + +* Replace usages of the insecure `System.Random` with the cryptographically secure `RandomNumberGenerator.Create` + +## References + +* [OWASP Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness) diff --git a/guidance/DS149435.md b/guidance/DS149435.md index 2f7edabf..b0802689 100644 --- a/guidance/DS149435.md +++ b/guidance/DS149435.md @@ -1,11 +1,27 @@ -## Do not seed randomness based on system time or a static value. +# Do Not Seed Randomness Based on System Time or a Static Value -### Summary -Passing a predicable value to srand() is very insecure and should be avoided. +## Summary -### Details -TO DO - put more details of problem and solution here +* Passing a predictable value to `srand` is very insecure and should be avoided. +* If possible, replace usage of `srand` with `rand_s`. Otherwise, use an unpredictable seed (such as reading from `/dev/random` on Linux.) -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Random number generation is an important part of several security scenarios such as cryptography or generation of unique IDs. +Using a weak random number generator (RNG) or predictable seed for RNG undermines security and may introduce a vulnerability. + +## Solution + +* Use `BCryptGenRandom` or `rand_s` on Windows +* Linux + * C++ 11 or newer, use `std::mt19937 eng` in combination with `std::random_device` to generate a seed. + * Read from `/dev/random` for a seed. + +## Severity Considerations + +The severity of this finding is increased if the random number is used in a security context (e.g., creation of an initialization vector.) + +## References + +* [OWASP: Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness) +* [CWE: Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html) diff --git a/guidance/DS154189.md b/guidance/DS154189.md index 6f612295..03685876 100644 --- a/guidance/DS154189.md +++ b/guidance/DS154189.md @@ -1,11 +1,103 @@ -## Banned C function detected +# Banned C function detected -### Summary -These functions are historically error-prone and have been associated with a significant number of vulnerabilities. Most of these functions have safer alternatives, such as replacing 'strcpy' with 'strlcpy' or 'strcpy_s'. +## Summary -### Details -TO DO - put more details of problem and solution here +* An error-prone and potentially dangerous C function was detected. +* Replace the potentially dangerous function with a more secure version. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +These functions are historically error-prone and have been associated with a significant number of vulnerabilities, especially buffer overflow vulnerabilities. Most of these functions have safer alternatives, such as replacing `strcpy` with `strlcpy` or `strcpy_s`. See [Microsoft Learn: Security-enhanced versions of CRT functions](https://learn.microsoft.com/en-us/cpp/c-runtime-library/security-enhanced-versions-of-crt-functions?view=msvc-170) for a list of alternative secure functions. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## Dangerous Function List + +* `sprintf` +* `_getts` +* `_getws` +* `_snprintf` +* `_sntprintf` +* `_snwprintf` +* `_stprintf` +* `_tcsat` +* `_tcscpy` +* `_tcslen` +* `_tcsncpy` +* `_vsnprintf` +* `_vsntprintf` +* `_vsnwprintf` +* `_vstprintf` +* `alloca` +* `asctime` +* `atof` +* `atoi` +* `atoll` +* `bsearch` +* `ctime` +* `fopen` +* `fprintf` +* `freopen` +* `fscanf` +* `fwprintf` +* `fwscanf` +* `getenv` +* `getwd` +* `gmtime` +* `localtime` +* `lstrcat` +* `lstrcpy` +* `mbsrtowcs` +* `mbstowcs` +* `memmove` +* `mktemp` +* `printf` +* `qsort` +* `rewind` +* `scanf` +* `setbuf` +* `sscanf` +* `strcatbuff` +* `strerror` +* `strtok` +* `swprintf` +* `swscanf` +* `tmpnam` +* `vfprintf` +* `vfscanf` +* `vfwscanf` +* `vprintf` +* `vscanf` +* `vsnprintf` +* `vsprintf` +* `vsscanf` +* `vswprintf` +* `vswscanf` +* `vwprintf` +* `vwscanf` +* `wcrtomb` +* `wcrtombs` +* `wcscat` +* `wcscpy` +* `wcslen` +* `wcsncat` +* `wcsncpy` +* `wcsrtombs` +* `wcstok` +* `wctomb` +* `wmemcpy` +* `wmemmove` +* `wnsprintf` +* `wprintf` +* `wscanf` +* `wsprintf` +* `wvnsprintf` +* `wvsprintf` + +## References + +* [Microsoft Learn: Security-enhanced versions of CRT functions](https://learn.microsoft.com/en-us/cpp/c-runtime-library/security-enhanced-versions-of-crt-functions?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS161085.md b/guidance/DS161085.md index 63f219bd..841aa2b2 100644 --- a/guidance/DS161085.md +++ b/guidance/DS161085.md @@ -1,11 +1,33 @@ -## Problematic C function detected (malloc) +# Problematic C function detected (malloc) -### Summary -If the value provided to malloc is the result of unsafe integer math, it can result in an exploitable condition. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `malloc` function is error-prone and can lead to exploitable conditions. +* If possible, replace usages of `malloc` with the `new` operator. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Secure usage of `malloc` is difficult and error-prone. +Unsafe usage of `malloc` can lead to heap corruption, heap overflow, and buffer overflow conditions. +If the value provided to `malloc` is the result of unsafe integer math, it can also result in an exploitable condition. + +The `malloc` function allocates memory space. +Each successful `malloc` call requires a corresponding `free` call to free the allocated memory. +Using memory after it has been can lead to a use-after-free vulnerability. + +## Solution + +Developers should use the `new` operator when possible rather than the problematic `malloc` function. +The `new` operator is type safe and automatically calls the type's constructor and destructor, which +should handle any necessary memory allocation and deletion. + +## Severity Considerations + +In the worst case, unsafe `malloc` usage can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [Microsoft Learn: malloc](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/malloc?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) +* [OWASP: Using Freed Memory](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) diff --git a/guidance/DS162092.md b/guidance/DS162092.md index a34135a6..cfed4aee 100644 --- a/guidance/DS162092.md +++ b/guidance/DS162092.md @@ -1,11 +1,19 @@ -## Do not leave debug code in production +# Do not leave debug code in production + +## Summary + +* Code referencing "localhost" or "127.0.0.1" was found which may indicate debug code. + +## Details -### Summary Accessing localhost could indicate debug code, or could hinder scaling. +Debug code is a common source of vulnerabilities or security risks as debug code +often lacks security controls enforced elsewhere in the application. + +## Severity Considerations -### Details -TO DO - put more details of problem and solution here +The severity of this issue depends on the functionality exposed by debugging capabilities. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Resources +* [CWE-489: Active Debug Code](https://cwe.mitre.org/data/definitions/489.html) diff --git a/guidance/DS163877.md b/guidance/DS163877.md index 73a2b359..966c3507 100644 --- a/guidance/DS163877.md +++ b/guidance/DS163877.md @@ -8,6 +8,13 @@ When using $_GET/POST/COOKIE values via echo, failure to encode the values will HTML Entity Encode (for content going into HTML) or URL Encode (for content going into JavaScript variables) the data. +## Severity Considerations + +An XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the victim's browser. +The attacker's code may be able to access sensitive information retained by the victim's browser. +XSS attacks can also rewrite page contents, redirect the victim's browser, and/or deliver malware to the victim's machine. + ## References -- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) +* [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) +* [OWASP XSS Attacks](https://owasp.org/www-community/attacks/xss/) diff --git a/guidance/DS165348.md b/guidance/DS165348.md index 2134da11..60b0baf9 100644 --- a/guidance/DS165348.md +++ b/guidance/DS165348.md @@ -1,11 +1,26 @@ -## Do not attempt to access device UDID +# Do not attempt to access device UDID -### Summary -Access to the device UDID (via [[UIDevice currentDevice] uniqueIdentifier]) is deprecated as of iOS 5 and should not be used or relied upon. +## Summary -### Details -TO DO - put more details of problem and solution here +* Code that references `uniqueIdentifier` was found. +* Replace usage of `uniqueIdentifier` with `identifierForVendor` or if your application has a service component, +use the `DeviceCheck` API. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Access to the device `UDID` (via [[UIDevice currentDevice] uniqueIdentifier]) is deprecated as of iOS 5 and removed as of iOS7. + +## Solution + +Replace usage of `uniqueIdentifier` with `identifierForVendor`. +Note that `identifierForVendor` may change if the user uninstalls all applications from a vendor and then re-installs an application from that vendor. +If your application has a service component, consider using the `DeviceCheck` API. + +## Severity Considerations + +Applications relying on `uniqueIdentifier` can no longer target current, supported iOS versions and must be updated. + +## Resources + +* [Apple API Documentation: identifierForVendor](https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor) +* [Apple API Documentation: DeviceCheck](https://developer.apple.com/documentation/devicecheck) diff --git a/guidance/DS165746.md b/guidance/DS165746.md index 30cba3ab..81e1b3e9 100644 --- a/guidance/DS165746.md +++ b/guidance/DS165746.md @@ -1,11 +1,29 @@ -## Do not execute user-provided JavaScript +# Do not execute user-provided JavaScript -### Summary -This line of code shows the dynamic evaluation of JavaScript, sourced from a string. It's important that this string not contain unsanitized user-supplied data, as it could be a vector for a cross-site scripting (XSS) attack. +## Summary -### Details -TO DO - put more details of problem and solution here +* Code that may execute user-provided JavaScript was found. +* If possible, do not use user-provided data in strings to be executed as JavaScript. +* If user-provided strings must be included then they should be properly sanitized and encoded. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The application uses `stringByEvaluatingJavaScriptFromString`, `evaluateJavaScript`, or `callAsyncJavaScript` +to dynamically evaluate strings as JavaScript. This may lead to a cross-site scripting vulnerability if +user supplied-data that has not been properly sanitized is executed as JavaScript. + +## Solution + +If possible, do not use user-provided data in strings to be executed as JavaScript. +If user-provided strings must be included then they should be properly sanitized and encoded. + +## Severity Considerations + +An XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the victim's browser. +The attacker's code may be able to access sensitive information retained by the victim's browser. +XSS attacks can also rewrite page contents, redirect the victim's browser, and/or deliver malware to the victim's machine. + +## References + +* [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) +* [OWASP XSS Attacks](https://owasp.org/www-community/attacks/xss/) diff --git a/guidance/DS169125.md b/guidance/DS169125.md deleted file mode 100644 index f200e84f..00000000 --- a/guidance/DS169125.md +++ /dev/null @@ -1,11 +0,0 @@ -## Do not use outdated SSL/TLS protocols - -### Summary -An outdated SSL/TLS protocol version is specified. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS169126.md b/guidance/DS169126.md index ae59c99e..0a2e333d 100644 --- a/guidance/DS169126.md +++ b/guidance/DS169126.md @@ -1,11 +1,33 @@ -## An Outdated or Banned SSL/TLS Protocol is Used +# An Outdated or Banned SSL/TLS Protocol is Used -### Summary -An Outdated or Banned SSL/TLS Protocol is Used +## Summary -### Details -TO DO - put more details of problem and solution here +* An outdated and insecure SSL/TLS protocol is used. +* Use TLSv1.3 if possible or TLSv1.2 if 1.3 cannot be used. +* It is generally better to rely on operating system configuration rather than hardcoding a specific TLS version. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +There are multiple versions of the SSL/TLS protocol. As of March +2020, their security posture is generally agreed to be: + +* SSLv2 - Broken, do not use under any circumstances. +* SSLv3 - Broken, do not use under any circumstances. +* TLSv1 - Weak, strongly consider disabling unless absolutely required. +* TLSv1.1 - Weak, strongly consider disabling unless absolutely required. +* TLSv1.2 - Strong, acceptable for use for the foreseeable future. +* TLSv1.3 - Strong, acceptable for use for the foreseeable future. + +Generally speaking, you should target TLS 1.2 and TLS 1.3 on all clients +and servers. + +## Severity Considerations + +The severity of this finding should be increased if the underlying security +context is highly sensitive or if the network has low trust. + +## References + +* [Microsoft SDL Cryptographic Recommendations](http://download.microsoft.com/download/6/3/A/63AFA3DF-BB84-4B38-8704-B27605B99DA7/Microsoft%20SDL%20Cryptographic%20Recommendations.pdf) +* [SSL Labs: SSL and TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) +* [OWASP: Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html) diff --git a/guidance/DS173237.md b/guidance/DS173237.md index 40b7f66e..85261065 100644 --- a/guidance/DS173237.md +++ b/guidance/DS173237.md @@ -1,11 +1,25 @@ -## Do not store tokens or keys in source code. +# Do Not Store Tokens or Keys in Source Code -### Summary -A token or key was found in source code. If this represents a secret, it should be moved somewhere else. +## Summary -### Details -TO DO - put more details of problem and solution here +* A token or key was found in source code. +* Secrets should be moved to location where they can be securely managed such as a key vault. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Secrets are commonly used for authentication or cryptography (e.g., signing or encryption of data.) +Secrets may include passwords, API keys, certificates, or encryption keys. +The security of authentication and cryptography relies on keeping these secrets out of the hands of attackers. + +Storing secrets in source code is not secure. +There have been many scenarios where an attacker has gotten access to source code, leading to a security breach +leveraging hardcoded secrets. + +Storing secrets in source code also makes it more difficult to manage the lifecycle of a secret. +Secrets should be periodically changed (e.g., API keys rotated.) +Modifying source code, building, and deploying an application is typically more difficult than updating values in +a secure secret management technology (e.g., a key vault.) + +## Severity Considerations + +The severity of this issue depends on the sensitivity of the data or operations protected by the secret. diff --git a/guidance/DS175862.md b/guidance/DS175862.md index 53cf3d15..15314b94 100644 --- a/guidance/DS175862.md +++ b/guidance/DS175862.md @@ -1,11 +1,22 @@ -## Do not use the mcrypt module, use OpenSSL instead. +# Do Not Use the mcrypt Module, use OpenSSL -### Summary -The PHP mcrypt module is based on libmcrypt, which has been abanonded since 2007. +## Summary -### Details -TO DO - put more details of problem and solution here +* Usage of a function from the end-of-life `mcrypt` module was found. +* Replace usages of `mcrypt` with `OpenSSL`. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +PHP's `mcrypt` module is end-of-life, no longer supported, and should not be considered secure. +The functions of the `mcrypt` module were deprecated in PHP 7.1.0 and removed in PHP 7.2.0 in 2017. +The PHP `mcrypt` module is based on `libmcrypt`, which has been abandoned since 2007. +End-of-life libraries may contain vulnerabilities that will not be fixed and developers are +encouraged to moved to a library that is actively maintained. + +## Solution + +Replace usages of `mcrypt` with `OpenSSL`. + +## Severity Considerations + +The severity of this issue corresponds to the sensitivity of the data being encrypted by the application. diff --git a/guidance/DS176209.md b/guidance/DS176209.md index ef79da34..588cdf40 100644 --- a/guidance/DS176209.md +++ b/guidance/DS176209.md @@ -1,11 +1,5 @@ -## Suspicious comment +# Suspicious comment -### Summary -A "TODO" or similar was left in source code, possibly indicating incomplete functionality - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Summary +A "TODO" or similar was left in source code, possibly indicating incomplete functionality diff --git a/guidance/DS179924.md b/guidance/DS179924.md index cbbf532d..52cb3d99 100644 --- a/guidance/DS179924.md +++ b/guidance/DS179924.md @@ -1,11 +1,20 @@ -## Do not copy a FILE object (CERT FIO38-C) +# Do Not Copy a FILE object (CERT FIO38-C) + +## Summary + +* Code was found that may create a by-value copy of a `FILE` object. +* Use a pointer to the `FILE` object rather than creating a copy. + +## Details -### Summary The CERT Secure Coding Standard recommends that FILE objects not be copied. +According to the C standard, +> The address of the FILE object used to control a stream may be significant; a copy of a FILE object need not serve in place of the original. + +## Severity Considerations -### Details -TO DO - put more details of problem and solution here +Using a copy of a FILE object in place of the original may result in an application crash. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## References +* [FIO38-C. Do not copy a FILE object](https://wiki.sei.cmu.edu/confluence/display/c/FIO38-C.+Do+not+copy+a+FILE+object) diff --git a/guidance/DS181021.md b/guidance/DS181021.md index 6e3f0971..d0de0adc 100644 --- a/guidance/DS181021.md +++ b/guidance/DS181021.md @@ -1,11 +1,29 @@ -## Banned C function detected (gets) +# Banned C function detected (gets) -### Summary -gets will read in as many bytes as are provided, regardless of the size of buffer recieving the bytes. This allows for conditions that cause a buffer overlow in the destination buffer. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `gets` function to read into a buffer can lead to a buffer overrun vulnerability. +* Resolve this issue by using secure versions such as `gets_s` or `fgets` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `gets` function will read in as many bytes as are provided, regardless of the size of buffer receiving the bytes. +This allows for conditions that cause a buffer overflow in the destination buffer. + +There is no way to limit the number of characters read by the `gets` function. +Untrusted input can easily cause buffer overruns. + +## Solution + +Usages of `gets` should be replaced with more secure versions such as `gets_s` or `fgets` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [Microsoft Learn: gets_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/gets-s-getws-s?view=msvc-170) +* [Microsoft Learn: fgets](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/fgets-fgetws?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS181731.md b/guidance/DS181731.md index 45381b8f..4cf0bac3 100644 --- a/guidance/DS181731.md +++ b/guidance/DS181731.md @@ -1,11 +1,33 @@ -## Don't pass user input to this function +# Don't Pass User Input to File Inclusion or Execution Functions -### Summary -Don't pass user input to this function. +## Summary -### Details -TO DO - put more details of problem and solution here +* Code was found that passes user input to a file inclusion or execution function. +* Attackers may be able to use dynamic inclusion/exclusion functions to execute arbitrary code or obtain sensitive information. +* Remove user input from calls to file inclusion or execution functions. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +PHP offers several functions that can be used to incorporate the code of one file in another such as: + +* `include` +* `include_once` +* `require` +* `require_once` + +A file inclusion vulnerability exists when user input is passed to these file inclusion functions. +An attacker may be able to use a file inclusion vulnerability to have the server execute code from a remote server (AKA remote file inclusion) +or learn the contents of other files on server, potentially disclosing sensitive information. + +PHP also includes functions such as `passthru` and `exec` that can be used to execute operating system commands. +A dynamic code evaluation vulnerability exists when user input is passed to these dynamic execution functions. +An attacker can use a dynamic code evaluation vulnerability to execute arbitrary code on the server. + +## Severity Considerations + +In the worst case, file inclusion and dynamic code evaluation vulnerabilities can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [OWASP Testing Guide: Remote File Inclusion](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion) +* [OWASP: Direct Dynamic Code Execution](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection) diff --git a/guidance/DS182720.md b/guidance/DS182720.md index 446e9120..b91b80bc 100644 --- a/guidance/DS182720.md +++ b/guidance/DS182720.md @@ -1,11 +1,25 @@ -## A weak cipher mode of operation was used +# A Weak Cipher Mode of Operation Was Used -### Summary -A potentially weak cipher mode of operation was used. +## Summary -### Details -TO DO - put more details of problem and solution here +* A potentially weak cipher mode of operation was used. +* Use CBC, CTR, or GCM mode of operation if possible. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +Block cipher algorithms (such as AES) operate on **blocks**, which are fixed-length set of bits. +The mode of operation describes how a block cipher is to be applied on data larger than a single block +(e.g., by taking data from processing of previous blocks and using it in processing of future blocks.) +Different modes of operation provide different security guarantees of confidentiality and integrity of the data. +Some modes of operations (such as ECB) do not provide sufficient security guarantees and are subject to different +cryptographic attacks such as brute force or replay attacks. + +Block cipher algorithms should use CBC, CTR, or GCM mode of operation if possible. + +## Severity Considerations + +Any use of weak modes of operation, especially ECB, should be very carefully reviewed by a security expert or cryptographer to understand the risks involved. + +## References + +* [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes) diff --git a/guidance/DS184626.md b/guidance/DS184626.md index c9d6b7d1..0d9ea023 100644 --- a/guidance/DS184626.md +++ b/guidance/DS184626.md @@ -1,11 +1,21 @@ -## All Controllers Should Derive From Controller. +# All Controllers Should Derive From Controller -### Summary -All Controllers Should Derive From Controller. +## Summary -### Details -TO DO - put more details of problem and solution here +* A Controller class was found that does not derive from `System.Web.Mvc.Controller` or `System.Web.Http.ApiController` +* All Controllers Should Derive from the appropriate MVC or Web API Controller class. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The MVC and Web API Controller base classes provide a number of security benefits out of the box. +Controllers that derive from these classes can take advantage of these features such as: + +* Use of `[Authorize]` and related attributes to enforce access control +* Use of `[ValidateAntiForgeryToken]` attribute to protect against cross-site request forgery (CSRF). + +A number of MVC and Web API features such as default routing also rely on custom Controllers deriving from the base Controller classes. + +## References + +* [MVC Controller](https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.controller?view=aspnet-mvc-5.2) +* [Web API Controller](https://learn.microsoft.com/en-us/dotnet/api/system.web.http.apicontroller) diff --git a/guidance/DS185832.md b/guidance/DS185832.md index 7eb63b00..aeaede8e 100644 --- a/guidance/DS185832.md +++ b/guidance/DS185832.md @@ -1,11 +1,26 @@ -## Banned C function detected (strcpy) +# Banned C function detected (strcpy) -### Summary -strcpy is frequently dangerous, as it will cause a buffer overflow if the source is larger than the destination. +## Summary -### Details -TO DO - put more details of problem and solution here +* Use of the `strcpy` function to copy a string can lead to a buffer overrun vulnerability. +* Use secure versions such as `strcpy_s` to help prevent buffer overruns. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The `strcpy` function does not check for sufficient space in the destination buffer. +This is a potential cause of a buffer overrun vulnerability. +A buffer overflow will occur if the source is larger than the destination. + +## Solution + +Use secure versions such as `strcpy_s` to help prevent buffer overruns. + +## Severity Considerations + +In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise. + +## References + +* [Microsoft Learn: strcpy_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-s-wcscpy-s-mbscpy-s?view=msvc-170) +* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns) +* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) diff --git a/guidance/DS187371.md b/guidance/DS187371.md deleted file mode 100644 index 446e9120..00000000 --- a/guidance/DS187371.md +++ /dev/null @@ -1,11 +0,0 @@ -## A weak cipher mode of operation was used - -### Summary -A potentially weak cipher mode of operation was used. - -### Details -TO DO - put more details of problem and solution here - -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? - diff --git a/guidance/DS188250.md b/guidance/DS188250.md index 1c10ea2f..86b9b11e 100644 --- a/guidance/DS188250.md +++ b/guidance/DS188250.md @@ -1,11 +1,15 @@ -## Missing initialization vector +# Missing initialization vector -### Summary -The mcrypt_encrypt function was used without an initialization vector. +## Summary -### Details -TO DO - put more details of problem and solution here +* The `mcrypt_encrypt` function was used without an initialization vector. +* Use secure random number generation to create an initialization vector. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The security of many symmetric encryption cipher modes is weakened when an initialization vector is not used. +That is, information about the plaintext data may be leaked to an attacker when an initialization vector is not used. + +## Severity Considerations + +The severity of this issue corresponds to the sensitivity of the data being encrypted by the application. diff --git a/guidance/DS189424.md b/guidance/DS189424.md index 13d0a7e4..f3dffc31 100644 --- a/guidance/DS189424.md +++ b/guidance/DS189424.md @@ -1,11 +1,20 @@ -## Review eval for untrusted data +# Review eval for Untrusted Data + +## Summary + -### Summary -If untrusted data is included in an eval statement it can allow an attacker to inject code into the application. Each usage of eval should be reviewed to ensure that no data generated outside of the application (from HTML requests, shared databases, etc.) can find its way into the eval statement ### Details -TO DO - put more details of problem and solution here -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +If untrusted data is included in an eval statement it can allow an attacker to inject code into the application. Each usage of eval should be reviewed to ensure that no data generated outside of the application (from HTML requests, shared databases, etc.) can find its way into the eval statement + +## Severity Considerations + +An XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the victim's browser. +The attacker's code may be able to access sensitive information retained by the victim's browser. +XSS attacks can also rewrite page contents, redirect the victim's browser, and/or deliver malware to the victim's machine. + +## References +* [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) +* [OWASP XSS Attacks](https://owasp.org/www-community/attacks/xss/) diff --git a/guidance/DS191340.md b/guidance/DS191340.md index 8445c318..ed963fc4 100644 --- a/guidance/DS191340.md +++ b/guidance/DS191340.md @@ -1,11 +1,21 @@ -## Do not store sensitive data in NSUserDefaults. +# Do Not Store Sensitive Data in NSUserDefaults -### Summary -Do not store sensitive data in NSUserDefaults. +## Summary -### Details -TO DO - put more details of problem and solution here +* Code was found that stores a secret such as a password or key in `NSUserDefaults`. +* Consider another secret storage mechanism such as the Keychain API. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +The keys and values saved in `NSUserDefaults` are stored in an unencrypted file that can be easily viewed. +Therefore, `NSUserDefaults` is not a secure way to store secrets. +Secrets should be stored using a different mechanism such as the Keychain API. + +## Severity Considerations + +The severity of this issue depends on the sensitivity of the secret and the impact of any attack leveraging that secret. + +## References + +* [Apple iOS API Documentation: Keychain services](https://developer.apple.com/documentation/security/keychain_services) +* [OWASP Testing Guide: iOS Data Storage](https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage/) diff --git a/guidance/DS197836.md b/guidance/DS197836.md index 58742503..415f49d4 100644 --- a/guidance/DS197836.md +++ b/guidance/DS197836.md @@ -1,11 +1,20 @@ -## Do not take the hash of low-entropy content. +# Do Not Take the Hash of Low-Entropy Content -### Summary -Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks. +## Summary -### Details -TO DO - put more details of problem and solution here +* Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks. +* Instead, use a high quality source of entropy such as a cryptographic random number generator. -### Severity Considerations -TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem? +## Details +In cryptography, entropy is the quality of unpredictable randomness. +The security provided by hashing algorithms relies on attackers inability to find a hash collision (typically via brute force attacks.) +Using a hash algorithm with low quality sources of entropy, such as time, provide insufficient protection against brute-force attacks. + +## Solution + +Use a high quality source of entropy such as a cryptographic random number generator. + +## Severity Considerations + +Use of hashing algorithms with an appropriate source entropy should be very carefully reviewed by a security expert or cryptographer to understand the risks involved. diff --git a/guidance/DS224000.md b/guidance/DS224000.md index 29250bfb..1a12f962 100644 --- a/guidance/DS224000.md +++ b/guidance/DS224000.md @@ -23,4 +23,3 @@ The following strings are flagged: Strictly speaking, all of these can be used safely, provided the data passed to these stored procedures is trusted. Ensure that all data originates from your application or from a trusted user. - diff --git a/guidance/DS440000.md b/guidance/DS440000.md index f24367d1..e7484c1a 100644 --- a/guidance/DS440000.md +++ b/guidance/DS440000.md @@ -75,7 +75,7 @@ A cipher suite is considered "strong" when it provides at least 128-bits of security, forward secrecy, and strong authentication and key exchange methods. These should be at the top of your list. -``` +``` C TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 @@ -86,7 +86,7 @@ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Certificate validation can be complex, but is fundamental to secure communication. Software developers are often tempted to disable -certificate validation due to mis-configurations, but disabling +certificate validation due to mis-configurations, but disabling validation is very nearly the same as disabling encryption altogether. ### Use an Up to Date Implementation diff --git a/guidance/DS440001.md b/guidance/DS440001.md index 778d259e..25bd8f38 100644 --- a/guidance/DS440001.md +++ b/guidance/DS440001.md @@ -1,10 +1,10 @@ -## Hard-coded Cryptography +# Hard-coded Cryptography -### Summary +## Summary Usage of hard-coded cryptography reduces the crypto agility of an application, which can hinder attempts to move away from vulnerable cryptography. -### Details +## Details Crypto agility is the ability of an application to migrate from one cryptographic algorithm to another. This ability is valuable both in situations where new, stronger cryptographic algorithms become available, and new attacks against existing cryptographic algorithms become known, making those algorithms no longer safe to use. @@ -12,6 +12,6 @@ Crypto agility includes being able to switch parameters of an existing algorithm In order to facilitate this ability, hard-coding crypto algorithms and parameters is not recommended. -### References +## References * [https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/brownfield/cryptographic-agility](https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/brownfield/cryptographic-agility) diff --git a/rules/default/security/attack_surface/outbound_network.json b/rules/default/security/attack_surface/outbound_network.json index 4db8d82d..8e192af4 100644 --- a/rules/default/security/attack_surface/outbound_network.json +++ b/rules/default/security/attack_surface/outbound_network.json @@ -12,7 +12,7 @@ ], "confidence": "high", "severity": "ManualReview", - "rule_info": "DS137038.md", + "rule_info": "DS137138.md", "patterns": [ { "pattern": "Net::HTTP", diff --git a/rules/default/security/cryptography/certificate.json b/rules/default/security/cryptography/certificate.json index 90390603..f7ce6786 100644 --- a/rules/default/security/cryptography/certificate.json +++ b/rules/default/security/cryptography/certificate.json @@ -1,36 +1,4 @@ [ - { - "name": "Encryption Marked 'Optional'", - "id": "DS114352", - "description": "Optional encryption or integrity checking can be dangerous.", - "recommendation": "As a best practice, always enable strong encryption and integrity checking.", - "tags": [ - "Cryptography.Optional" - ], - "confidence": "high", - "severity": "important", - "rule_info": "DS114352.md", - "patterns": [ - { - "pattern": "Integrity.*optional", - "type": "regex", - "scopes": [ - "code" - ] - }, - { - "pattern": "Encryption.*optional", - "type": "regex", - "scopes": [ - "code" - ] - } - ], - "must-match": [ - "IntegrityCheck = optional", - "EncryptionEnabled = optional" - ] - }, { "name": "Disabled certificate validation", "id": "DS181865", diff --git a/rules/default/security/cryptography/general.json b/rules/default/security/cryptography/general.json index 551fe9c2..7558e759 100644 --- a/rules/default/security/cryptography/general.json +++ b/rules/default/security/cryptography/general.json @@ -9,7 +9,7 @@ ], "confidence": "high", "severity": "critical", - "rule_info": "DS101155.md", + "rule_info": "DS181865.md", "patterns": [ { "pattern": "encrypt\\s*=\\s*false", diff --git a/rules/default/security/cryptography/protocol.json b/rules/default/security/cryptography/protocol.json index e3956427..641496c0 100644 --- a/rules/default/security/cryptography/protocol.json +++ b/rules/default/security/cryptography/protocol.json @@ -13,7 +13,7 @@ ], "confidence": "high", "severity": "important", - "rule_info": "DS144436.md", + "rule_info": "DS169126.md", "patterns": [ { "pattern": "SecurityProtocolType\\.(Ssl3|Tls|Tls11)", @@ -55,7 +55,7 @@ ], "confidence": "high", "severity": "moderate", - "rule_info": "DS127101.md", + "rule_info": "DS112835.md", "patterns": [ { "pattern": "SecPkgCred_SupportedProtocols", @@ -79,7 +79,7 @@ ], "confidence": "high", "severity": "important", - "rule_info": "DS169125.md", + "rule_info": "DS169126.md", "patterns": [ { "pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)", diff --git a/rules/default/security/cryptography/weak_cipher_modes.json b/rules/default/security/cryptography/weak_cipher_modes.json index 4e3953c2..51ccdd83 100644 --- a/rules/default/security/cryptography/weak_cipher_modes.json +++ b/rules/default/security/cryptography/weak_cipher_modes.json @@ -9,7 +9,7 @@ ], "confidence": "medium", "severity": "important", - "rule_info": "DS187371.md", + "rule_info": "DS182720.md", "patterns": [ { "pattern": "(ECB|OFB|CFB|CTS|PCBC|GMAC|XCBC|IACBC|IAPM|EAX|OCB|CWC|AEAD|LRW|XEX|XTS|CMC|EME|CBCMAC|OMAC|PMAC)", diff --git a/rules/default/security/xml/external_entities.json b/rules/default/security/xml/external_entities.json index 3f9a05b6..5e581331 100644 --- a/rules/default/security/xml/external_entities.json +++ b/rules/default/security/xml/external_entities.json @@ -60,7 +60,7 @@ ], "confidence": "high", "severity": "moderate", - "rule_info": "DS132780.md", + "rule_info": "DS132779.md", "patterns": [ { "pattern": "shouldResolveExternalEntities\\s*=\\s*TRUE", @@ -104,7 +104,7 @@ ], "confidence": "high", "severity": "moderate", - "rule_info": "DS132790.md", + "rule_info": "DS132779.md", "patterns": [ { "pattern": "setShouldResolveExternalEntities:\\s*YES",