Merge pull request #15 from Ostorlab/feature/standardize_description
standardize description
3asm authored Dec 25, 2023
2 parents ff1fcd1 + 8b2dfa4 commit cb5c55b
Showing 2 changed files with 38 additions and 2 deletions.
14 changes: 12 additions & 2 deletions agent/utils.py
Expand Up @@ -2,9 +2,10 @@
import dataclasses
import mimetypes
import os
import re
from typing import Any, Iterator

from urllib import parse

import magic
from ostorlab.agent.kb import kb
from ostorlab.agent.mixins import agent_report_vulnerability_mixin
Expand Down Expand Up @@ -69,6 +70,15 @@ def construct_vulnerability_title(check_id: str | None) -> str:
return check_id.split(".")[-1].replace("-", " ").title()


def filter_description(description: str) -> str:
description = re.sub(
r"RegExp\(\) called with a (.*) function argument",
"RegExp() called with a function argument",
description,
)
return description


def parse_results(json_output: dict[str, Any]) -> Iterator[Vulnerability]:
"""Parses JSON generated Semgrep results and yield vulnerability entries.
Expand All @@ -84,7 +94,7 @@ def parse_results(json_output: dict[str, Any]) -> Iterator[Vulnerability]:

for vulnerability in vulnerabilities:
extra = vulnerability.get("extra", {})
description = extra.get("message", "")
description = filter_description(extra.get("message", ""))
title = construct_vulnerability_title(vulnerability.get("check_id"))
metadata = extra.get("metadata", {})
impact = metadata.get("impact", "UNKNOWN")
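Review bot: `filter_description` is added without a docstring, and its pattern `r"RegExp\(\) called with a (.*) function argument"` uses a greedy `(.*)` that will run past the first identifier whenever the words `function argument` recur later in the same message; `(.*?)` bounds the match to the nearest occurrence. A one-line docstring such as `"""Strip the code identifier Semgrep embeds in the RegExp message so the description is the same across findings."""` would record the intent, which the commit title gives only as "standardize description" (that reading of the intent is inferred from the test fixture; confirm). The pattern is also rebuilt on every iteration of the `parse_results` loop; hoisting `_REGEXP_ARG_PATTERN = re.compile(r"RegExp\(\) called with a (.*?) function argument")` to module level and calling `_REGEXP_ARG_PATTERN.sub(...)` is the usual shape, though `re`'s internal cache makes this a style point rather than a cost. The body of `parse_results` continues outside the hunk.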
26 changes: 26 additions & 0 deletions tests/utils_test.py
Expand Up @@ -125,3 +125,29 @@ def testConstructVulnerabilityTitle_whenCheckIdIsNotAvailable_raisesException()

assert exception.typename == "ValueError"
assert exception.value.args[0] == "Check ID is not defined"


def testFilterDescription_caseRegexRedos_returnFilteredDescription() -> None:
"""Unit test for filter description:
case when regex ReDos description
"""
description = (
"RegExp() called with a token function argument, this might allow an attacker to cause "
"a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks "
"the main thread. For this reason, it is recommended to use hardcoded regexes instead. If "
"your regex is run on user-controlled input, consider performing input validation or use a "
"regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify "
"that the regex does not appear vulnerable to ReDoS."
)

filtered_description = utils.filter_description(description)

assert (
filtered_description
== "RegExp() called with a function argument, this might allow an attacker to cause a Regular "
"Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. "
"For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on "
"user-controlled input, consider performing input validation or use a regex checking/sanitization "
"library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear "
"vulnerable to ReDoS."
)
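Review bot: `testFilterDescription_caseRegexRedos_returnFilteredDescription` exercises only a message that matches the substitution; nothing pins that unrelated descriptions pass through unchanged, which is the common path now that every message in `parse_results` goes through `filter_description`. A second case such as `assert utils.filter_description("Hardcoded secret detected") == "Hardcoded secret detected"` covers it. An empty-string case, `assert utils.filter_description("") == ""`, would also document the default that `extra.get("message", "")` feeds in.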
