From 4b7c6c8e7d076430e334a42a2a6d012d81b44dcc Mon Sep 17 00:00:00 2001 From: ostorlab Date: Mon, 25 Dec 2023 12:10:47 +0100 Subject: [PATCH 1/5] Standardize semgrep description --- agent/utils.py | 12 +++++++++++- tests/utils_test.py | 25 +++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/agent/utils.py b/agent/utils.py index 8f44390..2ca14d8 100644 --- a/agent/utils.py +++ b/agent/utils.py @@ -2,6 +2,7 @@ import dataclasses import mimetypes import os +import re from typing import Any, Iterator from urllib import parse @@ -69,6 +70,15 @@ def construct_vulnerability_title(check_id: str | None) -> str: return check_id.split(".")[-1].replace("-", " ").title() +def filter_description(description: str) -> str: + description = re.sub( + r"RegExp\(\) called with a (.*) function argument", + "RegExp() called with a function argument", + description, + ) + return description + + def parse_results(json_output: dict[str, Any]) -> Iterator[Vulnerability]: """Parses JSON generated Semgrep results and yield vulnerability entries. @@ -84,7 +94,7 @@ def parse_results(json_output: dict[str, Any]) -> Iterator[Vulnerability]: for vulnerability in vulnerabilities: extra = vulnerability.get("extra", {}) - description = extra.get("message", "") + description = filter_description(extra.get("message", "")) title = construct_vulnerability_title(vulnerability.get("check_id")) metadata = extra.get("metadata", {}) impact = metadata.get("impact", "UNKNOWN") diff --git a/tests/utils_test.py b/tests/utils_test.py index 918c290..430a5f1 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py 
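Review bot: The substitution in `filter_description` uses a greedy `(.*)` whose capture group is never read, and the text it swallows is whatever expression Semgrep interpolated from the scanned source, which this agent presumably does not control; a message whose argument text itself contains `function argument` would be collapsed well past the argument. A lazy, non-capturing pattern compiled once at module level is both safer and cheaper in the per-finding loop: `_REGEXP_ARG_RE = re.compile(r"RegExp\(\) called with a .*? function argument")` at module scope, and in the function `return _REGEXP_ARG_RE.sub("RegExp() called with a function argument", description)`. The function also has no docstring, and the reason for the rewrite lives only in the commit subject; a one-liner such as `"""Drop the call-site argument text from Semgrep's ReDoS message so identical findings share one description."""` would keep that intent next to the code. Note that `parse_results` now passes the message through unconditionally, so a non-string `message` value (should Semgrep ever emit one) would raise `TypeError` inside `re.sub` rather than flow through as before; `extra.get("message") or ""` would preserve the old tolerance. The body of `parse_results` continues outside the last hunk.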
@@ -125,3 +125,28 @@ def testConstructVulnerabilityTitle_whenCheckIdIsNotAvailable_raisesException() assert exception.typename == "ValueError" assert exception.value.args[0] == "Check ID is not defined" + + +def testFilterDescription_caseRegexRedos_returnFilteredDescription() -> None: + """Unittest for filter_descirption: + case when regex Redos description + """ + description = ( + "RegExp() called with a token function argument, this might allow an attacker to cause " + "a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks " + "the main thread. For this reason, it is recommended to use hardcoded regexes instead. If " + "your regex is run on user-controlled input, consider performing input validation or use a " + "regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify " + "that the regex does not appear vulnerable to ReDoS." + ) + filtered_description = utils.filter_description(description) + + assert ( + filtered_description + == "RegExp() called with a function argument, this might allow an attacker to cause a Regular " + "Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. " + "For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on " + "user-controlled input, consider performing input validation or use a regex checking/sanitization " + "library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear " + "vulnerable to ReDoS." + ) From 14fe89d2ab46600d4c49a6a3959aa3bf63cbe082 Mon Sep 17 00:00:00 2001 From: ostorlab Date: Mon, 25 Dec 2023 12:11:08 +0100 Subject: [PATCH 2/5] Standardize semgrep description --- tests/utils_test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/utils_test.py b/tests/utils_test.py index 430a5f1..4b76332 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py 
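Review bot: The new test pins only the one message shape that is rewritten; nothing checks that `filter_description` leaves every other Semgrep message untouched, which is the property `parse_results` now relies on for all findings. A second assertion on an unrelated message, `assert utils.filter_description("Hardcoded password found") == "Hardcoded password found"`, plus one whose argument is a nested call such as `"RegExp() called with a build(pattern) function argument, ..."`, would cover the no-op case and the greedy-match edge respectively. The real Semgrep message may wrap the interpolated argument in backticks; if it does, a fixture copied from actual `semgrep --json` output would be more faithful than the hand-written string used here.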
@@ -139,6 +139,7 @@ def testFilterDescription_caseRegexRedos_returnFilteredDescription() -> None: "regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify " "that the regex does not appear vulnerable to ReDoS." ) + filtered_description = utils.filter_description(description) assert ( From de7158a4e095b8f5f1e77b08ef455157e83b439f Mon Sep 17 00:00:00 2001 From: ostorlab Date: Mon, 25 Dec 2023 12:11:39 +0100 Subject: [PATCH 3/5] Standardize semgrep description --- tests/utils_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utils_test.py b/tests/utils_test.py index 4b76332..d5ddd97 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -129,7 +129,7 @@ def testConstructVulnerabilityTitle_whenCheckIdIsNotAvailable_raisesException() def testFilterDescription_caseRegexRedos_returnFilteredDescription() -> None: """Unittest for filter_descirption: - case when regex Redos description + case when regex ReDos description """ description = ( "RegExp() called with a token function argument, this might allow an attacker to cause " From 5273476e0f6d3a6e4ffe6d00e13b9b1791f729f5 Mon Sep 17 00:00:00 2001 From: ostorlab Date: Mon, 25 Dec 2023 12:11:59 +0100 Subject: [PATCH 4/5] Optimize imports --- agent/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/utils.py b/agent/utils.py index 2ca14d8..d1982b2 100644 --- a/agent/utils.py +++ b/agent/utils.py @@ -4,8 +4,8 @@ import os import re from typing import Any, Iterator - from urllib import parse + import magic from ostorlab.agent.kb import kb from ostorlab.agent.mixins import agent_report_vulnerability_mixin From 8b2dfa48d85685d0138dc20855f905700c190b9e Mon Sep 17 00:00:00 2001 From: ostorlab Date: Mon, 25 Dec 2023 13:28:30 +0100 Subject: [PATCH 5/5] typo --- tests/utils_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utils_test.py b/tests/utils_test.py index d5ddd97..ddc31e8 100644 
--- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -128,7 +128,7 @@ def testConstructVulnerabilityTitle_whenCheckIdIsNotAvailable_raisesException() def testFilterDescription_caseRegexRedos_returnFilteredDescription() -> None: - """Unittest for filter_descirption: + """Unit test for filter description: case when regex ReDos description """ description = (