def test_invalid_rule_with_null():
    """A rule whose ``message`` is YAML null (``~``) must fail schema validation.

    ``parse_config_string`` is expected to raise ``InvalidRuleSchemaError``
    instead of accepting a rule that has no usable message.
    """
    rule_text = dedent("""
        rules:
        - id: blah
          message: ~
          severity: INFO
          languages: [python]
          patterns:
          - pattern-either:
            - pattern: $X == $Y
            - pattern-not: $Z == $Z
        """)

    # Functional form of pytest.raises: invoke the parser with the same
    # arguments as the context-manager form would and expect the schema error.
    pytest.raises(
        InvalidRuleSchemaError, parse_config_string, "testfile", rule_text, None
    )
def test_invalid_metavariable_comparison2():
    """A malformed ``metavariable-comparison`` block must be rejected.

    The block below repeats the ``metavariable`` key and carries a ``regex``
    entry, which does not belong to a comparison; ``parse_config_string`` is
    expected to raise ``InvalidRuleSchemaError`` for it.
    """
    invalid_rule = dedent("""
        rules:
        - id: boto3-internal-network
          patterns:
          - pattern-inside: $MODULE.client(host=$HOST, port=$PORT)
          - metavariable-comparison:
              metavariable: $PORT
              comparison: $PORT > 9999
              metavariable: $MODULE
              regex: '(server|servers)'
          message: "Boto3 connection to internal network"
          languages: [python]
          severity: ERROR
        """)

    # The parse must not succeed: anything other than the schema error fails.
    with pytest.raises(InvalidRuleSchemaError):
        parse_config_string("testfile", invalid_rule, None)
def test_invalid_metavariable_regex():
    """A ``metavariable-regex`` block with duplicated keys must be rejected.

    Both ``metavariable`` and ``regex`` appear twice in the same mapping;
    ``parse_config_string`` is expected to raise ``InvalidRuleSchemaError``
    rather than silently keep one of the duplicates.
    """
    rule_text = dedent("""
        rules:
        - id: boto3-internal-network
          patterns:
          - pattern-inside: $MODULE.client(host=$HOST)
          - metavariable-regex:
              metavariable: $HOST
              regex: '192.168\\.\\d{1,3}\\.\\d{1,3}'
              metavariable: $MODULE
              regex: (boto|boto3)
          message: "Boto3 connection to internal network"
          languages: [python]
          severity: ERROR
        """)

    # Functional form of pytest.raises; same call as the context-manager form.
    pytest.raises(
        InvalidRuleSchemaError, parse_config_string, "testfile", rule_text, None
    )
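def test_parse_taint_rules():
    """Parse a config mixing search-mode and taint-mode rules and validate each.

    The first two rules use ``pattern`` (the second with an explicit
    ``mode: search``); the third uses ``mode: taint`` with ``pattern-sources``,
    ``pattern-sinks`` and ``pattern-sanitizers``.  Every rule must pass
    ``validate_single_rule`` without raising, and all three must actually be
    visited -- the previous trailing ``assert True`` could not tell an empty
    rule list from a fully validated one.
    """
    yaml_contents = """
rules:
  - id: stupid_equal
    pattern: $X == $X
    message: Dude, $X == $X is always true (Unless X is NAN ...)
    languages: [python, javascript]
    severity: WARNING
  - id: stupid_equal2
    mode: search
    pattern: $X == $X
    message: Dude, $X == $X is always true (Unless X is NAN ...)
    languages: [python, javascript]
    severity: WARNING
  - id: example_id
    mode: taint
    pattern-sources:
      - source(...)
      - source1(...)
    pattern-sinks:
      - sink(...)
      - sink1(...)
      - eval(...)
    pattern-sanitizers:
      - sanitize(...)
      - sanitize1(...)
    message: A user input source() went into a dangerous sink()
    languages: [python, javascript]
    severity: WARNING
    """
    yaml = parse_config_string("testfile", yaml_contents, "file.py")
    config = yaml["testfile"].value
    rules = config.get(RULES_KEY)
    # Count the rules visited so the test fails if parsing silently dropped any.
    validated = 0
    for rule_dict in rules.value:
        validate_single_rule("testfile", rule_dict)
        validated += 1
    assert validated == 3, f"expected 3 rules to be validated, got {validated}"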