def test_invalid_rule_with_null():
    """A rule whose ``message`` is YAML null (``~``) must be rejected.

    ``parse_config_string`` is expected to raise ``InvalidRuleSchemaError``
    for this rule instead of accepting a rule without a usable message.
    """
    null_message_rule = """
        rules:
          - id: blah
            message: ~
            severity: INFO
            languages: [python]
            patterns:
              - pattern-either:
                  - pattern: $X == $Y
                  - pattern-not: $Z == $Z
    """
    with pytest.raises(InvalidRuleSchemaError):
        # Dedent at the call site so the literal above can stay indented.
        parse_config_string("testfile", dedent(null_message_rule), None)
def test_invalid_metavariable_comparison2():
    """A malformed ``metavariable-comparison`` block must be rejected.

    The block repeats the ``metavariable`` key and also carries a ``regex``
    entry; ``parse_config_string`` is expected to raise
    ``InvalidRuleSchemaError`` for it.
    """
    bad_comparison_rule = """
        rules:
          - id: boto3-internal-network
            patterns:
              - pattern-inside: $MODULE.client(host=$HOST, port=$PORT)
              - metavariable-comparison:
                  metavariable: $PORT
                  comparison: $PORT > 9999
                  metavariable: $MODULE
                  regex: '(server|servers)'
            message: "Boto3 connection to internal network"
            languages: [python]
            severity: ERROR
    """
    with pytest.raises(InvalidRuleSchemaError):
        # Dedent at the call site so the literal above can stay indented.
        parse_config_string("testfile", dedent(bad_comparison_rule), None)
def test_invalid_metavariable_regex():
    """A ``metavariable-regex`` block with a duplicated key must be rejected.

    The block names ``metavariable`` twice (``$HOST`` and ``$MODULE``), each
    with its own ``regex``; ``parse_config_string`` is expected to raise
    ``InvalidRuleSchemaError`` for it.
    """
    bad_regex_rule = """
        rules:
          - id: boto3-internal-network
            patterns:
              - pattern-inside: $MODULE.client(host=$HOST)
              - metavariable-regex:
                  metavariable: $HOST
                  regex: '192.168\\.\\d{1,3}\\.\\d{1,3}'
                  metavariable: $MODULE
                  regex: (boto|boto3)
            message: "Boto3 connection to internal network"
            languages: [python]
            severity: ERROR
    """
    with pytest.raises(InvalidRuleSchemaError):
        # Dedent at the call site so the literal above can stay indented.
        parse_config_string("testfile", dedent(bad_regex_rule), None)
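def test_parse_taint_rules():
    """Parse a config mixing search-mode and taint-mode rules and validate each.

    The YAML holds three rules: one with no explicit ``mode``, one with
    ``mode: search`` and one with ``mode: taint`` (sources, sinks and
    sanitizers).  Every rule must pass ``validate_single_rule`` without
    raising, and the test checks that all three rules were actually
    reached, instead of finishing on a vacuous ``assert True`` that would
    also pass if ``rules.value`` were empty.
    """
    yaml_contents = dedent(
        """
        rules:
          - id: stupid_equal
            pattern: $X == $X
            message: Dude, $X == $X is always true (Unless X is NAN ...)
            languages: [python, javascript]
            severity: WARNING
          - id: stupid_equal2
            mode: search
            pattern: $X == $X
            message: Dude, $X == $X is always true (Unless X is NAN ...)
            languages: [python, javascript]
            severity: WARNING
          - id: example_id
            mode: taint
            pattern-sources:
              - source(...)
              - source1(...)
            pattern-sinks:
              - sink(...)
              - sink1(...)
              - eval(...)
            pattern-sanitizers:
              - sanitize(...)
              - sanitize1(...)
            message: A user input source() went into a dangerous sink()
            languages: [python, javascript]
            severity: WARNING
        """
    )
    expected_rule_count = 3  # number of ``- id:`` entries in the YAML above

    yaml = parse_config_string("testfile", yaml_contents, "file.py")
    config = yaml["testfile"].value
    rules = config.get(RULES_KEY)

    # Count while iterating rather than calling len(): the loop only relies
    # on ``rules.value`` being iterable, so nothing more is assumed here.
    validated = 0
    for rule_dict in rules.value:
        validate_single_rule("testfile", rule_dict)
        validated += 1
    assert validated == expected_rule_count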