added yar files and updated new rules

truefinder · Apr 7, 2021 · 11b8889 · 11b8889
1 parent 013aec2
commit 11b8889
Show file tree

Hide file tree

Showing 10 changed files with 375 additions and 43 deletions.
diff --git a/platform/codeigniter.yar b/platform/codeigniter.yar
@@ -0,0 +1,52 @@
+/* codeigniter vulnerable code auditing rules */ 
+
+rule xss : codeigniter config
+{
+    strings : 
+        $xss1 = "$config['global_xss_filtering']"
+        $false = /.*:.*false/ nocase 
+    condition : 
+        $xss1 and $false 
+
+}
+
+rule csrf : codeigniter config 
+{
+    strings : 
+        $csrf1 = "$config['csrf_exclude_uris']"
+        $csrf2 = "$config['csrf_regenerate']"
+        $csrf3 = "$config['csrf_protection']"
+        $false = /.*:.*false/ nocase 
+    condition : 
+        1 of ($csrf*) and $false 
+
+}
+
+rule directory : codeigniter
+{
+    strings : 
+        $dir1 = "sanitize_filename("
+        $false = /.*:.*false/ nocase 
+    condition : 
+        $dir1 and $false 
+
+}
+
+rule sql_injection : codeigniter
+{
+    strings : 
+        $sql1 = /$this->db->(query|simple_query)\(/  
+    condition : 
+        any of them 
+
+}
+
+rule debug : codeigniter
+{
+    strings : 
+        $dbg1 = "$db['default']['db_debug']"
+        $true = /.*:.*true/ nocase 
+    condition : 
+        $dbg1  and $true 
+        
+}
diff --git a/platform/django.yar b/platform/django.yar
@@ -0,0 +1,26 @@
+
+/* django vulnerable code auditing rules */ 
+
+rule redirect : django
+{
+    strings:
+        $redir1 = "redirect("
+    condition:
+        any of them 
+}
+
+rule xss : django
+{
+    strings:
+        $xss1 = /__setitem__(.*Content-Type/
+    condition:
+       any of them  
+}
+
+rule sql_injection : django 
+{
+    strings : 
+        $sql1 = "cursor.execute("
+    condition:
+        any of them 
+}
diff --git a/platform/ethna.yar b/platform/ethna.yar
diff --git a/platform/flask.yar b/platform/flask.yar
@@ -0,0 +1,40 @@
+
+rule xss : flask 
+{
+    strings : 
+        $xss = /\.add\(.* Content-Type/
+    condition : 
+        any of them 
+}
+
+rule code_injection : flask 
+{
+    strings : 
+        $code1 = "exec("
+        $code2 = /yml\.load\(.*yaml\.Loader/
+    condition:
+        any of them 
+}
+
+rule flask1 
+{
+    strings:
+        
+        $fl2 = "HttpResponseRedirect("
+        $fl3 = "pickle.load(" 
+        $fl4 = "send_file(" 
+        $fl5 = "root.findall(" 
+    condition:
+        any of them 
+}
+rule flask2 
+{
+    strings: 
+        $fl1 = "yml.load(" 
+        $opt1 = "yaml.Loader"
+  
+    condition:
+        ($fl1 and $opt1 ) or  
+        ($fl2 and $opt2 ) 
+
+}
diff --git a/platform/gorilla.yar b/platform/gorilla.yar
@@ -0,0 +1,28 @@
+/* gorilla vulnerable code auditing rules */ 
+
+rule xss : gorilla 
+{
+    strings : 
+        $xss1 = "text/template" 
+    condition:
+        any of them 
+
+}
+
+rule csrf : gorilla 
+{
+    strings :
+        $csrf1 = "csrf.Protect(" 
+    condition:
+        any of them 
+
+}
+
+rule origin : gorilla 
+{
+    strings : 
+        $orig1 = "AllowedOrigins" 
+    condition:
+        any of them 
+
+}
diff --git a/platform/laravel.yar b/platform/laravel.yar
@@ -0,0 +1,54 @@
+/* laravel vulnerable code audting rule */ 
+
+rule xss : laravel 
+{
+    strings : 
+        $xss1 = /{!!.*!!}/
+    condition : 
+        any of them 
+}
+
+rule sql_injection : laravel 
+{
+    strings : 
+        $sql1 = "unprepared("
+        $sql2 = "DB::raw("
+        $sql3 = /DB::(select|insert|delete|update|statement)\(/
+        $sql4 = /(fromRaw|whereRaw)\(/
+
+    condition : 
+        any of them 
+}
+
+rule  sql_injection2 : laravel 
+{
+    strings : 
+        
+        $sql1 = "raw" nocase 
+        $sql2 = "query" nocase 
+        $sql3 = "sql" nocase
+        $sql4 = "fmt" nocase 
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
+        
+    condition : 
+       1 of ($sql*) and $param 
+}
+
+rule cmd_injection : laravel 
+{
+    strings : 
+        $cmd1 = /Artisan::(call|queue)\(/
+        $cmd2 = /$this->(call|callSilently)\(/
+    condition : 
+        any of them 
+}
+
+rule upload : laravel 
+{
+    strings :
+        $upload = /\'filename\'.*=>/  
+    condition : 
+        any of them 
+}
diff --git a/platform/typescript.yar b/platform/typescript.yar
@@ -0,0 +1,103 @@
+/* typescript vulnerable code auditing rules */ 
+
+rule   xss : typescript
+{
+    strings : 
+        $xss1 = ".send("
+        $xss2 = /Mustache\.escape.*=/
+        $xss3 = /Handlebars\.compile.*noEscape/
+        $xss4 = /markdownIt\(.*html.*true/
+        $xss5 = /marked\.setOptions\(.*sanitize.*false/
+        $xss6 = /Renderer\(.*sanitize.*false/
+
+     condition: 
+        any of them 
+
+}
+
+rule   sql_injection : typescript
+{
+    strings : 
+        $sql1 = /db\.query\(/ 
+        $sql2 = /\.query\(.*\+/
+     condition: 
+        any of them 
+
+}
+rule  sql_injection2 : typescript 
+{
+    strings : 
+        
+        $sql1 = "raw" nocase 
+        $sql2 = "query" nocase 
+        $sql3 = "sql" nocase
+        $sql4 = "fmt" nocase 
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
+        
+    condition : 
+       1 of ($sql*) and $param 
+}
+
+
+
+rule   xxe : typescript
+{
+    strings : 
+        $xxe1 = /libxmljs\.parseXmlString.*noent.*true/
+     condition: 
+        any of them 
+
+}
+
+rule   cmd_injection: typescript
+{
+    strings : 
+        $cmd1 = ".exec("
+        $cmd2 = ".execSync("
+        $cmd3 = ".spawn("
+        $cmd4 = ".spanSync("
+        $cmd5 = ".execFile("
+        $cmd6 = ".execFileSync("
+     condition: 
+        any of them 
+
+}
+
+rule   code_injection : typescript
+{
+    strings : 
+        $code1 = "eval("
+        $code2 = "Function(" 
+     condition : 
+        any of them 
+}
+
+rule   directory : typescript
+{
+    strings : 
+        $dir1 = ".readFileSync("
+     condition: 
+        any of them 
+
+}
+
+rule   crypto : typescript
+{
+    strings : 
+        $crypto1 = /crypto\.createHash\(.*sha1/ 
+        $crypto2 = /crypto\.createCipheriv.*AES-128-/ 
+     condition: 
+        any of them 
+
+}
+
+rule    dns : typescript
+{
+    strings : 
+        $dns1 = /dnsPrefetchControl\(.*allow.*true/ 
+     condition: 
+        any of them 
+
+}
diff --git a/plugin/go/go_danger_functions.rule b/plugin/go/go_danger_functions.rule
@@ -38,6 +38,16 @@ rule sql_injection2
        1 of ($sql*) and $param 
 }
 
+
+rule sql_injection3 
+{
+    strings : 
+        $sql1 = /(select|update|insert|delete|values|with)/ 
+        $param = /.*(%s|\+)/ nocase 
+    condition:
+       1 of ($sql*) and $param 
+}
+
 rule cmd_excute
 {
     strings : 

diff --git a/plugin/nodejs/nodejs_danger_functions.rule b/plugin/nodejs/nodejs_danger_functions.rule
@@ -76,6 +76,15 @@ rule sql_injection2
        1 of ($sql*) and $param 
 }
 
+rule sql_injection3 
+{
+    strings : 
+        $sql1 = /(select|update|insert|delete|values|with)/ 
+        $param = /.*.*%s/ nocase 
+    condition:
+       1 of ($sql*) and $param 
+}
+
 rule js_excute 
 {
     strings :