added python with django, flask

plugin/nodejs/nodejs.py

@@ -24,8 +24,10 @@ def audit(self,audititem):
         '''
         match = self.rules.match(data=audititem.line)
         if match :
+            length, variable, m_string = match[0].strings[0]
             vulnerability  = "==============================================\n"
             vulnerability += "dangerous nodejs function : " + match[0].rule + "\n"
+            vulnerability += "dangerous matches : " + str(m_string,'utf-8') + "\n"
             vulnerability += "filename : " + audititem.filename + "\n"
             vulnerability += "==============================================\n"
             vulnerability += audititem.lines 

plugin/nodejs/nodejs_danger_functions.rule

@@ -12,6 +12,24 @@ rule cmd_excute
         any of them 
 }
 
+rule file_temper
+{
+    strings: 
+        $file1 = ".IncomingForm("
+        $file2 = ".parse("
+        $file3 = ".readFile("
+        $file4 = ".appendFile("
+        $file5 = ".writeFile("
+        $file6 = ".open("
+        $file7 = ".unlink("
+        $file8 = ".rename("
+        $file9 = ".createReadStream("
+        $file10 = ".createServer("
+        $file11 = ".createTransport("
+        $file12 = ".sendMail("
+    condition : 
+        (any of them) and not ("JSON" and $file2)
+}
 
 rule sql_injection1_mysql 
 {
@@ -23,7 +41,6 @@ rule sql_injection1_mysql
         any of them 
 }
 
-
 rule sql_injection1_mongodb 
 {
     strings : 
@@ -40,8 +57,7 @@ rule sql_injection1_mongodb
 
     condition : 
         ($sql1 or $sql2 ) or 
-        $sql3 and 1 of ($sub*)
-
+        ($sql3 and 1 of ($sub*))        
 }
 
 rule sql_injection2 
@@ -50,6 +66,7 @@ rule sql_injection2
         $sql1 = "raw" nocase 
         $sql2 = "query" nocase 
         $sql3 = "sql" nocase
+        $sql4 = "fmt" nocase 
         $op1 = "=" 
         $op2 = "%s" 
         $func1 = "format("  
@@ -76,16 +93,28 @@ rule xss
 
         $xss2 = "dangerouslySetInnerHTML"
         $xss3 = "trustAsHtml"
-        $xss4 = "NODE_TLS_REJECT_UNAUTHORIZED"
-        $xss5 = "rejectUnauthorized"
-        $xss6 = "insecure"
-        $xss7 = "strictSSL"
-        $xss8 = "clientPemCrtSignedBySelfSignedRootCaBuffer"
+
 
     condition : 
         1 of ($xss*) and "="  
 }
 
+rule ssl 
+{
+    strings : 
+        $ssl1 = "NODE_TLS_REJECT_UNAUTHORIZED"
+        $ssl2 = "rejectUnauthorized"
+        $ssl3 = "insecure"
+        $ssl4 = "strictSSL"
+        $ssl5 = "clientPemCrtSignedBySelfSignedRootCaBuffer"
+    condition :
+        ( $ssl1 and "0" ) or 
+        ( $ssl2 and "false" ) or 
+        ( $ssl3 and "true" ) or 
+        ( $ssl4 and "false") or 
+        ( $ssl5 ) 
+}
+
 rule ssi 
 {
     strings : 
@@ -118,17 +147,25 @@ rule electron_setting1
         $tg2 = "safeDialogs"
         $tg3 = "sandbox"
         $tg4 = "webSecurity"
-
+
+        $pre = "preload" 
+
     condition: 
-        1 of ($fg*) and  ":" and "true" or 
-        1 of ($tg*) and ":" and "false" 
+        (1 of ($fg*) and ":" and "true") or 
+        (1 of ($tg*) and ":" and "false") or 
+        ($pre and ":" )
 
 }
 
-rule electron_setting2 
+rule electron_setting3 
 {
     strings : 
-        $set = "preload" 
+        $set1 = "devTools"
+        $set2 = "BrowserWindow.webContents.openDevTools("
+        $set3 = "enableWebSQL"
+        $set4 = "openExternal("
+        $set5 = "ELECTRON_RUN_AS_NODE"
     condition: 
-        $set and ":" 
+        any of them 
+
 }

plugin/python/python.py

@@ -0,0 +1,40 @@
+import re
+import yara 
+
+DEFAULT_YARA_RULE = "./plugin/python/python_danger_functions.rule"
+
+class MyPlugin:
+
+    rules = ""
+    def init(self):
+        print("python plugin init")
+        self.rules = yara.compile(filepath=DEFAULT_YARA_RULE)
+
+
+    def audit(self,audititem):
+
+        '''
+        audititem (class AuditItem) parametered to your audit()     
+            .line <= (string) target string 
+            .i <= (int) target line number 
+            .filename <= (string) target filename  
+            .lines <= (string) use this reference lines when you find out something  
+            .output <= (Class Output) for your result, use output.list.append("your string") 
+            
+        '''
+        match = self.rules.match(data=audititem.line)
+        if match :
+            length, variable, m_string = match[0].strings[0]
+            vulnerability  = "==============================================\n"
+            vulnerability += "dangerous python function : " + match[0].rule + "\n"
+            vulnerability += "dangerous matches : "  + str(m_string,'utf-8') + "\n"
+            vulnerability += "filename : " + audititem.filename + "\n"
+
+            vulnerability += "==============================================\n"
+            vulnerability += audititem.lines 
+
+            audititem.output.list.append(vulnerability)
+
+    def finish(self):
+        print("python plugin finish")
+

plugin/python/python_danger_functions.rule

@@ -0,0 +1,163 @@
+rule cmd_excute_python3_shellspawn
+{
+    strings:
+        $cmd1 = "run("
+        $cmd2 = "Popen("
+        $cmd3 = "call("
+        $cmd4 = "check_call("
+        $cmd5 = "check_output(" 
+
+        $opt1 = "shell=True"
+        $sys1 = "system("
+
+    condition:
+        ((1 of ($cmd*)) and $opt1 ) or 
+        $sys1 
+
+}
+
+rule cmd_excute_python3_nospawn 
+{
+    strings:
+        // subprocess 
+        $cmd1 = "run("
+        $cmd2 = "Popen("
+        $cmd3 = "call("
+        $cmd4 = "check_call("
+        $cmd5 = "check_output("
+
+        // spawn 
+        $cmd6 = "spawnl("
+        $cmd7 = "spawnle("
+        $cmd8 = "spawnlp("
+        $cmd9 = "spawnlpe("
+        $cmd10 = "spawnv("
+        $cmd11 = "spawnve("
+        $cmd12 = "spawnvp("
+        $cmd13 = "spawnvpe("
+
+        // exec 
+        $cmd14 = "popen("
+        $cmd15 = "getstatusoutput("
+        $cmd16 = "getoutput("
+        $cmd17 = "startfile("
+        $cmd18 = "execl("
+        $cmd19 = "execle("
+        $cmd20 = "execlp("
+        $cmd21 = "execlpe("
+        $cmd22 = "execv("
+        $cmd23 = "execve("
+        $cmd24 = "execvp("
+        $cmd25 = "execvpe("
+    condition: 
+        all of them 
+
+}
+
+
+rule cmd_excute_python2
+{
+    strings:
+        $cmd1 = "popen2("
+        $cmd2 = "popen3("
+        $cmd3 = "popen4("      
+
+    condition:
+        any of them 
+}
+
+rule file_temper
+{
+    strings: 
+        $file1 = ".NamedTemporaryFile("
+        $file2 = "tempfile.mktemp()"
+        $file3 = "umask(0)"
+        $file4 = "chmod("
+        $file5 = "lchmod("
+        $file6 = "fchmod("
+        $file7 = "chown("
+        $file8 = "rename("
+        $file9 = "remove("
+        $file10 = "extractall("
+        $file11 = "link("
+        $file12 = "unlink("
+    condition : 
+        any of them 
+}
+
+rule py_excute 
+{
+    strings : 
+        $eval1 = "eval(" 
+
+    condition : 
+        any of them 
+
+}
+
+rule django1 
+{
+    strings:
+        $dj = "redirect("
+    condition:
+        all of them 
+
+}
+
+rule django2
+{
+    strings:
+        $dj1 = "__setitem__(" 
+    condition:
+        $dj1 and "Content-Type" 
+}
+
+rule flask1 
+{
+    strings:
+        $fl1 = "exec("
+        $fl2 = "HttpResponseRedirect("
+        $fl3 = "pickle.load(" 
+        $fl4 = "send_file(" 
+        $fl5 = "root.findall(" 
+    condition:
+        any of them 
+}
+rule flask2 
+{
+    strings: 
+        $fl1 = "yml.load(" 
+        $opt1 = "yaml.Loader"
+        $fl2 = ".add(" 
+        $opt2 = "Content-Type"
+    condition:
+        ($fl1 and $opt1 ) or  
+        ($fl2 and $opt2 ) 
+
+}
+
+rule sql_injection1
+{
+    strings : 
+        $sql1 = "query("
+        $sql2 = "execute("
+
+    condition : 
+        any of them 
+}
+
+rule sql_injection2 
+{
+    strings : 
+        $sql1 = /raw*=*%s/ nocase 
+        $sql2 = /query*=*%s/ nocase 
+        $sql3 = /sql*=*%s/ nocase
+        $sql4 = /fmt*=*%s/ nocase 
+        $sql5 = /stmt*=*%s/ nocase 
+        $sql6 = /statement*=*%s/ nocase 
+
+    condition : 
+       any of ($sql*) 
+}
+
+