engine/java:feature - adding log4j remote code injection rule (#870)

Signed-off-by: Nathan Martins <nathan.martins@zup.com.br>
ZupIT · Dec 14, 2021 · ec070ac · ec070ac
1 parent b9d3304
commit ec070ac
Show file tree

Hide file tree

Showing 5 changed files with 433 additions and 2 deletions.
diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
@@ -26,7 +26,7 @@ func NewRules() *engines.RuleManager {
 }
 
 func extensions() []string {
-	return []string{".java"}
+	return []string{".java", ".xml", ".gradle"}
 }
 
 // Rules return all rules registred to Java engine.
@@ -186,6 +186,7 @@ func Rules() []engine.Rule {
 		NewRequestMappingMethodsNotPublic(),
 		NewLDAPDeserializationNotDisabled(),
 		NewDatabasesPasswordNotProtected(),
+		NewVulnerableRemoteCodeInjectionApacheLog4j(),
 	}
 	return append(java, jvm.Rules()...)
 }
diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
@@ -2594,3 +2594,23 @@ func NewDatabasesPasswordNotProtected() text.TextRule {
 		},
 	}
 }
+
+func NewVulnerableRemoteCodeInjectionApacheLog4j() text.TextRule {
+	return text.TextRule{
+		Metadata: engine.Metadata{
+			ID:          "HS-JAVA-150",
+			Name:        "Remote code injection Apache Log4j",
+			Description: "Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. For more information checkout the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) advisory.",
+			Severity:    severities.Critical.ToString(),
+			Confidence:  confidence.Medium.ToString(),
+		},
+		Type: text.OrMatch,
+		Expressions: []*regexp.Regexp{
+			regexp.MustCompile(`compile.*group:.*org\.apache\.logging\.log4j.*name:.*log4j.*version:.*(('|")((2\.([0-9]\.|1[0-4]))|(1\.))).*('|")`),
+			regexp.MustCompile(`compile.*log4j.*(:((2\.([0-9]\.|1[0-4]))|(1\.))).*('|")`),
+			regexp.MustCompile(`<groupId>(.*|\n).*org\.apache\.logging\.log4j.*(.*|\n).*<artifactId>.*log4j.*</artifactId>(.*|\n)*(version>((2\.([0-9]\.|1[0-4]))|(1\.)))(.*|\n)*</version>`),
+			regexp.MustCompile(`<dependency.*org.*org\.apache\.logging\.log4j.*name.*log4j.*rev.*((2\.([0-9]\.|1[0-4]))|(1\.)).*/>`),
+			regexp.MustCompile(`<(log4j2|log4j)\.version>.*((2\.([0-9]\.|1[0-4]))|(1\.)).*</(log4j2|log4j)\.version>`),
+		},
+	}
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
@@ -472,6 +472,97 @@ func TestRulesVulnerableCode(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  SampleMavenVulnerableHSJAVA150,
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<groupId>org.apache.logging.log4j</groupId>",
+					SourceLocation: engine.Location{
+						Line:   11,
+						Column: 12,
+					},
+				},
+			},
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample2GradleVulnerableHSJAVA150,
+			Findings: []engine.Finding{
+				{
+					CodeSample: "compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.11.0'",
+					SourceLocation: engine.Location{
+						Line:   16,
+						Column: 4,
+					},
+				},
+				{
+					CodeSample: "compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.11.0'",
+					SourceLocation: engine.Location{
+						Line:   17,
+						Column: 4,
+					},
+				},
+				{
+					CodeSample: "compile group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.11.0'",
+					SourceLocation: engine.Location{
+						Line:   18,
+						Column: 4,
+					},
+				},
+			},
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample3GradleVulnerableHSJAVA150,
+			Findings: []engine.Finding{
+				{
+					CodeSample: "compile 'org.slf4j:slf4j-log4j12:1.7.26'",
+					SourceLocation: engine.Location{
+						Line:   23,
+						Column: 4,
+					},
+				},
+			},
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample4IvyVulnerableHSJAVA150,
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<dependency org=\"org.apache.logging.log4j\" name=\"log4j-api\" rev=\"2.11.0\" />",
+					SourceLocation: engine.Location{
+						Line:   15,
+						Column: 4,
+					},
+				},
+				{
+					CodeSample: "<dependency org=\"org.apache.logging.log4j\" name=\"log4j-core\" rev=\"2.14.1\" />",
+					SourceLocation: engine.Location{
+						Line:   16,
+						Column: 4,
+					},
+				},
+			},
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample5MavenVulnerableHSJAVA150,
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<log4j2.version>2.8.2</log4j2.version>",
+					SourceLocation: engine.Location{
+						Line:   16,
+						Column: 8,
+					},
+				},
+			},
+		},
 	}
 
 	testutil.TestVulnerableCode(t, testcases)
@@ -659,6 +750,31 @@ func TestRulesSafeCode(t *testing.T) {
 			Rule: NewDatabasesPasswordNotProtected(),
 			Src:  SampleSafeHSJAVA149,
 		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  SampleMavenSafeHSJAVA150,
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample2GradleSafeHSJAVA150,
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample3GradleSafeHSJAVA150,
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample4IvySafeHSJAVA150,
+		},
+		{
+			Name: "HS-JAVA-150",
+			Rule: NewVulnerableRemoteCodeInjectionApacheLog4j(),
+			Src:  Sample5MavenSafeHSJAVA150,
+		},
 	}
 	testutil.TestSafeCode(t, testcases)
 }