From e02e76345efd8fa3ed3349f809d8966af0a6762a Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 31 Jul 2024 15:51:46 +0200
Subject: [PATCH 1/3] tide patterns, adding domains

---
 tests/analyzer/sourcecode/shady-links.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
index 9d3486d5..cedeba62 100644
--- a/tests/analyzer/sourcecode/shady-links.py
+++ b/tests/analyzer/sourcecode/shady-links.py
@@ -149,3 +149,19 @@ def f():
         data=json.dumps(data).encode("utf-8", errors="ignore"),
         headers=headers,
     )
+
+def f():
+    auth_config = KubernetesUserPasswordConfig(
+        username=kube_config.username,
+        password=kube_config.password,
+        server=kube_config.host,
+        certificate_authority=base64.urlsafe_b64encode(
+            open(kube_config.ssl_ca_cert, "rb").read()
+        ).decode("utf-8")
+        if kube_config.ssl_ca_cert
+        else None,
+        # ok: shady-links
+        cluster_name=kube_config.host.strip("https://").split(":")[0],
+        insecure=kube_config.verify_ssl is False,
+    )
+

From 2888c3a74481268d662e9b6f894c00cbea4efb18 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 31 Jul 2024 15:53:19 +0200
Subject: [PATCH 2/3] adding domains and fixing patterns

---
 guarddog/analyzer/sourcecode/shady-links.yml | 20 +++++++++++---------
 tests/analyzer/sourcecode/shady-links.py | 4 ++++
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 8bab71e2..06a3e61b 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -5,10 +5,9 @@ rules:
     metadata:
       description: Identify when a package contains an URL to a domain with a suspicious extension
     patterns:
-      # Semgrep not robust enough to ignore comments in lists
-      - pattern-not-regex: \# .* # ignore comments
+      - pattern-not-regex: ^\s*\# .*
       - pattern-not-regex: ^\s*\/\*(.|\n)*?\*\/\s*$
       - pattern-not-regex: ^\s*\/\/.*$
@@ -16,19 +15,22 @@ rules:
       - pattern-not-regex: ^\s*"""(.|\n)*?"""\s*$
       # Exclude local IPv4 sometimes used in tests
-      - pattern-not-regex: (http[s]?:\/\/[^/?#]*(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
+      - pattern-not-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
       # Exclude public IPv4 sometimes used in tests
-      - pattern-not-regex: (http[s]?:\/\/[^/?#]*(?:1\.1\.1\.1|8\.8\.8\.8))
+      - pattern-not-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
       - patterns:
           - pattern: ("...")
           - pattern-either:
-              - pattern-regex: (http[s]?:\/\/bit\.ly.*)$
-              - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$
-              - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
-              - pattern-regex: (http[s]?:\/\/[^/?#]*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
-              - pattern-regex: (http[s]?:\/\/[^\n\[/?#]*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
+              # complete domains
+              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run)\/)
+              # top-level domains
+              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
+              # IPv4
+              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
+              # IPv6
+              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
     paths:
       exclude:
         - "*/test/*"
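Review bot: In the added "complete domains" alternation, `backblazeb2\.com\|paste\.ee` escapes the pipe, so that branch only matches the literal text `backblazeb2.com|paste.ee` and neither backblazeb2.com nor paste.ee is ever flagged; it should read `backblazeb2\.com|paste\.ee`. The same escaped pipe is carried unchanged into the Patch 3/3 hunk that extends this list with webhook.site, oastify.com and burpcollaborator.me. Separately, every new pattern-regex now ends in `\/`, whereas the removed top-level-domain rule also had a `$` variant, so a literal holding a bare host with no path (constructed example: `"https://a.xyz"`) would presumably no longer match — a fixture for that case, or a terminator such as `(\/|["'])`, would settle it. The enclosing `patterns:` list starts before this hunk, and the hunk header's line counts suggest a few context lines are not shown here.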
diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
index cedeba62..b13860b5 100644
--- a/tests/analyzer/sourcecode/shady-links.py
+++ b/tests/analyzer/sourcecode/shady-links.py
@@ -165,3 +165,7 @@ def f():
         insecure=kube_config.verify_ssl is False,
     )
 
+def f():
+    # ruleid: shady-links
+    trackingServiceUrl = 'https://b.alt-h7-eoj8gqk1.workers.dev/track'
+

From f529611b3e5e6f6b0bc122c632363a9750164e2a Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 31 Jul 2024 16:00:04 +0200
Subject: [PATCH 3/3] tide patterns, adding domains

---
 guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 06a3e61b..c2c667bc 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -24,7 +24,7 @@ rules:
           - pattern: ("...")
           - pattern-either:
               # complete domains
-              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run)\/)
+              - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
               # top-level domains
               - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
               # IPv4
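Review bot: The three domains appended to the "complete domains" alternation in this Patch 3/3 hunk (webhook.site, oastify.com, burpcollaborator.me) arrive without a `# ruleid: shady-links` fixture in tests/analyzer/sourcecode/shady-links.py, while the Patch 2/3 hunk above added one for workers.dev; one literal per new domain, each followed by a path so the trailing `\/` is satisfied, would keep the rule's fixtures in step with the list. These hosts are typically seen as subdomains, which the unanchored `*?` prefix already allows, so a short comment on the line stating that any subdomain is intended would save the next reader from tightening it. The `pattern-either:` block this line belongs to continues past the end of the hunk.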