Merge pull request #3 from DevSecOps-AppSec/hcl-sast

HCL SAST Poc

Author: souro1212

.github/workflows/build.yml

@@ -0,0 +1,20 @@
+name: Build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  sonarcloud:
+    name: SonarCloud
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/dependency-review.yaml

@@ -0,0 +1,17 @@
+name: 'Dependency Review'
+on:
+  pull_request:
+    types: [opened,synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        

.github/workflows/hcl-codesweep.yaml

@@ -0,0 +1,22 @@
+name: "HCL AppScan CodeSweep"
+on:
+  pull_request:
+    types: [opened,synchronize]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Run AppScan CodeSweep
+        uses: HCL-TECH-SOFTWARE/appscan-codesweep-action@v2
+        with:
+         status: failure
+    env: 
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      

.github/workflows/snyk.yaml

@@ -0,0 +1,26 @@
+name: Snyk Workflow for SAST & SCA
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities in dependencies
+        uses: snyk/actions/python@master # See https://github.com/snyk/actions for other supported build tools/languages
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test --all-projects --json-file-output=snyk_dependencies.json
+      - name: Run Snyk to check for vulnerabilities in code
+        uses: snyk/actions/python@master # See https://github.com/snyk/actions for other supported build tools/languages
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: code test --all-projects --json-file-output=snyk_code.json
+      - name: Add Job Summary from Snyk reports
+        uses: medly/[email protected]
+        with:
+            dependencies-report-path: snyk_dependencies.json # The file name of json file which is generated on snyk test
+            code-report-path: snyk_code.json # The file name of json file which is generated on snyk code test

PAT

@@ -1,2 +1,2 @@
 [default]
-PAT = ***REMOVED***
+PAT = ***REMOVED***

XSS-test-1.py

@@ -0,0 +1,44 @@
+import http.server
+import urllib.parse
+
+comments = []
+
+class XSSHandler(http.server.BaseHTTPRequestHandler):
+    def do_GET(self):
+        if self.path == '/':
+            self.send_response(200)
+            self.send_header('Content-type', 'text/html')
+            self.end_headers()
+            self.wfile.write(b"""
+                <html>
+                    <body>
+                        <h1>Comments</h1>
+                        <form action="/comment" method="post">
+                            <input type="text" name="comment">
+                            <input type="submit" value="Add Comment">
+                        </form>
+                        <h2>All Comments</h2>
+                        <ul>
+            """)
+            for comment in comments:
+                self.wfile.write(f"<li>{comment}</li>".encode())
+            self.wfile.write(b"""
+                        </ul>
+                    </body>
+                </html>
+            """)
+
+    def do_POST(self):
+        if self.path == '/comment':
+            content_length = int(self.headers['Content-Length'])
+            post_data = self.rfile.read(content_length)
+            comment = urllib.parse.parse_qs(post_data.decode())['comment'][0]
+            comments.append(comment)
+            self.send_response(303)
+            self.send_header('Location', '/')
+            self.end_headers()
+
+if __name__ == '__main__':
+    server = http.server.HTTPServer(('localhost', 8080), XSSHandler)
+    print("Server running on http://localhost:8080")
+    server.serve_forever()

XSS-test.py

@@ -0,0 +1,33 @@
+from flask import Flask, request
+
+app = Flask(__name__)
+
+@app.route('/')
+def home():
+    return '''
+        <html>
+            <body>
+                <h1>Search</h1>
+                <form action="/search" method="get">
+                    <input type="text" name="query">
+                    <input type="submit" value="Search">
+                </form>
+            </body>
+        </html>
+    '''
+
+@app.route('/search')
+def search():
+    query = request.args.get('query')
+    # XSS vulnerability: directly reflecting user input in the response
+    return f'''
+        <html>
+            <body>
+                <h1>Search Results for: {query}</h1>
+                <p>No results found.</p>
+            </body>
+        </html>
+    '''
+
+if __name__ == '__main__':
+    app.run(debug=True)

XXE.py

@@ -0,0 +1,20 @@
+import xml.etree.ElementTree as ET
+
+def parse_xml(data):
+    try:
+        # XXE vulnerability
+        tree = ET.ElementTree(ET.fromstring(data))
+        root = tree.getroot()
+        return [elem.tag for elem in root]
+    except ET.ParseError as e:
+        return f"An error occurred during XML parsing: {e}"
+
+def main():
+    print("Welcome to the simple XML parser.")
+    user_input = input("Enter your XML data: ")
+
+    result = parse_xml(user_input)
+    print(f"Parsed XML tags:\n{result}")
+
+if __name__ == "__main__":
+    main()

addWorkflow.py

@@ -0,0 +1,32 @@
+import sqlite3
+
+def connect_to_db():
+    # Hard-coded credentials (vulnerability)
+    db_user = "admin"
+    db_password = "***REMOVED***"
+    database = "example.db"
+
+    conn = sqlite3.connect(database)
+    return conn
+
+def execute_query(conn, query):
+    try:
+        cursor = conn.cursor()
+        cursor.execute(query)
+        conn.commit()
+    except Exception as e:
+        # Improper error handling (vulnerability)
+        print(f"An error occurred: {e}")
+
+def main():
+    conn = connect_to_db()
+
+    # SQL Injection vulnerability
+    user_input = input("Enter your username: ")
+    query = f"SELECT * FROM users WHERE username = '{user_input}'"
+
+    execute_query(conn, query)
+    conn.close()
+
+if __name__ == "__main__":
+    main()

command-injection.py

@@ -0,0 +1,21 @@
+import subprocess
+import os
+
+def execute_command(command):
+    try:
+        # Command Injection vulnerability
+        output = subprocess.check_output(command, shell=True)
+        return output.decode('utf-8')
+    except subprocess.CalledProcessError as e:
+        return f"An error occurred: {e}"
+
+def main():
+    print("Welcome to the simple command executor.")
+    user_input = input("Enter the command you want to execute: ")
+
+    # Unsafe execution of user input
+    result = execute_command(user_input)
+    print(f"Command output:\n{result}")
+
+if __name__ == "__main__":
+    main()

deserialization.py

@@ -0,0 +1,24 @@
+import pickle
+import base64
+
+def deserialize_data(serialized_data):
+    try:
+        # Insecure deserialization vulnerability
+        data = pickle.loads(serialized_data)
+        return data
+    except Exception as e:
+        return f"An error occurred during deserialization: {e}"
+
+def main():
+    print("Welcome to the simple deserialization service.")
+    user_input = input("Enter base64-encoded serialized data: ")
+
+    try:
+        serialized_data = base64.b64decode(user_input)
+        result = deserialize_data(serialized_data)
+        print(f"Deserialized data:\n{result}")
+    except Exception as e:
+        print(f"An error occurred: {e}")
+
+if __name__ == "__main__":
+    main()

directory-traversal.py

@@ -0,0 +1,19 @@
+import os
+
+def read_file(file_path):
+    try:
+        with open(file_path, 'r') as file:
+            return file.read()
+    except Exception as e:
+        return f"An error occurred while reading the file: {e}"
+
+def main():
+    print("Welcome to the simple file reader.")
+    user_input = input("Enter the filename you want to read: ")
+
+    # Directory Traversal vulnerability
+    file_content = read_file(user_input)
+    print(f"File content:\n{file_content}")
+
+if __name__ == "__main__":
+    main()

requests-vuln.py

@@ -0,0 +1,11 @@
+# Importing the requests library
+import requests
+
+# URL to send a request to
+url = "http://example.com"
+
+# Sending a GET request
+response = requests.get(url)
+
+# Print the response text
+print(response.text)

requirements.txt

@@ -0,0 +1,2 @@
+requests==2.19.1
+

sonar-project.properties

@@ -0,0 +1,13 @@
+sonar.projectKey=DevSecOps-AppSec_test_keys
+sonar.organization=devsecops-appsec
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=test_keys
+#sonar.projectVersion=1.0
+
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8

weak-encryption-algorithm-1.py

@@ -0,0 +1,39 @@
+from cryptography.fernet import Fernet
+
+# Hardcoded key (vulnerability)
+key = b'12B7pZk9bVt7i9Th9F6j6vLf-8Yk8xZmHVOS3q7eYmI='
+cipher_suite = Fernet(key)
+
+def encrypt_message(message):
+    try:
+        # Encrypting the message
+        encrypted_text = cipher_suite.encrypt(message.encode())
+        return encrypted_text
+    except Exception as e:
+        return f"An error occurred during encryption: {e}"
+
+def decrypt_message(encrypted_message):
+    try:
+        # Decrypting the message
+        decrypted_text = cipher_suite.decrypt(encrypted_message).decode()
+        return decrypted_text
+    except Exception as e:
+        return f"An error occurred during decryption: {e}"
+
+def main():
+    print("Welcome to the insecure encryption demo.")
+    choice = input("Do you want to (e)ncrypt or (d)ecrypt a message? ")
+
+    if choice.lower() == 'e':
+        message = input("Enter the message to encrypt: ")
+        encrypted_message = encrypt_message(message)
+        print(f"Encrypted message: {encrypted_message}")
+    elif choice.lower() == 'd':
+        encrypted_message = input("Enter the encrypted message: ").encode()
+        decrypted_message = decrypt_message(encrypted_message)
+        print(f"Decrypted message: {decrypted_message}")
+    else:
+        print("Invalid choice. Please choose 'e' to encrypt or 'd' to decrypt.")
+
+if __name__ == "__main__":
+    main()

weak-encryption-algorithm.py

@@ -0,0 +1,32 @@
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
+import base64
+
+# Hardcoded encryption key (vulnerability)
+key = b'0123456789abcdef'  # 16-byte key for AES
+
+def encrypt(plaintext):
+    # Weak encryption using ECB mode (vulnerability)
+    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
+    encryptor = cipher.encryptor()
+    padded_plaintext = plaintext + (16 - len(plaintext) % 16) * ' '
+    ciphertext = encryptor.update(padded_plaintext.encode()) + encryptor.finalize()
+    return base64.b64encode(ciphertext).decode()
+
+def decrypt(ciphertext):
+    cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend())
+    decryptor = cipher.decryptor()
+    decrypted_data = decryptor.update(base64.b64decode(ciphertext)) + decryptor.finalize()
+    return decrypted_data.decode().strip()
+
+def main():
+    print("Welcome to the insecure encryption service.")
+    plaintext = input("Enter plaintext to encrypt: ")
+    encrypted_text = encrypt(plaintext)
+    print(f"Encrypted text: {encrypted_text}")
+
+    decrypted_text = decrypt(encrypted_text)
+    print(f"Decrypted text: {decrypted_text}")
+
+if __name__ == "__main__":
+    main()