From 99a0520260e0af368537ad9a144fae3b50c36a02 Mon Sep 17 00:00:00 2001
From: Pavel Bansky
Date: Mon, 26 Aug 2019 12:07:11 -0700
Subject: [PATCH] TLS rules detecting hardcoded TLS
---
 .../default/security/TLS/tests/DS112835.test | 21 +++
 .../default/security/TLS/tests/DS112836.test | 25 +++
 .../default/security/TLS/tests/DS112837.test | 8 +
 .../default/security/TLS/tests/DS112838.test | 12 ++
 .../default/security/TLS/tests/DS112839.test | 15 ++
 rules/default/security/TLS/tls_appconfig.json | 51 ++++++
 .../default/security/TLS/tls_appcontext.json | 37 ++++
 .../security/TLS/tls_functioncall.json | 69 ++++++++
 rules/default/security/TLS/tls_generic.json | 99 +++++++++++
 rules/default/security/TLS/tls_python.json | 37 ++++
 .../security/TLS/tls_secuirtyprotocol.json | 142 +++++++++++++++
 .../default/security/TLS/tls_sslprotocol.json | 165 ++++++++++++++++++
 rules/default/security/TLS/tls_win32.json | 33 ++++
 13 files changed, 714 insertions(+)
 create mode 100644 rules/default/security/TLS/tests/DS112835.test
 create mode 100644 rules/default/security/TLS/tests/DS112836.test
 create mode 100644 rules/default/security/TLS/tests/DS112837.test
 create mode 100644 rules/default/security/TLS/tests/DS112838.test
 create mode 100644 rules/default/security/TLS/tests/DS112839.test
 create mode 100644 rules/default/security/TLS/tls_appconfig.json
 create mode 100644 rules/default/security/TLS/tls_appcontext.json
 create mode 100644 rules/default/security/TLS/tls_functioncall.json
 create mode 100644 rules/default/security/TLS/tls_generic.json
 create mode 100644 rules/default/security/TLS/tls_python.json
 create mode 100644 rules/default/security/TLS/tls_secuirtyprotocol.json
 create mode 100644 rules/default/security/TLS/tls_sslprotocol.json
 create mode 100644 rules/default/security/TLS/tls_win32.json
diff --git a/rules/default/security/TLS/tests/DS112835.test b/rules/default/security/TLS/tests/DS112835.test
new file mode 100644
index 00000000..3ed6af86
--- /dev/null
+++ b/rules/default/security/TLS/tests/DS112835.test
@@ -0,0 +1,21 @@
+line: 1 expect DS112835,DS144436,DS440000
+line: 2
+line: 3 expect DS112835,DS144436,DS440000
+line: 4 expect DS112835,DS112835,DS144436,DS440000
+line: 5 expect DS112835,DS112835,DS440000
+line: 6 expect DS112835,DS112835,DS440000
+line: 8 expect DS112835,DS440000
+line: 9 expect DS112835,DS440000
+line: 10
+====
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
+
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls11;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.SystemDefault;
+
diff --git a/rules/default/security/TLS/tests/DS112836.test b/rules/default/security/TLS/tests/DS112836.test
new file mode 100644
index 00000000..b9bcc233
--- /dev/null
+++ b/rules/default/security/TLS/tests/DS112836.test
@@ -0,0 +1,25 @@
+line: 3 expect DS112836,DS440000,DS440000,DS440000
+line: 4 expect DS112836,DS440000,DS440000,DS440000
+line: 5 expect DS112836,DS440000,DS440000
+line: 6 expect DS112836,DS440000,DS440000
+line: 7 expect DS112836,DS440000,DS440000,DS440000
+line: 8 expect DS112836,DS440000,DS440000,DS440000
+line: 9 expect DS112836,DS440000,DS440000,DS440000
+line: 10 expect DS112836,DS112836,DS440000,DS440000,DS440000
+line: 11 expect DS112836,DS112836,DS440000,DS440000,DS440000
+line: 12 expect DS112836,DS112836,DS440000,DS440000,DS440000
+====
+NetTcpBinding b = new NetTcpBinding();
+b.Security.Mode = SecurityMode.Transport;
+b.Security.Transport.SslProtocols = SslProtocolsExtensions.Tls11;
+b.Security.Transport.SslProtocols = SslProtocolsExtensions.Tls12;
+b.Security.Transport.SslProtocols = SslProtocols.Default ;
+b.Security.Transport.SslProtocols = SslProtocols.None;
+b.Security.Transport.SslProtocols = SslProtocols.Ssl2 ;
+b.Security.Transport.SslProtocols = SslProtocols.Ssl3;
+b.Security.Transport.SslProtocols = SslProtocols.Tls;
+b.Security.Transport.SslProtocols = SslProtocols.Tls11;
+b.Security.Transport.SslProtocols = SslProtocols.Tls12;
+b.Security.Transport.SslProtocols = SslProtocols.Tls13;
+
+
diff --git a/rules/default/security/TLS/tests/DS112837.test b/rules/default/security/TLS/tests/DS112837.test
new file mode 100644
index 00000000..d914ab0f
--- /dev/null
+++ b/rules/default/security/TLS/tests/DS112837.test
@@ -0,0 +1,8 @@
+line: 1 expect DS112837
+line: 2 expect DS112837
+====
+private const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
+private const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
+AppContext.SetSwitch(DisableCachingName, true);
+AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true)
+
diff --git a/rules/default/security/TLS/tests/DS112838.test b/rules/default/security/TLS/tests/DS112838.test
new file mode 100644
index 00000000..6e6e595c
--- /dev/null
+++ b/rules/default/security/TLS/tests/DS112838.test
@@ -0,0 +1,12 @@
+line: 2
+line: 3
+line: 4 expect DS112838,DS440000
+line: 5 expect DS112838,DS440000
+====
+
+
+
+
+
+
+
diff --git a/rules/default/security/TLS/tests/DS112839.test b/rules/default/security/TLS/tests/DS112839.test
new file mode 100644
index 00000000..3a1f09a3
--- /dev/null
+++ b/rules/default/security/TLS/tests/DS112839.test
@@ -0,0 +1,15 @@
+line: 1 expect DS112839,DS440000
+line: 2 expect DS112839,DS112839,DS440000
+line: 3
+line: 4 expect DS112839,DS440000
+line: 5 expect DS112839,DS112839,DS440000
+line: 6
+====
+SslStream.AuthenticateAsClient()
+SslStream.AuthenticateAsClientAsync()
+BeginAuthenticateAsClient()
+SslStream.AuthenticateAsServer()
+SslStream.AuthenticateAsServerAsync()
+BeginAuthenticateAsServer()
+
+
diff --git a/rules/default/security/TLS/tls_appconfig.json b/rules/default/security/TLS/tls_appconfig.json
new file mode 100644
index 00000000..0294411d
--- /dev/null
+++ b/rules/default/security/TLS/tls_appconfig.json
@@ -0,0 +1,51 @@
+[
+ {
+ "name": "Possibly hardcoded TLS protocol",
+ "id": "DS112838",
+ "description": "Possibly hardcoded TLS protocol",
+ "recommendation": "Review for security purposes",
+ "applies_to": [
+ ".config"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "manual-review",
+ "_comment": "",
+ "rule_info": "DS112838.md",
+ "patterns": [
+ {
+ "pattern": "Switch.System.Net.DontEnableSchUseStrongCrypto",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocol",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "Switch.System.Net.DontEnableSystemDefaultTlsVersions",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_appcontext.json b/rules/default/security/TLS/tls_appcontext.json
new file mode 100644
index 00000000..45682aa6
--- /dev/null
+++ b/rules/default/security/TLS/tls_appcontext.json
@@ -0,0 +1,37 @@
+[
+ {
+ "name": "Possibly hardcoded TLS protocol",
+ "id": "DS112837",
+ "description": "Possibly hardcoded TLS protocol",
+ "recommendation": "Review for security purposes",
+ "applies_to": [
+ "csharp",
+ "powershell",
+ "vb"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "manual-review",
+ "_comment": "",
+ "rule_info": "DS112837.md",
+ "patterns": [
+ {
+ "pattern": "TestSwitch.LocalAppContext.DisableCaching",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "Switch.System.Net.DontEnableSchUseStrongCrypto",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
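Review bot: The four DS112838 patterns match the switch name only, so a `.config` entry that sets a switch to its hardening value (the `=false` form) is reported exactly like the weakening `=true` form; with `severity` at `manual-review` that may be intended, but the empty `_comment` should say so, e.g. `"_comment": "Matches the switch name regardless of value; only the =true form opts out of OS-default TLS selection"`. The patterns are declared `"type": "regex"` but written as literals, so either escape the dots (`Switch\\.System\\.Net\\.DontEnableSchUseStrongCrypto`) or use `"type": "string"` as tls_python.json does for `ssl_version`. The `description` "Possibly hardcoded TLS protocol" is also slightly off for these switches, which disable system-default TLS selection rather than pin a version; tls_appcontext.json reuses the same wording.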
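Review bot: The first DS112837 pattern, `TestSwitch.LocalAppContext.DisableCaching`, is not a TLS switch — it appears to be the sample switch name from the AppContext documentation — so `AppContext.SetSwitch(DisableCachingName, true)` in DS112837.test is a false positive that the test then pins as expected output. The rule is also narrower than tls_appconfig.json: `Switch.System.Net.DontEnableSystemDefaultTlsVersions` and the two `Switch.System.ServiceModel.*` switches can equally be set through `AppContext.SetSwitch`, yet only the `.config` rule lists them. I would drop the test-switch pattern, add the three missing names so both rules cover the same set, and adjust the test accordingly. The dots in these `regex` patterns are unescaped here as well.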
diff --git a/rules/default/security/TLS/tls_functioncall.json b/rules/default/security/TLS/tls_functioncall.json
new file mode 100644
index 00000000..360bb61f
--- /dev/null
+++ b/rules/default/security/TLS/tls_functioncall.json
@@ -0,0 +1,69 @@
+[
+ {
+ "name": "Possibly hardcoded TLS protocol",
+ "id": "DS112839",
+ "description": "Possibly hardcoded TLS protocol",
+ "recommendation": "Review for security purposes",
+ "applies_to": [
+ "csharp",
+ "powershell",
+ "vb"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "manual-review",
+ "_comment": "",
+ "rule_info": "DS112839.md",
+ "patterns": [
+ {
+ "pattern": "SslStream.AuthenticateAsClient",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslStream.AuthenticateAsClientAsync",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "BeginAuthenticateAsClient",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslStream.AuthenticateAsServer",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslStream.AuthenticateAsServerAsync",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "BeginAuthenticateAsServer",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_generic.json b/rules/default/security/TLS/tls_generic.json
new file mode 100644
index 00000000..0988eeaa
--- /dev/null
+++ b/rules/default/security/TLS/tls_generic.json
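Review bot: `SslStream.AuthenticateAsClient` is a prefix of `SslStream.AuthenticateAsClientAsync` (likewise the server pair), so every Async call yields two DS112839 findings — DS112839.test lines 2 and 5 codify the duplicate. More importantly these are instance methods, so the type-name prefix only matches when the variable happens to be named `SslStream`; a call on an ordinary variable such as `stream.AuthenticateAsClient(...)` is missed unless matching is case-insensitive, which nothing in the rule declares, while `BeginAuthenticateAsClient` carries no prefix at all. One anchored pattern, `\\.(Begin)?AuthenticateAs(Client|Server)(Async)?\\s*\\(`, would replace all six without double-counting. Since the severity is manual-review, the `_comment` could also note that only the overloads taking an `SslProtocols` argument can hard-code a version.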
@@ -0,0 +1,99 @@
+[
+ {
+ "name": "Generic: Do not hardcode SSL/TLS versions within an application.",
+ "id": "DS440000",
+ "description": "SSL/TLS version usage should be based on an OS or external configuration.",
+ "recommendation": "",
+ "applies_to": [
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "important",
+ "_comment": "",
+ "rule_info": "DS440000.md",
+ "patterns": [
+ {
+ "pattern": "(SSL|D?TLS)v?[123_\\.]*",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "modifiers" : ["i"],
+ "_comment": "Generic reference to a SSL/TLS version"
+ }
+ ]
+ },
+ {
+ "name": "OpenSSL: Do not hardcode SSL/TLS versions within an application.",
+ "id": "DS440010",
+ "description": "SSL/TLS version usage should be based on an OS or external configuration.",
+ "recommendation": "",
+ "applies_to": [
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "important",
+ "_comment": "Applies to all languages since many just wrap OpenSSL constructs.",
+ "rule_info": "DS440000.md",
+ "patterns": [
+ {
+ "pattern": "SSLv2?3_method|D?TLSv1_([123]_)?(client_|server_)?method",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL functions that implement specific protocol versions"
+ },
+ {
+ "pattern": "DTLSv1_listen|SSL_stateless",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL functions that implicitly call specific protocol versions"
+ },
+ {
+ "pattern": "SSL_(CTX_)?set_(min|max)_proto_version",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SSL_EXT_TLS_ONLY|SSL_EXT_DTLS_ONLY|SSL_EXT_TLS_IMPLEMENTATION_ONLY|SSL_EXT_SSL3_ALLOWED|SSL_EXT_TLS1_2_AND_BELOW_ONLY|SSL_EXT|TLS1_3_ONLY|SSL_EXT_TLS1_2_SERVER_HELLO|SSL_EXT_TLS1_3_SERVER_HELLO",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL extension / options"
+ },
+ {
+ "pattern": "SSL_OP_(NO_(SSLv3|TLSv1|TLSv1_1|TLSv1_2|TLSv1_3|DTLSv1|DTLSv1_2))",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL extension / options"
+ },
+ {
+ "pattern": "SSL_OP_[A-Z0-9_]+",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL extension / options"
+ },
+ {
+ "pattern": "(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK)[A-Z0-9\\-]+-?(SHA|MD|GOST)[A-Z0-9\\-]*",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": "OpenSSL cipher suite"
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_python.json b/rules/default/security/TLS/tls_python.json
new file mode 100644
index 00000000..ffbad48d
--- /dev/null
+++ b/rules/default/security/TLS/tls_python.json
@@ -0,0 +1,37 @@
+[
+ {
+ "name": "Python- Do not hardcode TLS protocol versions.",
+ "id": "DS440070",
+ "description": "Python- Do not hardcode TLS protocol versions.",
+ "recommendation": "",
+ "applies_to": [
+ "python"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "important",
+ "_comment": "",
+ "rule_info": "DS440000.md",
+ "patterns": [
+ {
+ "pattern": "PROTOCOL_(SSL|TLS)v[123_]+(_CLIENT|SERVER)?",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "ssl_version",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_secuirtyprotocol.json b/rules/default/security/TLS/tls_secuirtyprotocol.json
new file mode 100644
index 00000000..c6670407
--- /dev/null
+++ b/rules/default/security/TLS/tls_secuirtyprotocol.json
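Review bot: The DS440000 pattern `(SSL|D?TLS)v?[123_\\.]*` under the `i` modifier needs neither a version digit nor a word boundary, so any identifier containing `ssl` or `tls` becomes an `important` finding: DS112836.test expects three DS440000 hits on `b.Security.Transport.SslProtocols = SslProtocolsExtensions.Tls11;` (two of them from the property name alone) and DS112839.test expects one on `SslStream.AuthenticateAsClient()`, where no version appears at all. Requiring a version, e.g. `\\b(SSL|D?TLS)v?[123]([._]?[0-9])?\\b`, keeps `Tls12`, `TLSv1_2` and `Ssl3` while dropping `SslStream`/`SslProtocols`; the test expectations would shrink accordingly. In DS440010 the alternative `SSL_EXT|TLS1_3_ONLY` looks like a broken `SSL_EXT_TLS1_3_ONLY` — as written the bare `SSL_EXT` branch makes every other `SSL_EXT_*` alternative redundant and `TLS1_3_ONLY` matches on its own. The `SSL_OP_[A-Z0-9_]+` pattern also subsumes the preceding `SSL_OP_(NO_(...))` pattern, so those options are reported twice by the same rule, and `EXP` appears twice in the cipher-suite alternation.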
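Review bot: The `ssl_version` string pattern fires on the parameter name regardless of the value passed, so a negotiating value is reported at `important` exactly like a pinned `PROTOCOL_TLSv1`; the regex pattern likewise reports `PROTOCOL_SSLv23`, the legacy negotiate-everything alias, as a hard-coded version, which is arguably not what the rule name says. A `_comment` on the string pattern such as `"Parameter name only; the value decides whether a version is pinned"` would tell the reviewer what to look at. The optional group `(_CLIENT|SERVER)?` is also asymmetric — the second branch lacks the underscore — and only works because `_` is already inside `[123_]+`.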
@@ -0,0 +1,142 @@
+[
+ {
+ "name": "Possibly hardcoded TLS protocol",
+ "id": "DS112835",
+ "description": "Possibly hardcoded TLS protocol",
+ "recommendation": "Review for security purposes",
+ "applies_to": [
+ "csharp",
+ "powershell",
+ "vb"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "manual-review",
+ "_comment": "",
+ "rule_info": "DS112835.md",
+ "patterns": [
+ {
+ "pattern": "SecurityProtocolType.Ssl3",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)48",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolType.SystemDefault",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)0",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolType.Tls",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)192",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolType.Tls11",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)768",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolType.Tls12",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)3072",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolType.Tls13",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SecurityProtocolType)12288",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolTypeExtensions.Tls11",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolTypeExtensions.Tls12",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SecurityProtocolTypeExtensions.SystemDefault",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_sslprotocol.json b/rules/default/security/TLS/tls_sslprotocol.json
new file mode 100644
index 00000000..ebfcdebe
--- /dev/null
+++ b/rules/default/security/TLS/tls_sslprotocol.json
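Review bot: The numeric-cast patterns such as `(SecurityProtocolType)48` and `(SecurityProtocolType)3072` are typed `regex`, where the parentheses form a capture group, so they match the text `SecurityProtocolType3072` and never the cast `(SecurityProtocolType)3072` they are written for; they need `\\(SecurityProtocolType\\)\\s*3072` or `"type": "string"`. The same mistake is in every `(SslProtocols)N` pattern of tls_sslprotocol.json. `SecurityProtocolType.Tls` is also a prefix of the `Tls11`/`Tls12`/`Tls13` patterns, which is why DS112835.test lines 4–6 expect two DS112835 findings each; `SecurityProtocolType\\.Tls(?![0-9])` would report TLS 1.0 once. `SecurityProtocolType.SystemDefault` and `SecurityProtocolTypeExtensions.SystemDefault` are the values that defer to the OS, yet they carry the same "Possibly hardcoded TLS protocol" text as `Ssl3`, and the test gives their lines (2 and 10) no expectation — a `_comment` explaining why they are listed would help. The file name `tls_secuirtyprotocol.json` is misspelled.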
@@ -0,0 +1,165 @@
+[
+ {
+ "name": "Possibly hardcoded TLS protocol",
+ "id": "DS112836",
+ "description": "Possibly hardcoded TLS protocol",
+ "recommendation": "Review for security purposes",
+ "applies_to": [
+ "csharp",
+ "powershell",
+ "vb"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "manual-review",
+ "_comment": "",
+ "rule_info": "DS112836.md",
+ "patterns": [
+ {
+ "pattern": "SslProtocolsExtensions.Tls11",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocolsExtensions.Tls12",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Default",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)240",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.None",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)0",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Ssl2",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)12",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Ssl3",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)48",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Tls",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)192",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Tls11",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)768",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Tls12",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)3072",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "SslProtocols.Tls13",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(SslProtocols)12288",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/default/security/TLS/tls_win32.json b/rules/default/security/TLS/tls_win32.json
new file mode 100644
index 00000000..7ab916f5
--- /dev/null
+++ b/rules/default/security/TLS/tls_win32.json
@@ -0,0 +1,33 @@
+[
+ {
+
+ "name": "Win32- Do not hardcode TLS protocol versions.",
+ "id": "DS440071",
+ "description": "Win32- Do not hardcode TLS protocol versions.",
+ "recommendation": "",
+ "overrides": ["DS440000"],
+ "applies_to": [
+ "c",
+ "cpp",
+ "csharp"
+ ],
+ "tags": [
+ "Cryptography.Protocol.TLS.Hardcoded"
+ ],
+ "severity": "important",
+ "_comment": "",
+ "rule_info": "DS440000.md",
+ "patterns": [
+ {
+ "pattern": "SP_PROT_[A-Z0-9_]+_(SERVER|CLIENT)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ ]
+ }
+]
\ No newline at end of file
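Review bot: `SslProtocols.None` and `SslProtocols.Default` are listed beside `Ssl2`/`Ssl3` with the identical "Possibly hardcoded TLS protocol" text, although `None` is the value that lets the OS choose and `Default` is the legacy `Ssl3 | Tls` combination (the 240 = 48 + 192 that the cast patterns spell out); the `_comment` on each should state what the reviewer is meant to look for, e.g. `"_comment": "None defers to the OS; listed so an explicit Default/Ssl* assignment nearby is not missed"`. `SslProtocols.Tls` is a prefix of `SslProtocols.Tls11`/`Tls12`/`Tls13`, so DS112836.test lines 10–12 expect DS112836 twice; `SslProtocols\\.Tls(?![0-9])` reports TLS 1.0 once. The unescaped `.` in every pattern is harmless in practice but `\\.` is what is meant.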
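Review bot: `SP_PROT_[A-Z0-9_]+_(SERVER|CLIENT)` requires the `_SERVER`/`_CLIENT` suffix, so the combined Schannel constants that are usually what ends up in `grbitEnabledProtocols` — `SP_PROT_TLS1_2`, `SP_PROT_TLS1_0`, `SP_PROT_SSL3` — are not matched by this rule and, if `overrides` only suppresses DS440000 where DS440071 itself fires, are reported solely through the generic substring rule. Something like `SP_PROT_(SSL[23]|D?TLS1(_[0-3])?)(_(SERVER|CLIENT))?` covers both forms while leaving `SP_PROT_NONE`/`SP_PROT_ALL` alone. The empty line after the opening `{`, the empty `_comment` and the empty `fix_its` array are minor style points.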