Merge pull request #27 from git-pkgs/seed-framework-orm-sinks

Seed sinks for web frameworks and ORMs

Author: andrew

detect/threat_test.go

@@ -292,26 +292,38 @@ func TestSinksRubyProject(t *testing.T) {
 	sr := engine.Sinks(r)
 
 	if len(sr.Sinks) == 0 {
-		t.Fatal("expected sinks from Ruby language def")
+		t.Fatal("expected sinks from detected tools")
 	}
 
-	// All sinks in this fixture come from Ruby (only ruby/language.toml has sinks).
-	bySymbol := make(map[string]brief.SinkEntry)
+	// Index by tool+symbol since multiple tools can have a sink with the same name.
+	type key struct{ tool, symbol string }
+	idx := make(map[key]brief.SinkEntry)
 	for _, s := range sr.Sinks {
-		if s.Tool != "Ruby" {
-			t.Errorf("unexpected sink from %q: %v", s.Tool, s)
-		}
-		bySymbol[s.Symbol] = s
+		idx[key{s.Tool, s.Symbol}] = s
 	}
 
-	if e, ok := bySymbol["eval"]; !ok {
-		t.Error("expected eval sink")
+	// Ruby stdlib sinks
+	if e, ok := idx[key{"Ruby", "eval"}]; !ok {
+		t.Error("expected Ruby eval sink")
 	} else if e.Threat != "code_injection" || e.CWE != "CWE-95" {
-		t.Errorf("eval sink = %+v", e)
+		t.Errorf("Ruby eval sink = %+v", e)
+	}
+	if _, ok := idx[key{"Ruby", "Marshal.load"}]; !ok {
+		t.Error("expected Ruby Marshal.load sink")
+	}
+
+	// Rails framework sinks
+	if e, ok := idx[key{"Rails", "html_safe"}]; !ok {
+		t.Error("expected Rails html_safe sink")
+	} else if e.Threat != "xss" {
+		t.Errorf("Rails html_safe threat = %q, want xss", e.Threat)
 	}
 
-	if _, ok := bySymbol["Marshal.load"]; !ok {
-		t.Error("expected Marshal.load sink")
+	// ActiveRecord ORM sinks
+	if e, ok := idx[key{"ActiveRecord", "find_by_sql"}]; !ok {
+		t.Error("expected ActiveRecord find_by_sql sink")
+	} else if e.Threat != "sql_injection" {
+		t.Errorf("ActiveRecord find_by_sql threat = %q, want sql_injection", e.Threat)
 	}
 }
 

knowledge/elixir/ecto.toml

@@ -20,3 +20,31 @@ run = "mix ecto.migrate"
 role = ["library"]
 function = ["data-mapping", "validation"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Repo.query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With interpolation; $1 placeholders are safe"
+
+[[security.sinks]]
+symbol = "Repo.query!"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "fragment"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With ^ pinned interpolation outside the fragment"
+
+[[security.sinks]]
+symbol = "Ecto.Adapters.SQL.query"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "cast"
+threat = "mass_assignment"
+cwe = "CWE-915"
+note = "Without explicit field allowlist as second arg"

knowledge/elixir/phoenix.toml

@@ -23,3 +23,31 @@ role = ["framework"]
 function = ["api-development", "templating"]
 layer = ["backend", "full-stack"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "raw"
+threat = "xss"
+cwe = "CWE-79"
+note = "Phoenix.HTML.raw bypasses escaping"
+
+[[security.sinks]]
+symbol = "safe_to_string"
+threat = "xss"
+cwe = "CWE-79"
+
+[[security.sinks]]
+symbol = "redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+note = "With external: target"
+
+[[security.sinks]]
+symbol = "send_file"
+threat = "path_traversal"
+cwe = "CWE-22"
+note = "Plug.Conn.send_file"
+
+[[security.sinks]]
+symbol = "send_download"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/echo.toml

@@ -18,3 +18,29 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.HTML"
+threat = "xss"
+cwe = "CWE-79"
+note = "Renders raw HTML string"
+
+[[security.sinks]]
+symbol = "c.HTMLBlob"
+threat = "xss"
+cwe = "CWE-79"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.File"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.Attachment"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/ent.toml

@@ -21,3 +21,15 @@ files = ["ent/schema/"]
 
 [taxonomy]
 function = ["code-generation"]
+
+[[security.sinks]]
+symbol = "sql.Raw"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Generated code is safe; raw escape hatch is not"
+
+[[security.sinks]]
+symbol = "ExecContext"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Direct driver access"

knowledge/go/fiber.toml

@@ -18,3 +18,24 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.SendString"
+threat = "xss"
+cwe = "CWE-79"
+note = "When Content-Type is text/html"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.SendFile"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.Download"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/gin.toml

@@ -17,3 +17,30 @@ role = ["framework"]
 function = ["api-development"]
 layer = ["backend"]
 domain = ["web-development"]
+
+[[security.sinks]]
+symbol = "c.String"
+threat = "xss"
+cwe = "CWE-79"
+note = "No HTML escaping; use c.HTML for templated output"
+
+[[security.sinks]]
+symbol = "c.Data"
+threat = "xss"
+cwe = "CWE-79"
+note = "When Content-Type is text/html"
+
+[[security.sinks]]
+symbol = "c.Redirect"
+threat = "open_redirect"
+cwe = "CWE-601"
+
+[[security.sinks]]
+symbol = "c.File"
+threat = "path_traversal"
+cwe = "CWE-22"
+
+[[security.sinks]]
+symbol = "c.FileAttachment"
+threat = "path_traversal"
+cwe = "CWE-22"

knowledge/go/gorm.toml

@@ -16,3 +16,42 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Raw"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "db.Raw with Sprintf; placeholders are safe"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Where"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With Sprintf string; struct/map forms are safe"
+
+[[security.sinks]]
+symbol = "Order"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "Column name not parameterizable"
+
+[[security.sinks]]
+symbol = "Select"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "With string from user input"
+
+[[security.sinks]]
+symbol = "Group"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Having"
+threat = "sql_injection"
+cwe = "CWE-89"

knowledge/go/pgx.toml

@@ -14,3 +14,19 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "When query built via Sprintf; use $1 placeholders"
+
+[[security.sinks]]
+symbol = "QueryRow"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"

knowledge/go/sqlx.toml

@@ -14,3 +14,29 @@ ecosystems = ["go"]
 role = ["library"]
 function = ["data-mapping"]
 layer = ["data-layer"]
+
+[[security.sinks]]
+symbol = "Query"
+threat = "sql_injection"
+cwe = "CWE-89"
+note = "When query built via Sprintf; use bindvars"
+
+[[security.sinks]]
+symbol = "Queryx"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Exec"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Get"
+threat = "sql_injection"
+cwe = "CWE-89"
+
+[[security.sinks]]
+symbol = "Select"
+threat = "sql_injection"
+cwe = "CWE-89"