Skip to content

Commit

Permalink
nginx:chore - Adding improvements on nginx rules (#1041)
Browse files Browse the repository at this point in the history 
In this commit I changed to add Safe and Unsafe code
in all rules of the nginx. Reference from issue #630 and #1020.

Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>
(cherry picked from commit 08734c1)
Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>
  • Loading branch information
@wiliansilvazup
wiliansilvazup committed Apr 6, 2022
1 parent 229df8b commit c6f20fe
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 33 deletions.
48 changes: 28 additions & 20 deletions internal/services/engines/nginx/rules.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,13 @@ import (
func NewIncludeXFrameOptionsHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-1",
Name: "Improper Restriction of Rendered UI Layers or Frames",
Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-1",
Name: "Improper Restriction of Rendered UI Layers or Frames",
Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX1,
UnsafeExample: SampleVulnerableHSNGINX1,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -43,11 +45,13 @@ func NewIncludeXFrameOptionsHeader() *text.Rule {
func NewIncludeXContentTypeOptionsHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-2",
Name: "Missing X-Content-Type-Options header",
Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-2",
Name: "Missing X-Content-Type-Options header",
Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX2,
UnsafeExample: SampleVulnerableHSNGINX2,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -59,11 +63,13 @@ func NewIncludeXContentTypeOptionsHeader() *text.Rule {
func NewIncludeContentSecurityPolicyHeader() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-3",
Name: "Missing Content-Security-Policy header",
Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-3",
Name: "Missing Content-Security-Policy header",
Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX3,
UnsafeExample: SampleVulnerableHSNGINX3,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand All @@ -75,11 +81,13 @@ func NewIncludeContentSecurityPolicyHeader() *text.Rule {
func NewIncludeServerTokensOff() *text.Rule {
return &text.Rule{
Metadata: engine.Metadata{
ID: "HS-NGINX-4",
Name: "Exposure of Sensitive Information",
Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
ID: "HS-NGINX-4",
Name: "Exposure of Sensitive Information",
Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
Severity: severities.Medium.ToString(),
Confidence: confidence.Medium.ToString(),
SafeExample: SampleSafeHSNGINX4,
UnsafeExample: SampleVulnerableHSNGINX4,
},
Type: text.NotMatch,
Expressions: []*regexp.Regexp{
Expand Down
25 changes: 12 additions & 13 deletions internal/services/engines/nginx/rules_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
package nginx

import (
"fmt"
"path/filepath"
"testing"

Expand All @@ -31,12 +30,12 @@ func TestRulesVulnerableCode(t *testing.T) {
Name: "HS-NGINX-1",
Rule: NewIncludeXFrameOptionsHeader(),
Src: SampleVulnerableHSNGINX1,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
Findings: []engine.Finding{
{
CodeSample: "",
SourceLocation: engine.Location{
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
Line: 0,
Column: 0,
},
Expand All @@ -47,12 +46,12 @@ func TestRulesVulnerableCode(t *testing.T) {
Name: "HS-NGINX-2",
Rule: NewIncludeXContentTypeOptionsHeader(),
Src: SampleVulnerableHSNGINX2,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
Findings: []engine.Finding{
{
CodeSample: "",
SourceLocation: engine.Location{
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
Line: 0,
Column: 0,
},
Expand All @@ -63,12 +62,12 @@ func TestRulesVulnerableCode(t *testing.T) {
Name: "HS-NGINX-3",
Rule: NewIncludeContentSecurityPolicyHeader(),
Src: SampleVulnerableHSNGINX3,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
Findings: []engine.Finding{
{
CodeSample: "",
SourceLocation: engine.Location{
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
Line: 0,
Column: 0,
},
Expand All @@ -79,12 +78,12 @@ func TestRulesVulnerableCode(t *testing.T) {
Name: "HS-NGINX-4",
Rule: NewIncludeServerTokensOff(),
Src: SampleVulnerableHSNGINX4,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
Findings: []engine.Finding{
{
CodeSample: "",
SourceLocation: engine.Location{
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
Line: 0,
Column: 0,
},
Expand All @@ -103,25 +102,25 @@ func TestRulesSafeCode(t *testing.T) {
Name: "HS-NGINX-1",
Rule: NewIncludeXFrameOptionsHeader(),
Src: SampleSafeHSNGINX1,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
},
{
Name: "HS-NGINX-2",
Rule: NewIncludeXContentTypeOptionsHeader(),
Src: SampleSafeHSNGINX2,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
},
{
Name: "HS-NGINX-3",
Rule: NewIncludeContentSecurityPolicyHeader(),
Src: SampleSafeHSNGINX3,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
},
{
Name: "HS-NGINX-4",
Rule: NewIncludeServerTokensOff(),
Src: SampleSafeHSNGINX4,
Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
},
}

Expand Down
0 ...al/services/engines/nginx/samples_test.go → internal/services/engines/nginx/samples.go
View file
File renamed without changes.

0 comments on commit c6f20fe

Please sign in to comment.