From 4adbb845319bfee390e1896aee5e59b64efadafc Mon Sep 17 00:00:00 2001 
From: andrecs <12188364+andrecsilva@users.noreply.github.com>
Date: Thu, 9 Jan 2025 09:26:11 -0300
Subject: [PATCH] Added missing CWE links for several codemods
---
 .../report.json | 2 +-
 .../codemods/HardenJavaDeserializationCodemod/report.json | 2 +-
 .../codemods/HardenProcessCreationCodemod/report.json | 3 ++-
 .../io/codemodder/codemods/HardenXMLDecoderCodemod/report.json | 3 ++-
 .../codemods/HardenXMLInputFactoryCodemod/report.json | 2 +-
 .../io/codemodder/codemods/HardenXMLReaderCodemod/report.json | 2 +-
 .../io/codemodder/codemods/HardenXStreamCodemod/report.json | 3 ++-
 .../codemodder/codemods/HardenZipEntryPathsCodemod/report.json | 2 +-
 .../io/codemodder/codemods/JSPScriptletXSSCodemod/report.json | 2 +-
 .../codemods/OptimizeJacksonStringUsageCodemod/report.json | 2 +-
 .../resources/io/codemodder/codemods/SSRFCodemod/report.json | 1 +
 .../SanitizeApacheMultipartFilenameCodemod/report.json | 1 +
 .../codemodder/codemods/SanitizeHttpHeaderCodemod/report.json | 2 +-
 .../SanitizeSpringMultipartFilenameCodemod/report.json | 1 +
 .../codemods/UnsafeReflectionRemediationCodemod/report.json | 1 +
 .../codemods/UpgradeSSLContextTLSCodemod/report.json | 1 +
 .../codemodder/codemods/UpgradeSSLEngineTLSCodemod/report.json | 1 +
 .../codemods/UpgradeSSLParametersTLSCodemod/report.json | 1 +
 .../codemods/UpgradeSSLSocketProtocolsTLSCodemod/report.json | 1 +
 .../codemods/ValidateJakartaForwardPathCodemod/report.json | 1 +
 .../io/codemodder/codemods/VerbTamperingCodemod/report.json | 2 +-
 .../generic-remediation-reports/header-injection/report.json | 2 +-
 .../java-deserialization/report.json | 2 +-
 .../generic-remediation-reports/jndi-injection/report.json | 2 +-
 .../resources/generic-remediation-reports/ssrf/report.json | 3 ++-
 .../main/resources/generic-remediation-reports/xss/report.json | 2 +-
 .../main/resources/generic-remediation-reports/xxe/report.json | 2 +-
 .../resources/generic-remediation-reports/zip-slip/report.json | 2 +-
 28 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/DisableAutomaticDirContextDeserializationCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/DisableAutomaticDirContextDeserializationCodemod/report.json
index 31ddc8f11..7ae5c5eb7 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/DisableAutomaticDirContextDeserializationCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/DisableAutomaticDirContextDeserializationCodemod/report.json
@@ -2,5 +2,5 @@
  "summary" : "Hardened LDAP call against deserialization attacks",
  "change" : "Made the `retobj` field true so LDAP API responses won't be deserialized",
  "reviewGuidanceIJustification" : "The protection works by denying deserialization during processing of an LDAP query which we're confident is intentional in a vanishingly small percentage of usage.",
- "references" : ["https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"]
+ "references" : ["https://cwe.mitre.org/data/definitions/502","https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenJavaDeserializationCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenJavaDeserializationCodemod/report.json
index c53e1657a..0ee0ddad1 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenJavaDeserializationCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenJavaDeserializationCodemod/report.json
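Review bot: The CWE links added across this patch come in two forms — bare (`https://cwe.mitre.org/data/definitions/502`) here and in most files, but with an `.html` suffix in HardenProcessCreation, HardenXStream, OptimizeJacksonStringUsage, SSRFCodemod, both SanitizeMultipartFilename reports and jndi-injection; both resolve today, but a single canonical form keeps the generated report output uniform and greppable. The new entry is also placed inconsistently (prepended in the single-line arrays, appended in the multi-line ones) and drops the `", "` separator spacing the existing entries use, as in `"https://cwe.mitre.org/data/definitions/502","https://www.blackhat.com/...`. Suggest `"references" : ["https://cwe.mitre.org/data/definitions/502.html", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"]` here and the same form and spacing in the other one-line arrays (HardenXMLInputFactory, HardenXMLReader, HardenZipEntryPaths, JSPScriptletXSS, OptimizeJacksonStringUsage, SanitizeHttpHeader, VerbTampering, header-injection, java-deserialization, jndi-injection, xss).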
@@ -2,7 +2,7 @@
  "summary" : "Introduced protections against deserialization attacks",
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ObjectInputFilters.java",
  "change" : "Hardened the deserialization call by introducing a filter that prevents known malicious gadgets from executing arbitrary code",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
+ "references" : ["https://cwe.mitre.org/data/definitions/502","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
  "faqs" : [
  {
  "question" : "Why does this codemod require a Pixee dependency?",
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenProcessCreationCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenProcessCreationCodemod/report.json
index c1e4eab1a..942fcb5ba 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenProcessCreationCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenProcessCreationCodemod/report.json
@@ -5,6 +5,7 @@
  "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `Runtime#exec()` calls will only throw `SecurityException` if they see behavior involved in malicious code execution, which is extremely unlikely to happen in normal operation.",
  "references": [
  "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html",
- "https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method"
+ "https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method",
+ "https://cwe.mitre.org/data/definitions/78.html"
  ]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLDecoderCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLDecoderCodemod/report.json
index ecfcaccd9..039ae47e8 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLDecoderCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLDecoderCodemod/report.json
@@ -4,6 +4,7 @@
  "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLDecoder` instances will only throw `SecurityException` if they see types being deserialized are involved in code execution, which is extremely unlikely to in normal operation.",
  "references": [
  "https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/web/java-XMLDecoder-RCE.md",
- "http://diniscruz.blogspot.com/2013/08/using-xmldecoder-to-execute-server-side.html"
+ "http://diniscruz.blogspot.com/2013/08/using-xmldecoder-to-execute-server-side.html",
+ "https://cwe.mitre.org/data/definitions/502"
  ]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLInputFactoryCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLInputFactoryCodemod/report.json
index c282dcfa2..b5805b131 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLInputFactoryCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLInputFactoryCodemod/report.json
@@ -3,5 +3,5 @@
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/XMLDecoderSecurity.java",
  "change" : "Hardened the XML processor to prevent external entities from being resolved, which can prevent data exfiltration and arbitrary code execution",
  "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLInputFactory` instances will only be different if the XML they process uses external entities, which is exceptionally rare (and, as demonstrated, quite unsafe anyway.)",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
+ "references" : ["https://cwe.mitre.org/data/definitions/611","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLReaderCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLReaderCodemod/report.json
index da4bd8ce6..251a2893e 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLReaderCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXMLReaderCodemod/report.json
@@ -2,5 +2,5 @@
  "summary" : "Introduced protections against XXE attacks in XMLReader",
  "change" : "Hardened the XMLReader to prevent external entities from being resolved, which can prevent data exfiltration and arbitrary code execution",
  "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `XMLReader` instances will only be different if the XML they process uses external entities, which is exceptionally rare (and, as demonstrated, quite unsafe anyway.)",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
+ "references" : ["https://cwe.mitre.org/data/definitions/611","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXStreamCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXStreamCodemod/report.json
index 1da42dc63..3944603eb 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenXStreamCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenXStreamCodemod/report.json
@@ -6,6 +6,7 @@
  "https://x-stream.github.io/security.html",
  "http://diniscruz.blogspot.com/2013/12/xstream-remote-code-execution-exploit.html",
  "https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream",
- "https://x-stream.github.io/CVE-2013-7285.html"
+ "https://x-stream.github.io/CVE-2013-7285.html",
+ "https://cwe.mitre.org/data/definitions/502.html"
  ]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/HardenZipEntryPathsCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/HardenZipEntryPathsCodemod/report.json
index 15913b6aa..9cee9637d 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/HardenZipEntryPathsCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/HardenZipEntryPathsCodemod/report.json
@@ -3,5 +3,5 @@
  "change" : "Created a hardened `java.io.ZipInputStream` wrapper type that prevents files from being written that escape the target directory",
  "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `ZipInputStream` instances will only be different if malicious zip entries are encountered.",
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ZipSecurity.java",
- "references": ["https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
+ "references": ["https://cwe.mitre.org/data/definitions/23","https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/JSPScriptletXSSCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/JSPScriptletXSSCodemod/report.json
index b1689985f..5b51c465e 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/JSPScriptletXSSCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/JSPScriptletXSSCodemod/report.json
@@ -3,5 +3,5 @@
  "change" : "Inserted an HTML encoding call around the user input that will render HTML control characters insert and prevent code execution -- other protections may offer better functionality, depending on where in the HTTP response and HTML document the input occurs",
  "reviewGuidanceJustification" : "This change is safe and effective in almost all situations. However, depending on the context in which the scriptlet is rendered (e.g., inside an HTML tag, in JavaScript, unquoted contexts, etc.), you may need to use another encoding method. Check out the [OWASP XSS Prevention CheatSheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to learn more about these cases and other controls you may need in exceptional cases. The security control introduced from OWASP used has `forHtml()` variants for all situations (e.g., `forJavaScript()`, `forCssString()`).",
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/HtmlEncoder.java",
- "references" : ["https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
+ "references" : ["https://cwe.mitre.org/data/definitions/79","https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/OptimizeJacksonStringUsageCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/OptimizeJacksonStringUsageCodemod/report.json
index ece953b78..0ab7d041a 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/OptimizeJacksonStringUsageCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/OptimizeJacksonStringUsageCodemod/report.json
@@ -1,5 +1,5 @@
  {
  "summary" : "Optimized out unnecessary JSON deserialization step",
  "change" : "Removed the stream-to-string deserialization step",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"]
+ "references" : ["https://cwe.mitre.org/data/definitions/502.html","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json
index 4f759a7ed..1d7b91421 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/SSRFCodemod/report.json
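Review bot: CWE-502 (Deserialization of Untrusted Data) is a questionable tag for this report: its own `summary` and `change` lines describe a performance optimization — removing a stream-to-string step before Jackson parses the input — not a fix for unsafe deserialization, so a weakness ID here may lead report consumers to count the codemod as a security remediation. The pre-existing cheat-sheet links are only loosely related, which presumably is why 502 was chosen. Unless the codemod author confirms a weakness it actually addresses, consider leaving this array as it was: `"references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"]`.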
@@ -6,6 +6,7 @@
  "reviewGuidanceJustification" : "By default, the protection only weaves in 2 checks, which we believe will not cause any issues with the vast majority of code:\n* The given URL must be HTTP/HTTPS.\n* The given URL must not point to a \"well-known infrastructure target\", which includes things like AWS Metadata Service endpoints, and internal routers (e.g., 192.168.1.1) which are common targets of attacks.\n\nHowever, on rare occasions an application may use a URL protocol like \"file://\" or \"classpath://\" in backend or middleware code.\n\nIf you want to allow those protocols, change the incoming PR to look more like this and get the best security possible:\n\n```\n-URL u = new URL(url);\n+Set fileProtocols = Set.of(UrlProtocol.FILE, UrlProtocol.CLASSPATH);\n+URL u = Urls.create(url, fileProtocols);\n```",
  "references": [
+ "https://cwe.mitre.org/data/definitions/918.html",
  "https://www.hacksplaining.com/prevention/ssrf",
  "https://portswigger.net/web-security/ssrf",
  "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeApacheMultipartFilenameCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeApacheMultipartFilenameCodemod/report.json
index 649f9fde8..0b24e1758 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeApacheMultipartFilenameCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeApacheMultipartFilenameCodemod/report.json
@@ -4,6 +4,7 @@
  "change": "Wrapped the file name with a sanitizer call that takes out path escaping characters",
  "reviewGuidanceJustification" : "This change presents effectively no risk. However, we believe a human should review the change.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/434.html",
  "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload",
  "https://portswigger.net/web-security/file-upload"
  ]
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeHttpHeaderCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeHttpHeaderCodemod/report.json
index e1c611404..0abb2efc7 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeHttpHeaderCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeHttpHeaderCodemod/report.json
@@ -3,5 +3,5 @@
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Newlines.java",
  "change" : "Added a call to replace any newlines that are present in the variable",
  "reviewGuidanceJustification" : "This codemod cleanly enforces the boundaries in the HTTP protocol, and we believe it presents no risk.",
- "references" : ["https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
+ "references" : ["https://cwe.mitre.org/data/definitions/113","https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
  }
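Review bot: CWE-434 (Unrestricted Upload of File with Dangerous Type) does not describe what this codemod fixes: the `change` line says the sanitizer "takes out path escaping characters" from the uploaded file name, which is path traversal — CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) — whereas 434 is about accepting dangerous file types or extensions. The same line is added in SanitizeSpringMultipartFilenameCodemod/report.json. Suggest `"https://cwe.mitre.org/data/definitions/22.html",` in both files, keeping 434 alongside only if the reports are intentionally tagged with the broader upload weakness as well.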
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeSpringMultipartFilenameCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeSpringMultipartFilenameCodemod/report.json
index 6e6f3c261..5c04dea02 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeSpringMultipartFilenameCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/SanitizeSpringMultipartFilenameCodemod/report.json
@@ -4,6 +4,7 @@
  "change": "Wrapped the file name with a sanitizer call that takes out path escaping characters",
  "reviewGuidanceJustification" : "This change presents effectively no risk. However, we believe a human should review the change.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/434.html",
  "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload",
  "https://portswigger.net/web-security/file-upload",
  "https://github.com/spring-projects/spring-framework/blob/c989470f94926ee5c7474bead278b00e9aaac787/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java#L68"
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/UnsafeReflectionRemediationCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/UnsafeReflectionRemediationCodemod/report.json
index 6484df0f0..fee5fe570 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/UnsafeReflectionRemediationCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/UnsafeReflectionRemediationCodemod/report.json
@@ -3,6 +3,7 @@
  "change": "Replaced unsafe usages of `Class.forName` with hardened alternative `Reflection.loadAndVerify`",
  "reviewGuidanceJustification": "Reflection.loadAndVerify disallows the loading of classes that are well-known to be dangerous paths to remote code execution. Pathological cases aside, the use of Reflection.loadAndVerify will not disrupt the typical operations of an application.",
  "references": [
+ "https://cwe.mitre.org/data/definitions/470",
  "https://rules.sonarsource.com/java/RSPEC-2658/"
  ]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLContextTLSCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLContextTLSCodemod/report.json
index 1336a8cc6..b9c7ef9f0 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLContextTLSCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLContextTLSCodemod/report.json
@@ -3,6 +3,7 @@
  "change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
  "reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/326",
  "https://datatracker.ietf.org/doc/rfc8996/",
  "https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
  ]
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLEngineTLSCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLEngineTLSCodemod/report.json
index 6a0ebd7fd..ec30c9a9f 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLEngineTLSCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLEngineTLSCodemod/report.json
@@ -3,6 +3,7 @@
  "change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
  "reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/326",
  "https://datatracker.ietf.org/doc/rfc8996/",
  "https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
  ]
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLParametersTLSCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLParametersTLSCodemod/report.json
index bef997055..d7f755f03 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLParametersTLSCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLParametersTLSCodemod/report.json
@@ -3,6 +3,7 @@
  "change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
  "reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/326",
  "https://datatracker.ietf.org/doc/rfc8996/",
  "https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
  ]
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLSocketProtocolsTLSCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLSocketProtocolsTLSCodemod/report.json
index bb2d8d0f2..443bb7e62 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLSocketProtocolsTLSCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/UpgradeSSLSocketProtocolsTLSCodemod/report.json
@@ -3,6 +3,7 @@
  "change": "Removed the ability to communicate over anything except TLS 1.2 as no others are safe",
  "reviewGuidanceJustification" : "There is only a risk of this codemod introducing issues if the other party in the communication doesn't support modern versions of TLS. This should be extremely rare as those older versions are no longer honored by browsers or supported by most server software.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/326",
  "https://datatracker.ietf.org/doc/rfc8996/",
  "https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1"
  ]
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/ValidateJakartaForwardPathCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/ValidateJakartaForwardPathCodemod/report.json
index 3400e7fc0..214e7fdfd 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/ValidateJakartaForwardPathCodemod/report.json
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/ValidateJakartaForwardPathCodemod/report.json
@@ -4,6 +4,7 @@
  "control" : "https://github.com/pixee/java-code-security-toolkit/blob/main/src/main/java/io/github/pixee/security/Jakarta.java",
  "reviewGuidanceJustification" : "There is no reason an application should be forwarding to inner resources like `/WEB-INF/web.xml`.",
  "references" : [
+ "https://cwe.mitre.org/data/definitions/201",
  "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-forward-example"
  ]
  }
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/VerbTamperingCodemod/report.json b/core-codemods/src/main/resources/io/codemodder/codemods/VerbTamperingCodemod/report.json
index 988753bf0..545a58240 100644
--- a/core-codemods/src/main/resources/io/codemodder/codemods/VerbTamperingCodemod/report.json
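Review bot: In the ValidateJakartaForwardPathCodemod hunk, CWE-201 (Insertion of Sensitive Information Into Sent Data) is a loose fit: that entry describes code that itself places sensitive data in its output, while the `reviewGuidanceJustification` describes an attacker steering a forward to protected resources such as `/WEB-INF/web.xml`, which reads closer to CWE-22 (path traversal) or CWE-552 (Files or Directories Accessible to External Parties). Worth checking the CWE descriptions before committing to 201, since these IDs presumably end up in customer-facing reports; if 22 is chosen the line becomes `"https://cwe.mitre.org/data/definitions/22.html",`.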
+++ b/core-codemods/src/main/resources/io/codemodder/codemods/VerbTamperingCodemod/report.json
@@ -2,5 +2,5 @@
  "summary" : "Introduced protections against verb tampering attacks (authN/authZ bypass)",
  "change" : "Removed from the definition which paradoxically remove the authentication from endpoints with any methods not listed",
  "reviewGuidanceJustification" : "This is an incredibly unintuitive situation and in our professional experience have never seen any time developers intended to grant access to \"all other\" HTTP methods by specifically listing others.",
- "references": ["https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf","https://vulncat.fortify.com/en/detail?id=desc.config.java.http_verb_tampering", "https://capec.mitre.org/data/definitions/274.html"]
+ "references": ["https://cwe.mitre.org/data/definitions/302","https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf","https://vulncat.fortify.com/en/detail?id=desc.config.java.http_verb_tampering", "https://capec.mitre.org/data/definitions/274.html"]
  }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/header-injection/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/header-injection/report.json
index a3dbc0da8..aa8064122 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/header-injection/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/header-injection/report.json
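Review bot: CWE-302 (Authentication Bypass by Assumed-Immutable Data) is about trusting client-controlled data such as cookies or hidden form fields, which is not the weakness this codemod removes; a `security-constraint` that lists `http-method` elements and thereby leaves every unlisted verb unprotected is the textbook case of CWE-650 (Trusting HTTP Permission Methods on the Server Side), and the CAPEC-274 link already in the array pairs with that entry. Suggest `"https://cwe.mitre.org/data/definitions/650.html"` in place of 302.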
@@ -2,5 +2,5 @@
  "summary" : "Introduced protections against HTTP header injection / smuggling attacks",
  "change" : "Added a call to replace any newlines that are present in the variable",
  "reviewGuidanceJustification" : "This codemod cleanly enforces the boundaries in the HTTP protocol, and we believe it presents no risk.",
- "references" : ["https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
+ "references" : ["https://cwe.mitre.org/data/definitions/113","https://www.netsparker.com/blog/web-security/crlf-http-header/", "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/"]
  }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/report.json
index c53e1657a..0ee0ddad1 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/report.json
@@ -2,7 +2,7 @@
  "summary" : "Introduced protections against deserialization attacks",
  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ObjectInputFilters.java",
  "change" : "Hardened the deserialization call by introducing a filter that prevents known malicious gadgets from executing arbitrary code",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
+ "references" : ["https://cwe.mitre.org/data/definitions/502","https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
  "faqs" : [
  {
  "question" : "Why does this codemod require a Pixee dependency?",
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/jndi-injection/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/jndi-injection/report.json
index 5fbdeae53..df39cc5e9 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/jndi-injection/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/jndi-injection/report.json
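Review bot: This file is a byte-for-byte copy of core-codemods/.../HardenJavaDeserializationCodemod/report.json — both index lines read `c53e1657a..0ee0ddad1` — so the two have to be edited in lockstep by hand, as this patch does. That duplication is what makes a reference list like this one drift; if the framework copy is the canonical one, consider having the core-codemods report resolve to it, or generating one from the other in the build, so a future reference update cannot leave them out of sync. Whether the resource loader supports that is not visible from this hunk.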
@@ -2,5 +2,5 @@
 "summary" : "Introduced validation to prevent JNDI Injection",
 "change" : "Added validation to JNDI lookup calls",
 "reviewGuidanceIJustification" : "We believe this change is effective, and it will not break applications unless they are currently allowing users to specify arbitrary URLs that get passed to the lookup API.",
- "references" : ["https://www.veracode.com/blog/research/exploiting-jndi-injections-java", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf"]
+ "references" : ["https://cwe.mitre.org/data/definitions/74.html","https://cwe.mitre.org/data/definitions/426","https://www.veracode.com/blog/research/exploiting-jndi-injections-java", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf"]
 }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/ssrf/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/ssrf/report.json
index 415cf2e8a..d96466214 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/ssrf/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/ssrf/report.json
@@ -10,6 +10,7 @@
 "https://portswigger.net/web-security/ssrf",
 "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html",
 "https://www.rapid7.com/blog/post/2021/11/23/owasp-top-10-deep-dive-defending-against-server-side-request-forgery/",
- "https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/"
+ "https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/",
+ "https://cwe.mitre.org/data/definitions/918"
 ]
 }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/xss/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/xss/report.json
index cc7ab0ab6..1ea372c06 100644
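Review bot: The two CWE links added on the `+` line use different URL forms inside one array, `definitions/74.html` and `definitions/426`, and the second differs again from the extension-less form used in every other file of this commit; one form (the canonical `…/NNN.html`) should be used for both. CWE-426 is "Untrusted Search Path", which as I read it covers executable and library lookup rather than a JNDI lookup driven by an attacker-controlled name, so it may be worth confirming that this mapping is the intended one rather than, say, the generic injection entry alone. Separately, the context line here spells the key `reviewGuidanceIJustification` (the xxe and zip-slip hunks do too) while header-injection and xss use `reviewGuidanceJustification`; if the report consumer reads the latter key, these three justifications are silently dropped — pre-existing, but this commit touches all five files, so it is a cheap fix to fold in.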
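Review bot: The CWE link on the second `+` line of the ssrf hunk is appended as the last element of `references`, whereas every other hunk in this commit prepends it as the first element; if element order carries any meaning for the report renderer (primary reference first, for instance), this file will present differently, and a consistent position would avoid that. The `"references"` key and the `[` opening this array sit above the hunk, so the head of the array is not visible here.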
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/xss/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/xss/report.json
@@ -3,5 +3,5 @@
 "change" : "Inserted an HTML encoding call around the user input that will render HTML control characters insert and prevent code execution -- other protections may offer better functionality, depending on where in the HTTP response and HTML document the input occurs",
 "reviewGuidanceJustification" : "This change is safe and effective in almost all situations. However, depending on the context in which the input is rendered (e.g., inside an HTML tag, in JavaScript, unquoted contexts, etc.), you may need to use another encoding method. Check out the [OWASP XSS Prevention CheatSheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to learn more about these cases and other controls you may need in exceptional cases. The security control introduced from OWASP used has `forHtml()` variants for all situations (e.g., `forJavaScript()`, `forCssString()`).",
 "control" : "https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encode.java",
- "references" : ["https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
+ "references" : ["https://cwe.mitre.org/data/definitions/79","https://portswigger.net/web-security/cross-site-scripting", "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html"]
 }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/xxe/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/xxe/report.json
index b43150d3e..ada4e1a4d 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/xxe/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/xxe/report.json
@@ -2,5 +2,5 @@
 "summary" : "Introduced protections against XXE attacks",
 "change" : "Hardened the XML processor to prevent external entities from being resolved, which can prevent data exfiltration and arbitrary code execution",
 "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened XML readers will only be different if the XML they process uses external entities, which is exceptionally rare (and, as demonstrated, quite unsafe anyway.)",
- "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
+ "references" : ["https://cwe.mitre.org/data/definitions/611","https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md"]
 }
diff --git a/framework/codemodder-base/src/main/resources/generic-remediation-reports/zip-slip/report.json b/framework/codemodder-base/src/main/resources/generic-remediation-reports/zip-slip/report.json
index 15913b6aa..9cee9637d 100644
--- a/framework/codemodder-base/src/main/resources/generic-remediation-reports/zip-slip/report.json
+++ b/framework/codemodder-base/src/main/resources/generic-remediation-reports/zip-slip/report.json
@@ -3,5 +3,5 @@
 "change" : "Created a hardened `java.io.ZipInputStream` wrapper type that prevents files from being written that escape the target directory",
 "reviewGuidanceIJustification" : "We believe this change is safe and effective. The behavior of hardened `ZipInputStream` instances will only be different if malicious zip entries are encountered.",
 "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ZipSecurity.java",
- "references": ["https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
+ "references": ["https://cwe.mitre.org/data/definitions/23","https://snyk.io/research/zip-slip-vulnerability", "https://github.com/snyk/zip-slip-vulnerability", "https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream", "https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.path_manipulation_zip_entry_overwrite"]
 }