From a09ca4caaf1c23467470742c12453f10e72d6afe Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Tue, 20 Aug 2024 19:43:00 -0400
Subject: [PATCH 01/15] Note that rulesets can also enforce review
Signed-off-by: David A. Wheeler
---
docs/Concise-Guide-for-Developing-More-Secure-Software.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Concise-Guide-for-Developing-More-Secure-Software.md b/docs/Concise-Guide-for-Developing-More-Secure-Software.md
index 3ff6c553..f7932a9f 100644
--- a/docs/Concise-Guide-for-Developing-More-Secure-Software.md
+++ b/docs/Concise-Guide-for-Developing-More-Secure-Software.md
@@ -13,7 +13,7 @@ Here is a concise guide for all software developers for secure software developm
7. **Monitor known vulnerabilities in your software’s direct & indirect dependencies**. E.g., enable basic scanning via GitHub's [dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) or GitLab [dependency scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/). Many other third party Software Composition Analysis (SCA) tools are also available. Quickly update vulnerable dependencies.
8. **Keep dependencies reasonably up-to-date**. Otherwise, it’s hard to update for vulnerabilities.
9. **Do not push secrets to a repository**. Use tools to detect pushing secrets to a repository.
-10. **Review before accepting changes**. Enforce it, e.g., [GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) or [GitLab](https://docs.gitlab.com/ee/user/project/protected_branches.html) protected branches.
+10. **Review before accepting changes**. Enforce this, e.g., using [GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) or [GitLab](https://docs.gitlab.com/ee/user/project/protected_branches.html) protected branches or an equivalent [GitHub ruleset](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
11. **Prominently document how to report vulnerabilities & prepare for them**.
- Use resources like the [Guide to coordinated vulnerability disclosure](https://github.com/ossf/oss-vulnerability-guide).
- [Explicitly disclose security issues affecting vendored dependencies](Vendored-Dependencies-Guide.md).
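Review bot: the new sentence groups "GitHub or GitLab protected branches or an equivalent GitHub ruleset", which reads as though a ruleset were an alternative to GitLab; suggest "using GitHub protected branches or rulesets, or GitLab protected branches". Protected branches by themselves also do not enforce review; the setting the reader must turn on is the required pull-request review inside those features, so "protected branches (with required reviews)" would make item 10 match its own heading.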
From 1f1903fae157ed47ba1af0890c76396ee6094ef3 Mon Sep 17 00:00:00 2001
From: Helge Wehder
Date: Tue, 22 Oct 2024 10:19:05 +0100
Subject: [PATCH 02/15] Changed wording to quote OpenSSF as main contributor
Signed-off-by: Helge Wehder
---
.../Intro_to_multiprocessing_and_multithreading/readme.md | 2 +-
docs/Secure-Coding-Guide-for-Python/readme.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/Intro_to_multiprocessing_and_multithreading/readme.md b/docs/Secure-Coding-Guide-for-Python/Intro_to_multiprocessing_and_multithreading/readme.md
index a26ccb4e..72eeee4a 100644
--- a/docs/Secure-Coding-Guide-for-Python/Intro_to_multiprocessing_and_multithreading/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/Intro_to_multiprocessing_and_multithreading/readme.md
@@ -3,7 +3,7 @@
This page aims to explain the concepts that could be found in the following rules:
- [CWE-410: Insufficient Resource Pool](../CWE-664/CWE-410/README.md)
-- [CWE-833: Deadlock - Development Environment - eTeamSpace (ericsson.com)](../CWE-664/CWE-833/README.md)
+- [CWE-833: Deadlock](../CWE-664/CWE-833/README.md)
- [CWE-400: Uncontrolled Resource Consumption](../CWE-664/CWE-400/README.md)
- [CWE-392: Missing Report of Error Condition](../CWE-703/CWE-392/README.md)
- [CWE-665: Improper Initialization](../CWE-664/CWE-665/README.md)
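Review bot: the removed link text "Development Environment - eTeamSpace (ericsson.com)" looks like a pasted browser-tab title from an internal tool that leaked into public documentation; rather than fixing this one occurrence, grep the rest of docs/Secure-Coding-Guide-for-Python for the same pattern. The commit subject ("Changed wording to quote OpenSSF as main contributor") also does not mention this second, unrelated change.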
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index ba069d80..bb0c16dc 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -5,7 +5,7 @@ and non-compliant code with `CPython >= 3.9` using modules listed on
[Python Module Index](https://docs.python.org/3.9/py-modindex.html) [Python 2023].
-This page is in initiative by Ericsson to improve secure coding in Python by providing a location for study. Its structure is based on
+This page is in initiative by OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
It currently contains *only* the code examples, documentation will follow.
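Review bot: the reworded line still reads "This page is in initiative by OpenSSF"; "in" should be "an", and the organisation is normally written with the article ("an initiative by the OpenSSF"). The untouched context line below it has "Common Weakness Enamurator (CWE)", which should be "Common Weakness Enumeration (CWE)"; since the wording is being revised here anyway, this is the place to fix it.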
From 62c5cf5349d38cf698a32918e232cade7fca7c72 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Wed, 23 Oct 2024 11:33:21 -0400
Subject: [PATCH 03/15] Thank Seth for essentially kicking off the regex work
Signed-off-by: David A. Wheeler
---
docs/Correctly-Using-Regular-Expressions.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/Correctly-Using-Regular-Expressions.md b/docs/Correctly-Using-Regular-Expressions.md
index cb36afe5..49c85725 100644
--- a/docs/Correctly-Using-Regular-Expressions.md
+++ b/docs/Correctly-Using-Regular-Expressions.md
@@ -129,4 +129,6 @@ In addition, ensure your regex is not vulnerable to a Regular Expression Denial
For detailed rationale, along with other information such as contributor credits, see [Correctly Using Regular Expressions for Secure Input Validation - Rationale](./Correctly-Using-Regular-Expressions-Rationale).
+Our thanks to Seth Larson, whose article [Seth Larson’s Regex character “$” doesn't mean “end-of-string”](https://sethmlarson.dev/regex-$-matches-end-of-string-or-newline) raised awareness of some of the problems dicussed here.
+
This document is released under the [Creative Commons CC-BY-4.0 license](https://creativecommons.org/licenses/by/4.0/).
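Review bot: "dicussed" should be "discussed". The link text "Seth Larson’s Regex character “$” doesn't mean “end-of-string”" repeats the author's name that the sentence has just given ("Seth Larson, whose article ..."); use the article title alone. The quoting is also mixed (curly “ ” around $ and end-of-string, a straight ' in doesn't); pick one style.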
From 5b1e91e6123fdd7d1c991080127c4061949271d1 Mon Sep 17 00:00:00 2001
From: myteron
Date: Fri, 25 Oct 2024 09:31:05 +0100
Subject: [PATCH 04/15] Update docs/Secure-Coding-Guide-for-Python/readme.md
Co-authored-by: Georg Kunz
Signed-off-by: myteron
---
docs/Secure-Coding-Guide-for-Python/readme.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index bb0c16dc..5b4ce8a9 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -5,7 +5,7 @@ and non-compliant code with `CPython >= 3.9` using modules listed on
[Python Module Index](https://docs.python.org/3.9/py-modindex.html) [Python 2023].
-This page is in initiative by OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
+This page is in initiative by the OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
It currently contains *only* the code examples, documentation will follow.
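Review bot: the sentence still says "This page is in initiative by the OpenSSF"; "in" should be "an" ("This page is an initiative by the OpenSSF"). The following context line has "Common Weakness Enamurator (CWE)" where the acronym expands to "Common Weakness Enumeration"; worth correcting in the same one-line touch-up.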
From 25e500b47203d0da5b911e3a5c04dcb9dd7fc408 Mon Sep 17 00:00:00 2001
From: Georg Kunz
Date: Sun, 27 Oct 2024 22:46:56 +0100
Subject: [PATCH 05/15] Updating links to Slack channels in main Readme
Signed-off-by: Georg Kunz
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 076374f1..6cfc6deb 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ Our work is organized into several discrete-yet-related projects that help us ac
| Effort | Description | Git Repo | Slack Channel | Mailing List |
| ------------------ | ------------------------ | ------------------- | ----------- | ---------- |
-| Best Practices Guides | Longer reference documents on implementing specific secure techniques | - [Compiler Annotations for C and C++ (incubating)](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Annotations-for-C-and-C++.html),
- [Compiler Options Hardening Guide for C and C++](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++), - [Existing Guidelines for Developing and Distributing Secure Software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Existing%20Guidelines%20for%20Developing%20and%20Distributing%20Secure%20Software.md), - [Package Manager Best Practices (incubating)](https://github.com/ossf/package-manager-best-practices), - [npm Best Practices Guide](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md), - [Source Code Management Platform Configuration Best Practices](docs/SCM-BestPractices/README.md), - [Secure Coding Guide for Python](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python), | [SCM Slack](https://openssf.slack.com/archives/C058EC1EZ5Y) | |
+| Best Practices Guides | Longer reference documents on implementing specific secure techniques | - [Compiler Annotations for C and C++ (incubating)](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Annotations-for-C-and-C++.html), - [Compiler Options Hardening Guide for C and C++](https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++), - [Existing Guidelines for Developing and Distributing Secure Software](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Existing%20Guidelines%20for%20Developing%20and%20Distributing%20Secure%20Software.md), - [Package Manager Best Practices (incubating)](https://github.com/ossf/package-manager-best-practices), - [npm Best Practices Guide](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md), - [Source Code Management Platform Configuration Best Practices](docs/SCM-BestPractices/README.md), - [Secure Coding Guide for Python](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python), | - [#wg-best-practices-compilers](https://openssf.slack.com/archives/C07LH7RH8MT), - [#wg-best-practices-scm](https://openssf.slack.com/archives/C058EC1EZ5Y) | |
| Concise Guides SIGs | Quick Guidance around Open Source Software Develpment Good Practices | - [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software), - [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software) | | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
| Education SIG - (incubating) | To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security. | [EDU.SIG](https://github.com/ossf/education/) | [stream-01-security-education](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) |
|[OpenSSF Best Practices Badge - formerly CII Best Practices badge](https://www.bestpractices.dev/) | Identifies FLOSS best practices & implements a badging system for those practices, | | | |
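Review bot: the new #wg-best-practices-compilers link in the Best Practices Guides row points at Slack channel C07LH7RH8MT, the same ID this patch uses for #secure-coding-guide-for-python (Python Hardening Guide SIG row) and for the Python Hardening Guide SIG meeting row, while the C/C++ Compiler Hardening Options meeting row links C058E884WN7; one of these looks like a copy-paste slip, so please verify the compilers channel ID before merging. This hunk also silently repairs the row that was previously broken across two lines (a hard line break inside a Markdown table cell terminates the row), which deserves a mention in the commit message; and "Develpment" in the Concise Guides SIGs row is a typo.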
@@ -86,7 +86,7 @@ Our work is organized into several discrete-yet-related projects that help us ac
| [Secure Software Development Fundamentals - online course](https://openssf.org/training/courses/) |Teach software developers fundamentals of developing secure software | [GitHub](https://github.com/ossf/secure-sw-dev-fundamentals) | | |
| Memory Safety SIG | The Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4. |[Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) |
| The Security Toolbelt | Assemble a “sterling” collection of capabilities (**software frameworks, specifications, and human and automated processes**) that work together to **automatically list, scan, remediate, and secure the components flowing through the software supply chain** that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an **interoperable** link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems. | [Security Toolbelt](https://github.com/ossf/toolbelt) | [security-toolbelt](https://openssf.slack.com/archives/C057BN7K19B) | [Mailing List](Openssf-sig-sterling-toolchain@lists.openssf.org) |
-| Python Hardening Guide SIG | A group working to document a secure coding guide for python and associates code examples | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) | Slack | Mailing List |
+| Python Hardening Guide SIG | A group working to document a secure coding guide for python and associates code examples | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) | [#secure-coding-guide-for-python](https://openssf.slack.com/archives/C07LH7RH8MT) | |
## Related resources
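Review bot: this row blanks the Mailing List cell for the Python Hardening Guide SIG, but the same SIG's row in the meeting table later in this patch keeps the bare placeholder text "Mailing List"; either link the list in both places or blank both, so the two tables do not disagree. "python" in the description should be capitalised as the language name, and "associates code examples" reads as "associated code examples".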
@@ -139,12 +139,12 @@ Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the [public
| Effort | Meeting Times | Meeting Notes/Agenda | Git Repo | Slack Channel | Mailing List |
| :----------: | :------------------------------------------------------: | :------------------------: | :-------------------: | :-----------: | :----------: |
| Full WG | Every two weeks, Tuesday 7:00a PT/10:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1UClGUnOSkOH_wab6Lx43KUdkaK37L8sbWJ_GPZvc1YY/edit?usp=sharing) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
-| C/C++ Compiler Hardening Options | Every two weeks, Thursday 6:00a PT/9:00a ET/1300 UTC | [Meeting Notes](https://docs.google.com/document/d/1JY8FREBPCUUFpuv7-4B9EjeS2MLDpel0dbG5DFWrTns) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler_Hardening_Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md) | [Slack](https://openssf.slack.com/archives/C01AHCRP8BT) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
+| C/C++ Compiler Hardening Options | Every two weeks, Thursday 6:00a PT/9:00a ET/1300 UTC | [Meeting Notes](https://docs.google.com/document/d/1JY8FREBPCUUFpuv7-4B9EjeS2MLDpel0dbG5DFWrTns) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler_Hardening_Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md) | [Slack](https://openssf.slack.com/archives/C058E884WN7) | [Mailing List](https://lists.openssf.org/g/openssf-wg-best-practices) |
| EDU.SIG | Every 2 weeks, Wednesday 6:00a PT/9:00a ET/1400 UTC | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.yi1fmphbeqoj) | [Git Repo](https://github.com/ossf/education) | [Slack](https://openssf.slack.com/archives/C03FW3YGXH9) | [Mailing List](https://lists.openssf.org/g/openssf-sig-education) |
| Memory Safety SIG | Every 2 weeks, Thursday 10:00a PT/1:00p ET/1500 UTC | [Meeting Notes](https://docs.google.com/document/d/1RnIzqeKyrOJvs6vQ8xGH6TjZDoEFaGUs1NkAx--v_3Y/edit?usp=sharing) | [Git Repo](https://github.com/ossf/Memory-Safety) | [Slack](https://openssf.slack.com/archives/C03G8NZH58R) | [Mailing List](https://lists.openssf.org/g/openssf-sig-memory-safety) |
| Scorecard | Every 2 weeks, Thursday 1:00p PT/4:00p ET/1800 UTC | [Meeting Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing) | [Git Repo](https://github.com/ossf/scorecard) | [Slack](https://openssf.slack.com/archives/C0235AR8N2C ) | Mailing List |
-| Security Baseline | Every other Tuesday @ 10:00am EST | [Meeting Minutes](https://docs.google.com/document/d/16tL1Ln7owIRXSoCKgyYHCs9-JP9iw-ouyk8koGAeHA0/) | [Git Repo](https://github.com/ossf/security-baseline) | [Slack Channel](https://app.slack.com/client/T019QHUBYQ3/C07DC6TT2QY) | [Mailing List](https://lists.openssf.org/g/openssf-sig-security-baseline) |
-| Python Hardening Guide SIG | Every two weeks, Monday 11AM ET | [Meeting Notes](https://docs.google.com/document/d/1JY8FREBPCUUFpuv7-4B9EjeS2MLDpel0dbG5DFWrTns/edit) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) | Slack | Mailing List |
+| Security Baseline | Every other Tuesday @ 10:00am EST | [Meeting Minutes](https://docs.google.com/document/d/16tL1Ln7owIRXSoCKgyYHCs9-JP9iw-ouyk8koGAeHA0/) | [Git Repo](https://github.com/ossf/security-baseline) | [Slack](https://openssf.slack.com/archives/C07DC6TT2QY) | [Mailing List](https://lists.openssf.org/g/openssf-sig-security-baseline) |
+| Python Hardening Guide SIG | Every two weeks, Monday 11AM ET | [Meeting Notes](https://docs.google.com/document/d/1JY8FREBPCUUFpuv7-4B9EjeS2MLDpel0dbG5DFWrTns/edit) | [Git Repo](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) | [Slack](https://openssf.slack.com/archives/C07LH7RH8MT) | Mailing List |
| EDU.SIG - Course Content Collab | Every week, Monday 1PM ET | [Meeting Notes](https://docs.google.com/document/d/1NPk5HZLfSMLpUsqaqVcbUSmSR66gS8WoJmEqfsCwrrE/edit#heading=h.y1wl36c7u5mn) | [Git Repo](https://github.com/ossf/education) | Slack | Mailing List |
## Meeting Notes
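Review bot: moving the Security Baseline link from an app.slack.com client URL to the archives form used by every other row is the right fix, but the EDU.SIG - Course Content Collab row still carries the bare placeholders "Slack" and "Mailing List", and the Scorecard row has a stray space inside its Slack URL ("C0235AR8N2C )") that breaks the link in some renderers; both belong in the same sweep. The Python Hardening Guide SIG row also keeps a literal "Mailing List" placeholder while the same SIG's row in the efforts table above was blanked.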
From e67c643e19eeef2ed4711736cfb5966a0f111b3e Mon Sep 17 00:00:00 2001
From: myteron
Date: Tue, 29 Oct 2024 10:30:02 +0000
Subject: [PATCH 06/15] Update readme.md
Fixed another typo and changed statement on rules with only code examples as we have more documentation by now.
Signed-off-by: myteron
---
docs/Secure-Coding-Guide-for-Python/readme.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index 5b4ce8a9..35aa14cc 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -5,9 +5,10 @@ and non-compliant code with `CPython >= 3.9` using modules listed on
[Python Module Index](https://docs.python.org/3.9/py-modindex.html) [Python 2023].
-This page is in initiative by the OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
+This page is an initiative by the OpenSSF to improve secure coding in Python by providing a location for study. Its structure is based on
Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023].
-It currently contains *only* the code examples, documentation will follow.
+
+Some rules only contain code examples, documentation will follow.
## Disclaimer
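Review bot: "Some rules only contain code examples, documentation will follow." is a comma splice; "Some rules currently contain only code examples; documentation will follow." reads correctly. The untouched context line "Common Weakness Enamurator (CWE)" should be "Common Weakness Enumeration (CWE)"; since the commit message describes this as a typo fix, it is the natural place for that one too.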
From 852e82175254352bf1fe29e202b266ba7cb09a80 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Thu, 31 Oct 2024 09:14:10 -0400
Subject: [PATCH 07/15] Add to background more on *why* C and C++ will keep
existing (#675)
* Add to background more on *why* C and C++ will keep existing
This includes several citations.
Signed-off-by: David A. Wheeler
* Use dollar symbol for clarity
Signed-off-by: David A. Wheeler
* Some edits to improve readability
- Put monetary estimate into context in terms of scale
- Fix linter warnings due to two adjacent references
Signed-off-by: Thomas Nyman
---------
Signed-off-by: David A. Wheeler
Signed-off-by: Thomas Nyman
Co-authored-by: Thomas Nyman
---
...mpiler-Options-Hardening-Guide-for-C-and-C++.md | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
index 97d3d880..30dce984 100644
--- a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+++ b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
@@ -65,7 +65,19 @@ Applications written in the C and C++ programming languages are prone to exhibit
[^Cimpanu2020]: Cimpanu, Catalin, [Chrome: 70% of all security bugs are memory safety issues](https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/), ZDNet, 2020-05-22
-Most programming languages prevent such defects by default. A few languages allow programs to temporarily suspend these protections in special circumstances, but they are intended for use in a few lines, not the whole program. There have been calls to rewrite C and C++ programs in other languages, but this is expensive and time-consuming, has its own risks, is sometimes impractical today (especially for less-common CPUs). Even with universal agreement, it would take decades to rewrite all such code. Consequently, it's important to take other steps to reduce the likelihood of defects becoming vulnerabilities. Aggressive use of compiler options can sometimes detect vulnerabilities or help counter their run-time effects.
+Most high-level programming languages are *"memory safe"* and prevent such defects by default. Many of these languages allow programs to temporarily suspend memory-safety protections in special circumstances, such as when calling into operating system APIs written in C, but such suspensions are intended to be limited for a few lines of code, not for the whole program. There have been calls to rewrite C and C++ programs in memory-safe languages. This has happened in some cases[^Prossimo2024]; however, such rewriting is expensive and time-consuming, has its own risks, and is sometimes impractical today, especially for uncommon CPUs. Even if universally agreed upon, rewriting all C and C++ code would take decades and incur massive monetary costs. One rough estimate of such rewrites puts the cost at $2.4 trillion US dollars[^Wheeler2024], which would make rewriting C and C++ a problem of similar scale (in terms of monetary investment required) as keeping global climate change goals within reach[^Volcovici2024]. Consequently, not all C and C++ can be revised or discarded[^Claburn2024]. For example, Google anticipates *"a residual amount of mature and stable memory-unsafe code will remain for the foreseeable future"*[^Rebert2024].
+
+[^Claburn2024]: Claburn, Thomas, [Google's memory safety plan includes rehab for unsafe languages: Large C and C++ codebases will be around for the 'foreseeable future'](https://www.theregister.com/2024/10/16/google_legacy_code/), The Register, 2024-10-16.
+
+[^Prossimo2024]: Internet Security Research Group, [Prossimo](https://www.memorysafety.org/), Prossimo project homepage. 2024-10-22.
+
+[^Rebert2024]: Rebert, Alex; Carruth, Chandler; Engel, Jen, and Qin, Andy, [Safer with Google: Advancing Memory Safety](https://security.googleblog.com/2024/10/safer-with-google-advancing-memory.html), Google Security Blog, 2024-10-15.
+
+[^Volcovici2024]: Volcovici, Valerie, [UN climate chief calls for $2.4 trillion in climate finance](https://www.reuters.com/sustainability/sustainable-finance-reporting/un-climate-chief-calls-24-trillion-climate-finance-2024-02-02/), Reuters, 2024-02-02.
+
+[^Wheeler2024]: Wheeler, David A., [Improving Memory Safety without a Trillion Dollars](https://docs.google.com/presentation/d/1EDQL-6MUKrqbILBtYjpiF96uW5LXcnIuE-HxzyCIr68/edit), 2024.
+
+Consequently, it's important to accept that C and C++ will continue to be used, and to take *other* steps to reduce risks. To reduce risk, we must reduce the likelihood of defects becoming vulnerabilities, or reduce the impact of such defects. Aggressive use of compiler options can sometimes detect vulnerabilities or help counter their run-time effects.
Run-time attacks differ from conventional malware, which carries out its malicious program actions through a dedicated program executable, in that run-time attacks influence benign programs to behave maliciously. A run-time attack that exploits unmitigated memory vulnerabilities can be leveraged by threat actors as the initial attack vectors that allow them to gain a presence on a system, e.g., by injecting malicious code into running programs.
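Review bot: "$2.4 trillion US dollars" states the currency twice; write "$2.4 trillion" or "2.4 trillion US dollars". "Consequently" opens both the last sentence of the expanded paragraph ("Consequently, not all C and C++ can be revised or discarded") and the new closing paragraph ("Consequently, it's important to accept..."); vary one of them. The Wheeler2024 footnote, which carries the headline cost figure, cites an editable Google Slides deck; a stable or archived copy would be a sturdier reference for a number the argument leans on this heavily.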
From 59bb863796b827936be24a896a6aaba4168383f0 Mon Sep 17 00:00:00 2001
From: Lukas Backström (FKA Larsson)
Date: Thu, 31 Oct 2024 10:45:19 +0100
Subject: [PATCH 08/15] Fix fallthrough example macro to work with very old gcc
versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To deal with old gcc versions that do not have `__has_attribute`, the gcc manual suggests using this form.
See https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fattribute.html
Signed-off-by: Lukas Backström (FKA Larsson)
---
.../Compiler-Options-Hardening-Guide-for-C-and-C++.md | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
index 30dce984..916f3e65 100644
--- a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+++ b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
@@ -342,9 +342,12 @@ This warning flag does not have a performance impact. However, sometimes a fallt
The C17 standard[^C2017] does not provide a mechanism to mark intentional fallthroughs. Different tools support different mechanisms for marking one, including attributes and comments in various forms[^Shafik15]. A portable way to mark one is to define a function-like macro named `fallthrough()` to mark an intentional fallthrough that adjusts to the relevant tool (e.g., compiler) mechanism. We suggest using this construct below, inspired by the keyword-like construct used by the Linux kernel version 6.4 and later[^Howlett23]. We suggest using a function call syntax instead so more editors and other tools will deal with it correctly:
~~~c
-#if __has_attribute(__fallthrough__)
-# define fallthrough() __attribute__((__fallthrough__))
-#else
+#ifdef __has_attribute
+# if __has_attribute(__fallthrough__)
+# define fallthrough() __attribute__((__fallthrough__))
+# endif
+#endif
+#ifndef fallthrough
# define fallthrough() do {} while (0) /* fallthrough */
#endif
~~~
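Review bot: the surrounding prose still says only "We suggest using this construct below" and gives no reason for the extra `#ifdef __has_attribute` wrapper, so a reader who simplifies it back to `#if __has_attribute(__fallthrough__)` will reintroduce the preprocessor error on compilers that lack `__has_attribute`; add one sentence explaining that and cite the GCC manual page named in the commit message (https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fattribute.html). The `#ifndef fallthrough` fallback relies on the first block having defined the function-like macro; a short comment on that line ("defined above when the attribute is available") would make the two-stage structure obvious to people copying it into their own headers.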
From 6b1a3b57fd08b0cb8eeb53f82fb3d68ad1e90b71 Mon Sep 17 00:00:00 2001
From: Thomas Nyman
Date: Thu, 31 Oct 2024 12:36:32 +0100
Subject: [PATCH 09/15] Retire CLANG_DEFAULT_PIE_ON_LINUX in favor of Clang
configuration files
Signed-off-by: Thomas Nyman
---
.../Compiler-Options-Hardening-Guide-for-C-and-C++.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
index 916f3e65..b1b4c95a 100644
--- a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+++ b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
@@ -1392,7 +1392,8 @@ If you are compiling a C/C++ compiler, where practical make the generated compil
| `--enable-default-ssp` | GCC 6.1.0 | Turn on [`-fstack-protector-strong`](#-fstack-protector-strong) by default for binaries produced by the compiler |
| `--enable-host-pie` | GCC 14.0.0 | Build the compiler executables with [`-fPIE`](#-fPIE_-pie) and [`-pie`](#-fPIE_-pie) |
| `--enable-host-bind-now` | GCC 14.0.0 | Build the compiler executables with [`-Wl,-z,now`](#-Wl,-z,now) |
-| `CLANG_DEFAULT_PIE_ON_LINUX` | Clang 14.0.0 | Turn on [`-fPIE`](#-fPIE_-pie) and [`-pie`](#-fPIE_-pie) by default for binaries produced by the compiler |
+
+Note that LLVM recommends using Clang configuration files[^clang-config] to pass the relevant defaults to the compiler. Command-line options provided in a configuration file are prepended to the rest of the options on the command line.
## What should you do when compiling linkers?
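Review bot: the removed table row told the reader what `CLANG_DEFAULT_PIE_ON_LINUX` achieved, but the replacement sentence only says to use configuration files without naming the options that go into them; spell out that the configuration file should carry the `-fPIE` and `-pie` defaults (or cross-reference the `-fPIE_-pie` section) so the Clang guidance stays as actionable as the GCC rows that remain in the table.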
@@ -1413,6 +1414,8 @@ Some background on the introduction of these options to GNU Binutils is availabl
Note that LLVM recommends using Clang configuration files to pass the relevant options to the linker via the compiler driver, so no such options exist here.
+[^clang-config]: LLVM team, [Configuration files](https://clang.llvm.org/docs/UsersManual.html#configuration-files), Clang Compiler User’s Manual, 2024-09-17.
+
[^Clifton22]: Clifton, Nick, [The linker’s warnings about executable stacks and segments](https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments), Red Hat Blog, 2022-09-14.
## Contributors
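Review bot: the context line just above ("Note that LLVM recommends using Clang configuration files to pass the relevant options to the linker via the compiler driver...") makes the same recommendation as the sentence added in the previous hunk but carries no citation; attach the new `[^clang-config]` footnote there too so both statements are backed by the same reference.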
@@ -1464,6 +1467,7 @@ Many more security-relevant compiler options exist than are recommended in this
| `-fasynchronous-unwind-tables` | GCC 3.1.1
Clang 7.0.0 | Generate stack unwind table in DWARF2 format, which improves precision of unwind information[^Song20] and can improve the performance of profilers at the cost of larger binary sizes[^Bastian19], but does not benefit security.
| `-fvtable-verify` |GCC 4.9.4 | Enables run-time checks for C++ virtual function pointers corruption. This option has significant performance overhead[^Tice2014] and breaks ABI with all existing system libraries unless the entire userspace is built with `-fvtable-verify`[^gentoo-vtv]. Believed to be currently unmaintained in GCC.
| `-mmitigate-rop` | GCC 6.1 | Avoids combination of particular opcodes which can be reinterpretted as a return opcode in an attempt to mitigate Return Oriented Programming (ROP) attacks[^gcc-mmitigate-rop]. Was considered to be ineffective and security-theatre-esque, so was deprecated in GCC 9.1[^Bizjak2018].
+| `CLANG_DEFAULT_PIE_ON_LINUX` | Clang 14.0.0 | When compiling Clang, turns on [`-fPIE`](#-fPIE_-pie) and [`-pie`](#-fPIE_-pie) by default for binaries produced by the compiler. Superceded by default provided via configuration files[^clang-config].
[^nodump]: The `-Wl,-z,nodump` option sets `DF_1_NODUMP` flag in the object’s `.dynamic` section tags. On Solaris this restricts calls to `dldump(3)` for the object. However, other operating systems ignore the `DF_1_NODUMP` flag. While Binutils implements `-Wl,-z,nodump` for Solaris compatibility a choice was made to not support it in `lld` ([D52096 lld: add -z nodump support](https://reviews.llvm.org/D52096)).
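Review bot: "Superceded" should be "Superseded". Because this table lists compiler flags and `CLANG_DEFAULT_PIE_ON_LINUX` is a build-time CMake variable set when compiling Clang rather than an option passed to it, say "CMake option" explicitly in the description so the row is not read as a command-line flag; the neighbouring -mmitigate-rop context line also has "reinterpretted" for "reinterpreted".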
From d293d0ced2cf100cb685d1ba4eee3f5327855e3f Mon Sep 17 00:00:00 2001
From: Thomas Nyman
Date: Thu, 31 Oct 2024 12:20:06 +0100
Subject: [PATCH 10/15] Add Jekyll-generated site, metadata, and cache to
gitignore
This improves the experience when previewing the generated site using a local Jekyll instance
Signed-off-by: Thomas Nyman
---
.gitignore | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.gitignore b/.gitignore
index a55bb336..7202a66a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -103,3 +103,8 @@ jspm_packages/
# Optional npm cache directory
.npm
+
+# Jekyll-generated site, metadata, and cache
+_site
+docs/.jekyll-metadata
+docs/.sass-cache/
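Review bot: `_site` has no trailing slash, so unlike `docs/.sass-cache/` it also ignores a regular file of that name; `_site/` would be consistent and more precise. It is also the only unanchored pattern of the three, presumably because Jekyll may be run from either the repository root or docs/, whereas `docs/.jekyll-metadata` assumes one layout; a comment stating which working directory is expected would remove the ambiguity.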
From 2a580dadf209097c925b6a471b7c3c070e107efc Mon Sep 17 00:00:00 2001
From: Thomas Nyman
Date: Thu, 31 Oct 2024 15:35:48 +0100
Subject: [PATCH 11/15] Bump date for Compiler Options Hardening Guide for C
and C++
Signed-off-by: Thomas Nyman
---
.../Compiler-Options-Hardening-Guide-for-C-and-C++.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
index b1b4c95a..2e57236a 100644
--- a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+++ b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
@@ -1,6 +1,6 @@
# Compiler Options Hardening Guide for C and C++
-*by the [Open Source Security Foundation (OpenSSF)](https://openssf.org) [Best Practices Working Group](https://best.openssf.org/), 2024-10-17*
+*by the [Open Source Security Foundation (OpenSSF)](https://openssf.org) [Best Practices Working Group](https://best.openssf.org/), 2024-10-31*
This document is a guide for compiler and linker options that contribute to delivering reliable and secure code using native (or cross) toolchains for C and C++. The objective of compiler options hardening is to produce application binaries (executables) with security mechanisms against potential attacks and/or misbehavior.
From cd8fc0a675ac01be2cc0620df9f2b8c8c08d2ba1 Mon Sep 17 00:00:00 2001
From: Helge Wehder
Date: Fri, 1 Nov 2024 17:53:50 +0000
Subject: [PATCH 12/15] pySCG adding missing CVEs for 755 and 532
Signed-off-by: Helge Wehder
---
docs/Secure-Coding-Guide-for-Python/readme.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index f216bcb3..ee778b86 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -49,7 +49,7 @@ It is **not production code** and requires code-style or python best practices t
|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: **8.8**,
EPSS: **00.20** (23.11.2023)|
|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)||
|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)||
-|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/.)||
+|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: **9.8**,
EPSS: **0.04** (01.11.2024)|
|[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)||
|[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)||
|[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||
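Review bot: the EPSS value in the new CWE-532 row is written `0.04`, while the CWE-426 row two lines above uses the zero-padded form `00.20`; pick one format for the column (the existing rows use two digits before the point) so the values read as the same scale. The `README.md` link fix for CWE-532 is good; the neighbouring CWE-502 row still points at `CWE-664/CWE-502/.` and could get the same treatment.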
@@ -82,7 +82,7 @@ It is **not production code** and requires code-style or python best practices t
|[CWE-390: Detection of Error Condition without Action](CWE-703/CWE-390/)||
|[CWE-392: Missing Report of Error Condition](CWE-703/CWE-392/README.md)||
|[CWE-754: Improper Check for Unusual or Exceptional Conditions](CWE-703/CWE-754/.)||
-|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/.)||
+|[CWE-755: Improper Handling of Exceptional Conditions](CWE-703/CWE-755/README.md)|[CVE-2024-39560](https://www.cvedetails.com/cve/CVE-2024-39560),
CVSSv3.1: **6.5**,
EPSS: **0.04** (01.11.2024)|
|[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE|
|:----------------------------------------------------------------|:----|
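Review bot: the CWE-755 row records EPSS as `0.04` where the rest of the table pads to two leading digits (`00.20`, `01.43`); normalise to the table's convention. Since the CWE-755 link is being moved to `README.md`, the CWE-754 row directly above, which still links `CWE-703/CWE-754/.`, is a candidate for the same change.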
From 95fd687ac154695b420a6eef7cdc34e805ebb4a1 Mon Sep 17 00:00:00 2001
From: "David A. Wheeler"
Date: Tue, 5 Nov 2024 10:36:15 -0500
Subject: [PATCH 13/15] Add secret scanning to SCM guide, fixes #488 (#489)
* Add secret scanning to SCM guide, fixes #488
Signed-off-by: David A. Wheeler
* Fix markdownlint issues
Signed-off-by: David A. Wheeler
* Update docs/SCM-BestPractices/github/repository/secret_scanning.md
fixes typo
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/github/repository/secret_scanning.md
better word choice
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/github/repository/secret_scanning.md
"quotes"
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/github/repository/secret_scanning.md
"quotes"
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/github/repository/secret_scanning.md
"quotes"
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/gitlab/project/secret_scanning.md
better word choice
Co-authored-by: Chris de Almeida
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
* Update docs/SCM-BestPractices/README.md
Co-authored-by: Chris de Almeida
Signed-off-by: David A. Wheeler
---------
Signed-off-by: David A. Wheeler
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Chris de Almeida
---
docs/SCM-BestPractices/README.md | 1 +
.../github/repository/secret_scanning.md | 74 +++++++++++++++++++
.../gitlab/project/secret_scanning.md | 70 ++++++++++++++++++
3 files changed, 145 insertions(+)
create mode 100644 docs/SCM-BestPractices/github/repository/secret_scanning.md
create mode 100644 docs/SCM-BestPractices/gitlab/project/secret_scanning.md
diff --git a/docs/SCM-BestPractices/README.md b/docs/SCM-BestPractices/README.md
index 1071cb80..2efe3381 100644
--- a/docs/SCM-BestPractices/README.md
+++ b/docs/SCM-BestPractices/README.md
@@ -126,6 +126,7 @@ For recommendations only applicable to GitHub or GitLab visit one of the followi
* Repository Should Not Allow Committer Approvals [](gitlab/project/repository_allows_committer_approvals_policy.md) [GitLab](gitlab/project/repository_allows_committer_approvals_policy.md)
* Webhook Configured Without SSL Verification [](gitlab/project/project_webhook_doesnt_require_ssl.md) [GitLab](gitlab/project/project_webhook_doesnt_require_ssl.md)
* Project Should Have Fewer Than Three Owners [](gitlab/project/project_has_too_many_admins.md) [GitLab](gitlab/project/project_has_too_many_admins.md)
+* Secret Scanning Should be Enabled [](github/repository/secret_scanning.md) [GitHub](github/repository/secret_scanning.md)
### Operations
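Review bot: the new list entry links only the GitHub page, although this commit also adds `gitlab/project/secret_scanning.md`; the surrounding entries use the pattern `[](path) [GitLab](path)`, so the entry should carry both links, for example `[GitHub](github/repository/secret_scanning.md) [GitLab](gitlab/project/secret_scanning.md)`. Minor: the neighbouring titles are in title case ("Should Have", "Should Not"), so "Should be Enabled" should read "Should Be Enabled".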
diff --git a/docs/SCM-BestPractices/github/repository/secret_scanning.md b/docs/SCM-BestPractices/github/repository/secret_scanning.md
new file mode 100644
index 00000000..9bbbc66e
--- /dev/null
+++ b/docs/SCM-BestPractices/github/repository/secret_scanning.md
@@ -0,0 +1,74 @@
+# Secret Scanning
+
+policy name: secret_scanning
+
+severity: HIGH
+
+## Description
+
+This security control checks for secrets being checked into a repository
+and prevents it.
+Turning on secret scanning detects many kinds of secrets being checked
+into a repository and reports it.
+Push protection builds on secret scanning and prevents attempts to add such
+secrets (and creates an alert if that is overridden).
+
+## Threat Example(s)
+
+Inserting a secret into a source code repository is unfortunately an easy
+mistake to make. Instructions for various services often
+encourage putting secrets into a repository (as it's the "simple" way
+to do it, though not the secure way).
+Once secrets are in a repository, they become available for anyone who
+can view the repository (directly or via a copy).
+Inserting secrets into a source code repository is a mistake, since
+it interferes with the whole point of a secret: keeping it secret.
+This is such a common type of vulnerability that it is identified as
+the Common Weakness Enumeration (CWE)
+[CWE-540: Inclusion of Sensitive Information in Source Code](https://cwe.mitre.org/data/definitions/540.html).
+
+## Remediation
+
+Like practically all tools, secret scanning is subject to false positives
+and false negatives. That said, secret scanning can prevent significant
+vulnerabilities and should be enabled.
+
+There are two different steps, scanning and enforcement:
+
+* On a new project you should enable both scanning and enforcement.
+* On an existing project you should enable scanning, ensure it works
+ well first, and *then* enable enforcement.
+
+### Enabling Secret Scanning
+
+[The GitHub documentation describes how to enable secret scanning](https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories).
+
+In short, to enable GitHub secret scanning on a repository:
+
+1. Make sure you have admin permissions
+2. Go to the repo's settings page
+3. Enter "Security" section of the sidebar, click "Code security and analysis".
+4. Click "Enable for secret scanning"
+5. Click "Save changes"
+
+You may also choose to enable other secret scanning tools.
+For example, those with access to the Linux Foundation's LFX tools should
+consider enabling its secret scanning tools as well.
+
+### Enforcing Secret Scanning
+
+In GitHub you can enable push protection on secret scanning
+for repositories and organizations.
+When this is enabled, secret scanning "blocks contributors
+from pushing secrets to a repository and generates an alert
+whenever a contributor bypasses the block."
+
+[The GitHub documentation describes how to enable push protection with secret scanning](https://docs.github.com/en/code-security/secret-scanning/push-protection-for-repositories-and-organizations).
+
+In short, to enforce GitHub secret scanning on a repository:
+
+1. Make sure you have admin permissions
+2. Go to the repo's settings page
+3. Enter "Security" section of the sidebar, click "Code security and analysis".
+4. Under "Code security and analysis", find "GitHub Advanced Security."
+5. Under "Secret scanning", under "Push protection", click "Enable".
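Review bot: the Description opens with "checks for secrets being checked into a repository and prevents it", but the same paragraph and the Remediation section make clear that prevention only happens when push protection is enabled as a separate step; suggest "and, with push protection enabled, prevents it" so the first sentence does not overstate what secret scanning alone does. In both numbered procedures, step 3 'Enter "Security" section of the sidebar, click "Code security and analysis".' reads awkwardly; 'In the "Security" section of the sidebar, click "Code security and analysis".' is clearer. The Remediation advice to enable scanning first on an existing project and enforcement only after it is known to work well is the right order and worth keeping prominent.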
diff --git a/docs/SCM-BestPractices/gitlab/project/secret_scanning.md b/docs/SCM-BestPractices/gitlab/project/secret_scanning.md
new file mode 100644
index 00000000..ad30d271
--- /dev/null
+++ b/docs/SCM-BestPractices/gitlab/project/secret_scanning.md
@@ -0,0 +1,70 @@
+# Secret Scanning
+
+policy name: secret_scanning
+
+severity: HIGH
+
+## Description
+
+This security control checks for secrets being checked into a repository.
+Turning on secret detection (also called secret scanning)
+detects many kinds of secrets being checked
+into a repository and reports it.
+At this time GitLab's mechanism for *preventing* this event is experimental.
+
+## Threat Example(s)
+
+Inserting a secret into a source code repository is unfortunately an easy
+mistake to make. Instructions for various services often
+encourage putting secrets into a repository (as it's the "simple" way
+to do it, though not the secure way).
+Once secrets are in a repository, they become available for anyone who
+can view the repository (directly or via a copy).
+Inserting secrets into a source code repository is a mistake, since
+it interferes with the whole point of a secret: keeping it secret.
+This is such a common type of vulnerability that it is identified as
+the Common Weakness Enumeration (CWE)
+[CWE-540: Inclusion of Sensitive Information in Source Code](https://cwe.mitre.org/data/definitions/540.html).
+
+## Remediation
+
+Like practically all tools, secret scanning is subject to false positives
+and false negatives. That said, secret scanning can prevent significant
+vulnerabilities and should be enabled.
+
+GitLab includes
+[two different secret detection methods](https://docs.gitlab.com/ee/user/application_security/secret_detection/)
+which can be used simultaneously:
+
+* The pipeline method "detects secrets during the project’s CI/CD pipeline.
+ This method cannot reject pushes".
+* The pre-receive method "detects secrets when users push changes to
+ the remote Git branch. This method can reject pushes if a secret is detected."
+
+However, as of 2024-05-14, the pre-receive method is an
+experiment with limited availability. Thus, we focus on the pipeline method.
+The pipeline method is unfortunately unable to *prevent* this, but at least
+it quickly warns you of the event.
+
+Note that secret scanning is automatically enabled if you enable
+[Auto DevOps](https://docs.gitlab.com/ee/topics/autodevops/index.html#enable-or-disable-auto-devops).
+
+Those with more complex needs must
+edit the `.gitlab-ci.yml` file manually.
+To do this:
+
+1. Make sure you can manage project merge requests permissions
+2. Go to the project's settings page
+3. Select "Build > Pipeline editor"
+4. Add the following to the end of the `.gitlab-ci.yml` file:
+
+ ~~~~yml
+ include:
+ - template: Jobs/Secret-Detection.gitlab-ci.yml
+ ~~~~
+
+5. Select the Validate tab, then select Validate pipeline.
+ The message "Simulation completed successfully" indicates the file is valid.
+6. Select the Edit tab.
+7. In the Branch text box, enter the name of the default branch.
+8. Select Commit changes.
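Review bot: "as of 2024-05-14, the pre-receive method is an experiment with limited availability" is already six months stale relative to this November 2024 commit; either refresh the date after re-checking the linked GitLab page or phrase it as "at the time of writing" with the date so readers know to re-check. The paragraph "Those with more complex needs must edit the `.gitlab-ci.yml` file manually" has an unclear referent after the Auto DevOps note; "If you do not use Auto DevOps, or need more control, add the template to `.gitlab-ci.yml` manually" says what is meant. Step 1 "Make sure you can manage project merge requests permissions" is hard to parse and should name the permission actually needed to commit to `.gitlab-ci.yml` on the default branch.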
From 904ef17189a136625fdfcd9a7a8421c5df97f35e Mon Sep 17 00:00:00 2001
From: myteron
Date: Fri, 8 Nov 2024 09:38:54 +0000
Subject: [PATCH 14/15] pySCG: adding missing CVEs to CWE 180, 501, 502, 843
(#691)
Signed-off-by: Helge Wehder
Signed-off-by: myteron
---
docs/Secure-Coding-Guide-for-Python/readme.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index 2827be05..4dfe5967 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -48,13 +48,13 @@ It is **not production code** and requires code-style or python best practices t
|[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/.)||
|[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)||
|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),
CVSSv3.0: **8.8**,
EPSS: **00.20** (23.11.2023)|
-|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)||
-|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)||
+|[CWE-501: Trust Boundary Violation)](CWE-664/CWE-501/README.md)|[CVE-2023-28597](https://www.cvedetails.com/cve/CVE-2023-28597),
CVSSv3.0: **7.5**,
EPSS: **00.11** (05.11.2024)|
+|[CWE-502: Deserialization of Untrusted Data)](CWE-664/CWE-502/.)|[CVE-2018-8021](https://www.cvedetails.com/cve/CVE-2018-8021),
CVSSv3.0: **9.8**,
EPSS: **93.54** (05.11.2024)|
|[CWE-532: Insertion of Sensitive Information into Log File](CWE-664/CWE-532/README.md)|[CVE-2023-45585](https://www.cvedetails.com/cve/CVE-2023-45585),
CVSSv3.1: **9.8**,
EPSS: **0.04** (01.11.2024)|
|[CWE-665: Improper Initialization](CWE-664/CWE-665/README.md)||
|[CWE-681: Incorrect Conversion between Numeric Types](CWE-664/CWE-681/README.md)||
|[CWE-833: Deadlock](CWE-664/CWE-833/README.md)||
-|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)||
+|[CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')](CWE-664/CWE-843/.)|[CVE-2021-29513](https://www.cvedetails.com/cve/CVE-2021-29513),
CVSSv3.1: **7.8**,
EPSS: **00.05** (05.11.2024)|
|[XXX-005: Consider hash-based integrity verification of byte code files against their source code files](CWE-664/XXX-005/.)||
|[CWE-682: Incorrect Calculation](https://cwe.mitre.org/data/definitions/682.html)|Prominent CVE|
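Review bot: the modified CWE-501 and CWE-502 rows both keep a stray `)` inside the link text (`Trust Boundary Violation)` and `Deserialization of Untrusted Data)`); since these lines are being rewritten anyway, drop the extra parenthesis. The CWE-502 link still targets `CWE-664/CWE-502/.` while the CWE-501 row and the CWE-532 row below point at `README.md`; the `/.` form renders differently on GitHub and should be made consistent.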
@@ -89,7 +89,7 @@ It is **not production code** and requires code-style or python best practices t
|:----------------------------------------------------------------|:----|
|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/.)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: **9.8**,
EPSS: **01.43** (18.02.2024)|
|[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/.)||
-|[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)||
+|[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)|[CVE-2022-26136](https://www.cvedetails.com/cve/CVE-2022-26136/),
CVSSv3.1: **9.8**,
EPSS: **00.77** (05.11.2024)|
|[CWE-710: Improper Adherence to Coding Standards](https://cwe.mitre.org/data/definitions/710.html)|Prominent CVE|
|:----------------------------------------------------------------|:----|
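Review bot: the CWE-180 link text "Incorrect behavior order: Validate before Canonicalize" does not match MITRE's title casing ("Incorrect Behavior Order: Validate Before Canonicalize", which is also how the new CWE-78 README in this series refers to it); since the line is being changed, align the title. The EPSS value `00.77` follows the table's zero-padded convention, which is good; the newly added CVE link uses a trailing slash (`CVE-2022-26136/`) whereas most rows do not, a small consistency point.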
From 5abf31f3d75b911e3b4fac65c415d729454bbece Mon Sep 17 00:00:00 2001
From: myteron
Date: Fri, 8 Nov 2024 13:50:54 +0000
Subject: [PATCH 15/15] pySCG adding CWE-78 code and doc (#689)
Adding doc and code for CWE-78 as part of #531
Signed-off-by: Helge Wehder
Co-authored-by: Georg Kunz and BartyBoi1128
---
.../CWE-707/CWE-78/README.md | 216 ++++++++++++++++++
.../CWE-707/CWE-78/compliant01.py | 41 ++++
.../CWE-707/CWE-78/noncompliant01.py | 25 ++
.../CWE-707/CWE-78/noncompliant02.py | 36 +++
docs/Secure-Coding-Guide-for-Python/readme.md | 1 +
5 files changed, 319 insertions(+)
create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/README.md
create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/compliant01.py
create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant01.py
create mode 100644 docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant02.py
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/README.md b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/README.md
new file mode 100644
index 00000000..c034935e
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/README.md
@@ -0,0 +1,216 @@
+# CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")
+
+Avoid input from untrusted sources to be used directly as part of an OS command and use specialized Python modules where possible instead.
+
+Python can run shell commands either with an active `shell=True` where an actual shell is invoked to run a line of commands such `/bin/bash -c "ls -la *.txt"` or via non-interactive `shell=False` expecting a Python list object.
+
+Using `shell=False` is recommended but is not going to prevent all attacks.
+
+Examples of reduced functionality with `shell=False`:
+
+* Asterisks `ls -1 *.txt` get surrounded by single quotes `ls -1 '*.txt'` so that some Unix commands to no longer work.
+* Piping commands `ls -1 |grep *.txt` is prohibited.
+* Escape sequences can be difficult to manage
+
+Specialized Python modules, such as `pathlib` or `shutil`, provide a platform-independent solution for most needs and should generally be preferred.
+
+Following table 00 provides a limited list of Unix shell commands to Python module mapping, see [Python Module index](https://docs.python.org/3/py-modindex.html) for more.
+
+|Action|Unix|Python|
+|:---|:---|:---|
+|Compress or decompress files|gzip, unzip|zlib, gzip, bz2, lzma|
+|Filesystem operations|`find .`
`tree`
`ls -1 *.txt`
`test -d`
`test -f`
`cp`|`Path.rglob("*.txt")`
`Path.glob("*.txt")`
`Path.is_dir()`
`Path.is_file()`
`shutil.copy()`|
+|Access control operations|`chown`
`chmod`|`shutil.chown()`
`shutil.chmod()`
`stat`|
+|Environment variables|`export`
`set`|`os.getenv()`
`os.setenv()`|
+|Get user/group id|id|`os.getuid()`
`os.setuid()`|
+|Get OS and/or kernel type and name|uname -as|`os.uname()`|
+
+table 00, example list of Unix commands and their Python equivalents.
+
+Any variation of using input from a lesser trusted source as part of a command line program has a very high probability of resulting in a potential attack including the use of specialized modules. Consider:
+
+* *CWE-184: Incomplete List of Disallowed Input.*
+* *CWE-209: Generation of Error Message Containing Sensitive Information.*
+* *[CWE-501: Trust Boundary Violation](https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Secure-Coding-Guide-for-Python/CWE-664/CWE-501/README.md)*
+
+## Non-Compliant Code Example (Read Only)
+
+This scenario demonstrates a potential remote command execution. The `FileOperations.list_dir()` method allows an attacker to inject commands into the string dirname such as `head -1 /etc/passwd` under Linux or `net user` under Windows. Older versions of `Python < 3.9.12` allow to turn a non-interactive shell into an active shell in Windows by providing `cmd.exe /C` as an argument [[python.org 3.12.5 - Subprocess management]](https://docs.python.org/3/library/subprocess.html).
+
+*[noncompliant01.py](noncompliant01.py):*
+
+```python
+""" Non-compliant Code Example """
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+from subprocess import Popen
+import os
+
+
+class FileOperations:
+ """Helper class for file system operations"""
+
+ def list_dir(self, dirname: str):
+ """List the contents of a directory"""
+ if "nt" in os.name:
+ Popen("dir " + dirname, shell=True).communicate()
+ if "posix" in os.name:
+ Popen("ls " + dirname, shell=True).communicate()
+
+
+#####################
+# Trying to exploit above code example
+#####################
+if "nt" in os.name:
+ FileOperations().list_dir("%HOMEPATH% & net user")
+if "posix" in os.name:
+ FileOperations().list_dir("/etc/shadow; head -1 /etc/passwd")
+
+```
+
+The code in `noncompliant01.py` prints the first line of `/etc/passwd` on Linux or starts `net user` under Windows.
+The `FileOperations().list_dir()` method allows an attacker to add commands via `;` in Linux and `&` in Windows.
+
+## Non-Compliant Code Example (Read, Write)
+
+The attack surface increases if a user is also allowed to upload or create files or folders.
+
+The `noncompliant02.py` example demonstrates the injection via file or folder name that is created prior to using the `list_dir()` method. We assume here that an untrusted user is allowed to create files or folders named `& calc.exe or ;ps aux` as part of another service such as upload area, submit form, or as a result of a zip-bomb as per *CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)*. Encoding issues as described in *CWE-180: Incorrect Behavior Order: Validate Before Canonicalize* must also be considered.
+
+The issue occurs when mixing shell commands with data from a lesser trusted source.
+
+Some shell commands, such as `find` with `-exec`, allow running secondary commands via arguments [[CTFOBins]](https://gtfobins.github.io/) [[LOLBAS]](https://lolbas-project.github.io/) that can be misused for shell injections if no shell is provided `shell=False`. The `shlex.split()` method is frequently used to split a string into a list for `subprocess.run()` in order to run a non-interactive shell such as `ls -la` into `["ls", "-la"]` and plays a minor role in simplifying the attack. The `noncompliant02.py` code only works on Linux, in this example calling a rather harmless uptime.
+
+*[noncompliant02.py](noncompliant02.py):*
+
+```python
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+import os
+import shlex
+from subprocess import run
+
+
+def list_dir(dirname: str):
+ """Lists only 2 levels of folders in a default directory"""
+ os.chdir(dirname)
+ cmd = "find . -maxdepth 1 -type d"
+ result = run(shlex.split(cmd), check=True, capture_output=True)
+
+ for subfolder in result.stdout.decode("utf-8").splitlines():
+ cmd = "find " + subfolder + " -maxdepth 1 -type d"
+ subresult = run(shlex.split(cmd), check=True, capture_output=True)
+ for item in subresult.stdout.decode("utf-8").splitlines():
+ print(item)
+
+
+#####################
+# Trying to exploit above code example
+#####################
+# just to keep it clean we create folder for this test
+os.makedirs("temp", exist_ok=True)
+
+# simulating upload area (payload):
+print("Testing Corrupted Directory")
+if "posix" in os.name:
+ with open("temp/toast.sh", "w", encoding="utf-8") as file_handle:
+ file_handle.write("uptime\n")
+ os.makedirs("temp/. -exec bash toast.sh {} +", exist_ok=True)
+
+# running the query:
+list_dir("temp")
+
+```
+
+In `noncompliant02.py` the attacker creates a `toast.sh` file that contains the commands to run. The attacker also creates a folder named `. -exec bash toast.sh {} +` that will later become part of the shell `find` command forming `find . -exec bash toast.sh {} +`.
+
+The result is that `list_dir(dirname)` will run the `toast.sh` as a shell script. The `toast.sh` file does not require execute rights and can contain any quantity of shell command complexity.
+
+## Compliant Solution
+
+The `compliant01.py` code using the cross-platform compatible pathlib module and restricting filesystem area. The `pathlib` on its own will not prevent all attacks.
+
+*[compliant01.py](compliant01.py):*
+
+```python
+""" Compliant Code Example """
+
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+import os
+from pathlib import Path
+
+
+def list_dir(dirname: str):
+ """List the contents of a directory recursively
+
+ Parameters:
+ dirname (string): Directory name
+ """
+ path = Path(dirname)
+ allowed_directory = Path.home()
+ # TODO: input sanitation
+ # TODO: Add secure logging
+ if Path(
+ allowed_directory.joinpath(dirname)
+ .resolve()
+ .relative_to(allowed_directory.resolve())
+ ):
+ for item in path.glob("*"):
+ print(item)
+
+
+#####################
+# Trying to exploit above code example
+#####################
+# just to keep it clean we create folder for this test
+os.makedirs("temp", exist_ok=True)
+
+# simulating upload area (payload):
+print("Testing Corrupted Directory")
+if "posix" in os.name:
+ with open("temp/toast.sh", "w", encoding="utf-8") as file_handle:
+ file_handle.write("uptime\n")
+ os.makedirs("temp/. -exec bash toast.sh {} +", exist_ok=True)
+
+# running the query:
+list_dir("temp")
+
+```
+
+The `compliant01.py` does not use data that origins from a lesser trusted source in order to form a shell command and would throw an error for an attempt to list content outside of the allowed area. The code is actually not "neutralizing" data itself from an untrusted source as such, the attack is "neutralized" by no longer using `subprocess` or `os` to run `find`.
+
+## Automated Detection
+
+|Tool|Version|Checker|Description|
+|:---|:---|:---|:---|
+|Pycharm|2022.3.3 Python 3.11.6|[PR100](https://pycharm-security.readthedocs.io/en/latest/checks/PR100.html)|Calling `subprocess.call`, `subprocess.run`, or `subprocess.Popen` with `shell=True` can leave the host shell open to local code execution or remote code execution attacks|
+|bandit|1.7.9 on python 3.11.4|[B404](https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess)|Consider possible security implications associated with these modules|
+|bandit|1.7.9 on python 3.11.4|[B602](https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)|Bsubprocess call with `shell=True` identified, security issue.bandit|
+|bandit|1.7.9 on python 3.11.4|[B603](https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html)|`subprocess` call - check for execution of untrusted input.|
+|bandit|1.7.9 on python 3.11.4|[B604](https://bandit.readthedocs.io/en/latest/plugins/b604_any_other_function_with_shell_equals_true.html)|Consider possible security implications associated with the `subprocess` module|
+|bandit|1.7.9 on python 3.11.4|[B605](https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html)|Bandit seems to detect any use of `os.system()` whether sanitized or not.|
+
+## Related Guidelines
+
+|||
+|:---|:---|
+|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-707: Improper Neutralization](hhttps://cwe.mitre.org/data/definitions/707.html)|
+|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](https://cwe.mitre.org/data/definitions/000.html)|
+|[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method)|
+|[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[ENV03-C. Sanitize the environment when invoking external programs](https://wiki.sei.cmu.edu/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs)|
+|[SEI CERT C Coding Standard](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard)|[ENV33-C. Do not call system()](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177)|
+|[SEI CERT C++ Coding Standard](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682)|[ENV03-CPP. Sanitize the environment when invoking external programs VOID ENV02-CPP. Do not call system() if you do not need a command processor](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046815)|
+|[ISO/IEC TR 24772:2013](https://wiki.sei.cmu.edu/confluence/display/java/Rule+AA.+References#RuleAA.References-ISO/IECTR24772-2013)|Injection [RST]|
+
+## Bibliography
+
+|||
+|:---|:---|
+|[[Python docs](https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations)]|subprocess — Subprocess management — Python 3.10.4 documentation [online]. Available from: [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html), [accessed 1 November 2024] |
+|[[Python docs](https://docs.python.org/3/reference/expressions.html#binary-arithmetic-operations)]|os — Miscellaneous operating system interfaces — Python 3.10.4 documentation [online]. Available from: [https://docs.python.org/3/library/os.html#os.system](https://docs.python.org/3/library/os.html#os.system), [accessed 1 November 2024] |
+|[CTFOBins]|GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. [online]. Available from: [https://gtfobins.github.io/](https://gtfobins.github.io/), [accessed 1 November 2024] |
+|[LOLBAS]|LOLBAS Living Off The Land Binaries, Scripts and Libraries. [online]. Available from: [https://lolbas-project.github.io/](https://lolbas-project.github.io/), [accessed 1 November 2024] |
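Review bot: the Compliant Solution listing has a logic problem: `if Path(allowed_directory.joinpath(dirname).resolve().relative_to(allowed_directory.resolve())):` is always true, because a `Path` object is truthy regardless of its value; the only thing stopping an out-of-tree listing is `relative_to()` raising an uncaught `ValueError`, and the loop then globs `path = Path(dirname)`, which is resolved against the current working directory, not the `allowed_directory.joinpath(dirname)` that was checked. Suggest resolving once, testing with `target.is_relative_to(allowed_directory.resolve())` (Python 3.9+) or catching `ValueError` explicitly, and globbing the validated `target`, so the path that is checked is the path that is listed; the prose after the listing says the code "would throw an error" for an out-of-area attempt, which should then be updated to describe the actual behaviour. Several references are broken: the pillar link is `hhttps://cwe.mitre.org/data/definitions/707.html`, the CWE-78 base link goes to `definitions/000.html` instead of the CWE-78 page (`definitions/78.html`), and both "Python docs" bibliography entries link to `expressions.html#binary-arithmetic-operations` rather than the subprocess and os pages they cite. The citation key `[CTFOBins]` should be `[GTFOBins]` to match the site it names. The embedded `noncompliant01.py` and `compliant01.py` listings each start with a duplicated `""" ... Code Example """` docstring before the SPDX header that the actual files in this commit do not have; and the bandit B602 description "Bsubprocess call with `shell=True` identified, security issue.bandit" looks like a copy-paste artefact.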
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/compliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/compliant01.py
new file mode 100644
index 00000000..d5317000
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/compliant01.py
@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Compliant Code Example """
+import os
+from pathlib import Path
+
+
+def list_dir(dirname: str):
+ """List the contents of a directory recursively
+
+ Parameters:
+ dirname (string): Directory name
+ """
+ path = Path(dirname)
+ allowed_directory = Path.home()
+ # TODO: input sanitation
+ # TODO: Add secure logging
+ if Path(
+ allowed_directory.joinpath(dirname)
+ .resolve()
+ .relative_to(allowed_directory.resolve())
+ ):
+ for item in path.glob("*"):
+ print(item)
+
+
+#####################
+# Trying to exploit above code example
+#####################
+# just to keep it clean we create folder for this test
+os.makedirs("temp", exist_ok=True)
+
+# simulating upload area (payload):
+print("Testing Corrupted Directory")
+if "posix" in os.name:
+ with open("temp/toast.sh", "w", encoding="utf-8") as file_handle:
+ file_handle.write("uptime\n")
+ os.makedirs("temp/. -exec bash toast.sh {} +", exist_ok=True)
+
+# running the query:
+list_dir("temp")
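Review bot: the containment check in `list_dir()` does not do what the comment structure suggests: `Path(...)` is always truthy, so the `if` never takes the false branch, and an out-of-tree `dirname` is rejected only because `relative_to()` raises `ValueError`, which nothing catches. The listing then uses `path = Path(dirname)`, resolved against the current working directory, rather than the `allowed_directory.joinpath(dirname)` that was checked, so the validated path and the listed path can differ. Suggest replacing the block with something like `target = (allowed_directory / dirname).resolve()`, `if target.is_relative_to(allowed_directory.resolve()):` (Python 3.9+; otherwise wrap `relative_to` in `try/except ValueError`), and `for item in target.glob("*"):`, so the same path is both validated and enumerated, and handle the rejection case explicitly instead of leaving it to an unhandled exception. The two `# TODO` comments (input sanitation, secure logging) also sit in what the guide labels the compliant example; either resolve them or say in the README that they are intentionally out of scope.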
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant01.py b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant01.py
new file mode 100644
index 00000000..2e0fa37f
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant01.py
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+from subprocess import Popen
+import os
+
+
+class FileOperations:
+ """Helper class for file system operations"""
+
+ def list_dir(self, dirname: str):
+ """List the contents of a directory"""
+ if "nt" in os.name:
+ Popen("dir " + dirname, shell=True).communicate()
+ if "posix" in os.name:
+ Popen("ls " + dirname, shell=True).communicate()
+
+
+#####################
+# Trying to exploit above code example
+#####################
+if "nt" in os.name:
+ FileOperations().list_dir("%HOMEPATH% & net user")
+if "posix" in os.name:
+ FileOperations().list_dir("/etc/shadow; head -1 /etc/passwd")
diff --git a/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant02.py b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant02.py
new file mode 100644
index 00000000..6e365819
--- /dev/null
+++ b/docs/Secure-Coding-Guide-for-Python/CWE-707/CWE-78/noncompliant02.py
@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: OpenSSF project contributors
+# SPDX-License-Identifier: MIT
+""" Non-compliant Code Example """
+import os
+import shlex
+from subprocess import run
+
+
+def list_dir(dirname: str):
+ """Lists only 2 levels of folders in a default directory"""
+ os.chdir(dirname)
+ cmd = "find . -maxdepth 1 -type d"
+ result = run(shlex.split(cmd), check=True, capture_output=True)
+
+ for subfolder in result.stdout.decode("utf-8").splitlines():
+ cmd = "find " + subfolder + " -maxdepth 1 -type d"
+ subresult = run(shlex.split(cmd), check=True, capture_output=True)
+ for item in subresult.stdout.decode("utf-8").splitlines():
+ print(item)
+
+
+#####################
+# Trying to exploit above code example
+#####################
+# just to keep it clean we create folder for this test
+os.makedirs("temp", exist_ok=True)
+
+# simulating upload area (payload):
+print("Testing Corrupted Directory")
+if "posix" in os.name:
+ with open("temp/toast.sh", "w", encoding="utf-8") as file_handle:
+ file_handle.write("uptime\n")
+ os.makedirs("temp/. -exec bash toast.sh {} +", exist_ok=True)
+
+# running the query:
+list_dir("temp")
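Review bot: the docstring `"""Lists only 2 levels of folders in a default directory"""` does not match the behaviour, which lists whatever `dirname` it is given, and `os.chdir(dirname)` changes the working directory for the whole process without restoring it, so a second call, or any relative path used after the call, would resolve against the wrong directory. The `shlex.split("find " + subfolder + " -maxdepth 1 -type d")` construction is the intended defect (a subfolder name containing spaces is split into extra `find` arguments), so leave it, but fix the docstring and note the cwd side effect in a comment.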
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index 4dfe5967..30e8af6b 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -87,6 +87,7 @@ It is **not production code** and requires code-style or python best practices t
|[CWE-707: Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)|Prominent CVE|
|:----------------------------------------------------------------|:----|
+|[CWE-78: Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")](CWE-707/CWE-78/README.md)||
|[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](CWE-707/CWE-89/.)|[CVE-2019-8600](https://www.cvedetails.com/cve/CVE-2019-8600/),
CVSSv3.1: **9.8**,
EPSS: **01.43** (18.02.2024)|
|[CWE-117: Improper Output Neutralization for Logs](CWE-707/CWE-117/.)||
|[CWE-180: Incorrect behavior order: Validate before Canonicalize](CWE-707/CWE-180/.)|[CVE-2022-26136](https://www.cvedetails.com/cve/CVE-2022-26136/),
CVSSv3.1: **9.8**,
EPSS: **00.77** (05.11.2024)|
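Review bot: the new CWE-78 row is inconsistent with its neighbours: it links to `CWE-707/CWE-78/README.md` while the adjacent rows use the directory form (`CWE-707/CWE-89/.`), and its title uses `Used` and double quotes (`("OS Command Injection")`) where the CWE title and the other rows use lower-case `used` and single quotes (`('SQL Injection')`). Align the link form and quoting with the surrounding rows so the table renders and reads uniformly.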