Create rule S6505: Allowing shell scripts execution during package installation is security-sensitive (APPSEC-483) (#1584)

rules/S6505/ask-yourself.adoc

@@ -0,0 +1,5 @@
+== Ask Yourself Whether
+
+* The execution of dependency installation scripts is required for the application to function correctly.
+
+There is a risk if you answered no to the question.

rules/S6505/description.adoc

@@ -0,0 +1,4 @@
+When installing dependencies, package managers like ``++npm++`` will
+automatically execute shell scripts distributed along with the source code.
+Post-install scripts, for example, are a common way to execute malicious code
+at install time whenever a package is compromised.

rules/S6505/docker/implementation.adoc

@@ -0,0 +1,17 @@
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+* Omitting `--ignore-scripts` can lead to the execution of shell scripts. Make sure it is safe here.
+
+=== Highlighting
+
+Highlight the command and the subcommand, if the latter is present.
+
+'''
+
+endif::env-github,rspecator-view[]

rules/S6505/docker/metadata.json

@@ -0,0 +1,24 @@
+{
+  "title": "Allowing shell scripts execution during package installation is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6505",
+  "sqKey": "S6505",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      506,
+      829 
+    ]
+  },
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown"
+}

rules/S6505/docker/rule.adoc

@@ -0,0 +1,35 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,docker]
+----
+# Sensitive
+RUN npm install
+----
+
+[source,docker]
+----
+# Sensitive
+RUN yarn install
+----
+
+== Compliant Solution
+
+[source,docker]
+----
+RUN npm install --ignore-scripts
+----
+
+[source,docker]
+----
+RUN yarn install --ignore-scripts
+----
+
+include::../see.adoc[]
+
+include::implementation.adoc[]

rules/S6505/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6505/recommended.adoc

@@ -0,0 +1,6 @@
+== Recommended Secure Coding Practices
+
+Execution of third-party scripts should be disabled if not strictly necessary
+for dependencies to work correctly.
+Doing this will reduce the attack surface and block a well-known supply chain
+attack vector.

rules/S6505/see.adoc

@@ -0,0 +1,5 @@
+== See
+
+* https://cwe.mitre.org/data/definitions/506[MITRE, CWE-506] - Embedded Malicious Code
+* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
+* https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/[ESLint blog] - Postmortem for Malicious Packages Published on July 12th, 2018