diff --git a/rules/S6505/ask-yourself.adoc b/rules/S6505/ask-yourself.adoc
new file mode 100644
index 0000000000..688dd83c73
--- /dev/null
+++ b/rules/S6505/ask-yourself.adoc
@@ -0,0 +1,5 @@
+== Ask Yourself Whether
+
+* The execution of dependency installation scripts is required for the application to function correctly.
+
+There is a risk if you answered no to the question.
diff --git a/rules/S6505/description.adoc b/rules/S6505/description.adoc
new file mode 100644
index 0000000000..9d189dea92
--- /dev/null
+++ b/rules/S6505/description.adoc
@@ -0,0 +1,4 @@
+When installing dependencies, package managers like ``++npm++`` will
+automatically execute shell scripts distributed along with the source code.
+Post-install scripts, for example, are a common way to execute malicious code
+at install time whenever a package is compromised.
diff --git a/rules/S6505/docker/implementation.adoc b/rules/S6505/docker/implementation.adoc
new file mode 100644
index 0000000000..394f9326d5
--- /dev/null
+++ b/rules/S6505/docker/implementation.adoc
@@ -0,0 +1,17 @@
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+* Omitting `--ignore-scripts` can lead to the execution of shell scripts. Make sure it is safe here.
+
+=== Highlighting
+
+Highlight the command and the subcommand, if the latter is present.
+
+'''
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S6505/docker/metadata.json b/rules/S6505/docker/metadata.json
new file mode 100644
index 0000000000..31591d0140
--- /dev/null
+++ b/rules/S6505/docker/metadata.json
@@ -0,0 +1,24 @@
+{
+ "title": "Allowing shell scripts execution during package installation is security-sensitive",
+ "type": "SECURITY_HOTSPOT",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe"
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6505",
+ "sqKey": "S6505",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 506,
+ 829
+ ]
+ },
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6505/docker/rule.adoc b/rules/S6505/docker/rule.adoc
new file mode 100644
index 0000000000..d76801e41d
--- /dev/null
+++ b/rules/S6505/docker/rule.adoc
@@ -0,0 +1,35 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,docker]
+----
+# Sensitive
+RUN npm install
+----
+
+[source,docker]
+----
+# Sensitive
+RUN yarn install
+----
+
+== Compliant Solution
+
+[source,docker]
+----
+RUN npm install --ignore-scripts
+----
+
+[source,docker]
+----
+RUN yarn install --ignore-scripts
+----
+
+include::../see.adoc[]
+
+include::implementation.adoc[]
\ No newline at end of file
diff --git a/rules/S6505/metadata.json b/rules/S6505/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6505/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6505/recommended.adoc b/rules/S6505/recommended.adoc
new file mode 100644
index 0000000000..43f315f194
--- /dev/null
+++ b/rules/S6505/recommended.adoc
@@ -0,0 +1,6 @@
+== Recommended Secure Coding Practices
+
+Execution of third-party scripts should be disabled if not strictly necessary
+for dependencies to work correctly.
+Doing this will reduce the attack surface and block a well-known supply chain
+attack vector.
diff --git a/rules/S6505/see.adoc b/rules/S6505/see.adoc
new file mode 100644
index 0000000000..8209dcd7f4
--- /dev/null
+++ b/rules/S6505/see.adoc
@@ -0,0 +1,5 @@
+== See
+
+* https://cwe.mitre.org/data/definitions/506[MITRE, CWE-506] - Embedded Malicious Code
+* https://cwe.mitre.org/data/definitions/829[MITRE, CWE-829] - Inclusion of Functionality from Untrusted Control Sphere
+* https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/[ESLint blog] - Postmortem for Malicious Packages Published on July 12th, 2018