Improve code execution and shady links rules (#463)

Author: ikretz

guarddog/analyzer/sourcecode/code-execution.yml

@@ -41,6 +41,11 @@ rules:
           - pattern: subprocess.run([..., "... $ARG1 ...", ...], ...)
           - pattern: run([..., "$ARG1", ...], ...)
 
+          - pattern: subprocess.check_call($ARG1, ...)
+          - pattern: check_call($ARG1, ...)
+          - pattern: subprocess.check_call([..., "... $ARG1 ...", ...], ...)
+          - pattern: check_call([..., "$ARG1", ...], ...)
+
           # eval, allow checking for version
           - patterns:
               - pattern-either:
@@ -74,6 +79,10 @@ rules:
           - pattern: popen($ARG1, ...)
           - pattern: popen([..., $ARG1, ...], ...)
 
+          # distutils spawn
+          - pattern: spawn($ARG1, ...)
+          - pattern: $OBJ.spawn($ARG1, ...)
+
           # miscellaneous
           - pattern: os.system($ARG1, ...)
           - pattern: system($ARG1, ...)

guarddog/analyzer/sourcecode/shady-links.yml

@@ -15,20 +15,24 @@ rules:
       - pattern-not-regex: ^\s*"""(.|\n)*?"""\s*$
 
       # Exclude local IPv4 sometimes used in tests
-      - pattern-not-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
+      - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
 
       # Exclude public IPv4 sometimes used in tests
-      - pattern-not-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
+      - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
+
+      # Exclude cloud provider metadata service IPs
+      # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
+      - pattern-not-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(?:169\.254\.\d{1,3}\.\d{1,3}|\[fd00:ec2::254\]))
 
       # ignore discord allowed 
-      - pattern-not-regex: https?:\/\/discord.com\/(invite|oauth2\/authorize)
+      - pattern-not-regex: (?:https?:\/\/)?discord.com\/(invite|oauth2\/authorize)
 
       - patterns:
         - pattern: ("...")
         - pattern-either:
             # complete domains
-            - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
-            - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co)\/)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
+            - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co)\/)
             # top-level domains
             - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
             # IPv4

tests/analyzer/sourcecode/code-execution.py

@@ -196,3 +196,19 @@ def run_file(path):
     # ruleid: code-execution
 	p = subprocess.Popen(f"python {path}",shell=True,stdin=None,stdout=subprocess.PIPE,stderr=subprocess.PIPE,close_fds=True)
 	out, err = p.communicate()
+
+# ruleid: code-execution
+subprocess.check_call(["rm", "-rf", "target_dir"], cwd="/tmp")
+
+# ok: code-execution
+subprocess.check_call(["cmake", "--build", "."])
+
+class install_ext_solibs(install_lib):
+    def run(self):
+        super().run()
+        for wheel in glob.glob("build/bdist.*/wheel"):
+            for solib in os.listdir(wheel):
+                for mext in re.finditer("^([^/]*).cpython.*", solib):
+                    if not mext.group(1) in templates:
+                        # ruleid: code-execution
+                        self.spawn(["rm", "-f", f"{wheel}/{solib}"])

tests/analyzer/sourcecode/shady-links.py

@@ -173,3 +173,6 @@ def f():
     # ok: shady-links
     trackingServiceUrl = 'https//discord.com/invite/u9zUjWbbQ'
 
+def f():
+    # ruleid: shady-links
+    trackingUrl = "qkrfaniquihoswritqaqwbg5r4l072qp7.oast.fun/track"