Merge pull request #431 from DataDog/s.obregoso/improve_shady_links

Improve shady-links rule
DataDog · Jul 31, 2024 · 12ee30d · 12ee30d
2 parents 2de0f93 + f529611
commit 12ee30d
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 9 deletions.
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -5,30 +5,32 @@ rules:
     metadata:
       description: Identify when a package contains an URL to a domain with a suspicious extension
     patterns:
-      # Semgrep not robust enough to ignore comments in lists
-      - pattern-not-regex: \# .*
 
       # ignore comments
+      - pattern-not-regex: ^\s*\# .*
       - pattern-not-regex: ^\s*\/\*(.|\n)*?\*\/\s*$
       - pattern-not-regex: ^\s*\/\/.*$
 
       # ignore docstring
       - pattern-not-regex: ^\s*"""(.|\n)*?"""\s*$
 
       # Exclude local IPv4 sometimes used in tests
-      - pattern-not-regex: (http[s]?:\/\/[^/?#]*(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
+      - pattern-not-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|localhost)
 
       # Exclude public IPv4 sometimes used in tests
-      - pattern-not-regex: (http[s]?:\/\/[^/?#]*(?:1\.1\.1\.1|8\.8\.8\.8))
+      - pattern-not-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:1\.1\.1\.1|8\.8\.8\.8))
 
       - patterns:
         - pattern: ("...")
         - pattern-either:
-            - pattern-regex: (http[s]?:\/\/bit\.ly.*)$
-            - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$
-            - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
-            - pattern-regex: (http[s]?:\/\/[^/?#]*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
-            - pattern-regex: (http[s]?:\/\/[^\n\[/?#]*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
+            # complete domains
+            - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.me)\/)
+            # top-level domains
+            - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
+            # IPv4
+            - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
+            # IPv6
+            - pattern-regex: (http[s]?:\/\/[^\n\[\/\?#"']*?(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
     paths:
       exclude:
         - "*/test/*"

diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
@@ -149,3 +149,23 @@ def f():
       data=json.dumps(data).encode("utf-8", errors="ignore"),
       headers=headers,
   )
+
+  def f():
+    auth_config = KubernetesUserPasswordConfig(
+                username=kube_config.username,
+                password=kube_config.password,
+                server=kube_config.host,
+                certificate_authority=base64.urlsafe_b64encode(
+                    open(kube_config.ssl_ca_cert, "rb").read()
+                ).decode("utf-8")
+                if kube_config.ssl_ca_cert
+                else None,
+                # ok: shady-links
+                cluster_name=kube_config.host.strip("https://").split(":")[0],
+                insecure=kube_config.verify_ssl is False,
+            )
+
+  def f():
+    # ruleid: shady-links
+    trackingServiceUrl = 'https://b.alt-h7-eoj8gqk1.workers.dev/track'
+