
semgrep rules: July 2024 Update #651

Merged
merged 1 commit into from
Jul 10, 2024

Conversation

thypon
Member

@thypon thypon commented Jul 10, 2024

No description provided.


[puLL-Merge] - brave/security-action@651

Description

This PR updates and adds several security-related rules to the Semgrep ruleset. It includes new rules for detecting potential vulnerabilities in Ethereum smart contracts, updates to existing rules for better detection of security issues, and improvements to the accuracy of some rules.

Changes

  1. assets/semgrep_rules/generated/nonfree/audit.yaml:

    • Added a new rule for detecting missing SSL MinVersion in TLS configurations (go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)
    • Added a rule for detecting Intercom Messenger initialization without user hash (javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)
    • Added rules for Django CSRF token and form validation (python.django.security.django-no-csrf-token.django-no-csrf-token and python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)
  2. assets/semgrep_rules/generated/nonfree/vulns.yaml:

    • Updated regex pattern for Facebook access token detection
    • Added new rules for detecting Harness API keys and New Relic insert keys
    • Updated regex pattern for Telegram bot API token detection
    • Improved the math/rand detection rule in Go to include versioned imports
    • Updated messages for SSRF-related rules to improve clarity
  3. assets/semgrep_rules/generated/oss/audit.yaml:

    • Added new rules for detecting potential issues with Ethereum transaction tracing and receipt status checking (trailofbits.go.eth-rpc-tracetransaction.eth-rpc-tracetransaction and trailofbits.go.eth-txreceipt-status.eth-txreceipt-status)
  4. assets/semgrep_rules/generated/oss/others.yaml:

    • Updated the message for the android_hidden_ui rule to provide more context on potential risks and best practices
  5. assets/semgrep_rules/generated/oss/vulns.yaml:

    • Refined the hanging goroutine detection rule to reduce false positives

Security Hotspots

  1. The new Ethereum-related rules (eth-rpc-tracetransaction and eth-txreceipt-status) address potential vulnerabilities in blockchain applications, particularly for bridges and exchanges. These rules help identify areas where transaction data might be mishandled or misinterpreted.

  2. The updated SSRF-related rules provide more accurate detection of potential server-side request forgery vulnerabilities across multiple languages.

  3. The new Django-related rules help identify missing CSRF tokens and improper form validation, which could lead to cross-site request forgery vulnerabilities.

Possible Issues

The changes to the hanging goroutine detection rule in Go might potentially miss some valid cases of hanging goroutines. However, this change was likely made to reduce false positives, so it's a trade-off between detection accuracy and reducing noise.
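The missing-ssl-minversion rule listed above flags Go TLS configurations whose MinVersion is left at zero. The following is an added example, not code from this PR or from brave/security-action: it shows the weak configuration next to the hardened one and a small audit function that mirrors the rule's intent at runtime (the names and the TLS 1.2 floor are this example's assumptions).

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// weakServerConfig is the pattern the missing-ssl-minversion rule reports:
// MinVersion is left at its zero value, so the effective minimum protocol
// version is whatever this Go release's crypto/tls default happens to be.
func weakServerConfig() *tls.Config {
	return &tls.Config{} // constructed example: MinVersion deliberately omitted
}

// hardenedServerConfig pins the minimum version explicitly, which is what
// the rule wants to see.
func hardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

// AuditTLSConfig returns one finding per weakness. An unset MinVersion is the
// condition the Semgrep rule reports; a MinVersion below TLS 1.2 and
// InsecureSkipVerify are additional checks assumed for this example.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not set: falls back to the library default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate verification")
	}
	return findings
}

func main() {
	fmt.Println("weak:", AuditTLSConfig(weakServerConfig()))
	fmt.Println("hardened:", AuditTLSConfig(hardenedServerConfig()))
}
```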

@thypon thypon merged commit c71e711 into main Jul 10, 2024
7 checks passed
@thypon thypon deleted the features/2024july-update branch July 10, 2024 07:51