Lightweight static code analysis with semgrep

  1. Lightweight Static Code Analysis with Semgrep (Nikhil Sahoo)
  2. Whoami
     • Security Software Engineer @ Microsoft
     • Ex-Security Consultant, Deloitte
     • Certs: OSCP, eWPTX, CRTP
     • Acknowledged and received HoFs from multiple orgs: Oracle, Dell, Microsoft, SAP, Sony etc.
     • LinkedIn: https://www.linkedin.com/in/nikhil-sahoo-87204b106/
     • nikhilsahoo.com
  3. Agenda
     • History
     • What is Semgrep?
     • SAST Tools Slider
     • Rule Syntax
     • Writing Rules | Demo
     • Usage
     • Limitations
     • QnA
  4. History: sgrep (syntactic grep)
     • Initially called sgrep/pfff
     • Written by Yoann Padioleau at Facebook for analyzing PHP code
     • Was used to enforce best practices
     • Easy for developers to organize and understand the rules
     • Joined r2c and renamed sgrep to Semgrep
     • Goal was to match based on the semantics of the code
     • Reference: https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey
  5. What is Semgrep?
     • Fast and lightweight static analysis tool to find bugs and enforce code standards.
     • Reference: https://semgrep.dev/
  6. Pros
     • Open source
     • Rules look like the code you already write; no abstract syntax trees or regex wrestling
     • Scans in minutes
     • Does not require a build
     • Hunt bugs at scale
     • Supports many languages
     • Very easy to write custom rules
  7. SAST Slider (figure from https://instagram-engineering.com/static-analysis-at-scale-an-instagram-story-8f498ab71a0c; positions shown: Devskim, Semgrep, CodeQL)
  8. Regex Problems (image: https://www.explainxkcd.com/wiki/images/1/10/perl_problems.png): false positives
  9. Regex Problems
  10. Code is not a string, it's a tree: 🧶 String != 🌲 Tree
  11. Internals (diagram: https://r2c.dev/static/00125f77fba64f5350b367c373c4e849/1132d/semgrep-flow.png)
  12. Rule Syntax: https://semgrep.dev/docs/writing-rules/rule-syntax/
  13. Demo: writing Semgrep rules at https://semgrep.dev/playground/new
  14. Ellipsis
     • Ellipsis operator: "..."
     • Find all PHP command injection functions
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php-command-inj
     • Reference: https://www.stackhawk.com/blog/php-command-injection/
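The solution for slide 14 is only linked, not reproduced on this page, so the following is an added example written for this page (not the speaker's playground rule) of what an ellipsis-based rule for the PHP shell-execution functions looks like. The rule id, message and the decision to exclude hard-coded literal commands are my choices.

```yaml
rules:
  - id: php-shell-execution-call
    languages: [php]
    severity: WARNING
    message: >-
      Call to a shell-execution function. If any argument is derived from
      request data this is OS command injection (CWE-78); pass each argument
      through escapeshellarg() or avoid spawning a shell altogether.
    patterns:
      # "..." between the parentheses stands for any argument list, so
      # system(), system($cmd) and system($cmd, $rc) all match one pattern.
      - pattern-either:
          - pattern: system(...)
          - pattern: exec(...)
          - pattern: shell_exec(...)
          - pattern: passthru(...)
          - pattern: popen(...)
          - pattern: proc_open(...)
      # "..." inside quotes is the string-literal wildcard. A call whose only
      # argument is a hard-coded string cannot be influenced by input, so it is
      # dropped to keep the findings actionable (an assumed triage policy).
      - pattern-not: system("...")
      - pattern-not: exec("...")
      - pattern-not: shell_exec("...")
      - pattern-not: passthru("...")
```

Run it with `semgrep --config php-shell-execution-call.yaml src/`; `semgrep --validate --config php-shell-execution-call.yaml` checks the rule's syntax without scanning anything, and the same YAML can be pasted into the playground linked on slide 13.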
  15. Metavariable
     • Metavariable operator: "$X"
     • Find all user-exploitable PHP preg_replace functions
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-metavariable-pregreplace
     • Reference: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace
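As an added example for slide 15 (written here, not the speaker's rule), two rules that use metavariables for the preg_replace() case from the bitquark reference: an audit rule that catches any pattern argument that is not a literal, and a high-confidence rule in which one metavariable ties an assignment from request data to the later call. Rule ids and messages are mine; the rules rely on Semgrep treating PHP superglobals such as $_GET literally rather than as metavariables, as the PHP rules in semgrep-rules do.

```yaml
rules:
  # Audit rule: any preg_replace() whose pattern is not a string literal.
  - id: php-preg-replace-dynamic-pattern
    languages: [php]
    severity: WARNING
    message: >-
      preg_replace() pattern "$PATTERN" is not a string literal. If an attacker
      controls the pattern they can append the /e modifier (honoured before
      PHP 7.0), which eval()s the replacement; use a fixed pattern, or
      preg_replace_callback() when the replacement has to be dynamic.
    patterns:
      # $PATTERN, $REPLACEMENT and $SUBJECT are metavariables: each binds to the
      # expression in that argument position. The trailing "..." admits the
      # optional $limit and &$count arguments.
      - pattern: preg_replace($PATTERN, $REPLACEMENT, $SUBJECT, ...)
      # A quoted "..." matches any string literal, so calls whose pattern is
      # hard-coded in the source are removed from the results.
      - pattern-not: preg_replace("...", ...)

  # High-confidence rule: the pattern comes straight from the request.
  - id: php-preg-replace-pattern-from-request
    languages: [php]
    severity: ERROR
    message: >-
      preg_replace() pattern $PATTERN is taken directly from request data.
    pattern-either:
      - pattern: preg_replace($_GET[...], ...)
      - pattern: preg_replace($_POST[...], ...)
      - pattern: preg_replace($_REQUEST[...], ...)
      # Because $PATTERN is a single metavariable, the variable assigned here
      # and the one passed to preg_replace() must be the same variable; the
      # statement-level "..." permits any amount of code between the two lines.
      - pattern: |
          $PATTERN = $_GET[...];
          ...
          preg_replace($PATTERN, ...);
      - pattern: |
          $PATTERN = $_POST[...];
          ...
          preg_replace($PATTERN, ...);
      - pattern: |
          $PATTERN = $_REQUEST[...];
          ...
          preg_replace($PATTERN, ...);
```

The message strings interpolate bound metavariables, so each finding names the actual expression that was passed as the pattern.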
  16. Catching attributes
     • Scenario 1: Find all functions vulnerable to CSRF
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-csrf-mvc
     • Scenario 2: Broken access control
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-missing-or-broken-authorization
     • Reference: https://www.stackhawk.com/blog/net-csrf-protection-guide-examples-and-how-to-enable/, https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/dotnet/security/audit/missing-or-broken-authorization.cs
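For slide 16, an added example (mine, not the speaker's two playground rules) showing how C# attributes are written straight into a pattern. It assumes Semgrep's attribute matching, where a method or class that carries extra attributes still matches a pattern listing fewer, and it assumes the project's controllers derive directly from Controller; Semgrep matches syntactically, so a project-specific base class would have to be added to the pattern-inside clauses. Rule ids and messages are mine.

```yaml
rules:
  - id: dotnet-mvc-state-change-without-antiforgery
    languages: [csharp]
    severity: WARNING
    message: >-
      $METHOD accepts a state-changing verb but is not decorated with
      [ValidateAntiForgeryToken], so a forged cross-site form post can invoke it.
    patterns:
      # The attribute is written exactly as in source. A method matches when it
      # carries the listed attribute; other attributes on the same method do not
      # block the match, which is what lets pattern-not below peel off the
      # actions that also carry the anti-forgery attribute.
      - pattern-either:
          - pattern: |
              [HttpPost]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpPut]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpDelete]
              public $RET $METHOD(...) { ... }
      - pattern-not: |
          [ValidateAntiForgeryToken]
          public $RET $METHOD(...) { ... }
      # Only MVC actions are relevant here.
      - pattern-inside: |
          class $CLASS : Controller { ... }
      # A controller-wide opt-in covers all of its actions.
      - pattern-not-inside: |
          [AutoValidateAntiforgeryToken]
          class $CLASS : Controller { ... }

  - id: dotnet-mvc-action-without-authorize
    languages: [csharp]
    severity: WARNING
    message: >-
      $CLASS.$METHOD is reachable without [Authorize] on the method or the
      controller and is not explicitly marked [AllowAnonymous]; confirm that
      anonymous access is intended.
    patterns:
      - pattern: |
          public $RET $METHOD(...) { ... }
      - pattern-inside: |
          class $CLASS : Controller { ... }
      # Class-level authorization covers every action in the controller.
      - pattern-not-inside: |
          [Authorize]
          class $CLASS : Controller { ... }
      - pattern-not-inside: |
          [Authorize(...)]
          class $CLASS : Controller { ... }
      # Method-level authorization, or an explicit opt-out, is also fine.
      - pattern-not: |
          [Authorize]
          public $RET $METHOD(...) { ... }
      - pattern-not: |
          [Authorize(...)]
          public $RET $METHOD(...) { ... }
      - pattern-not: |
          [AllowAnonymous]
          public $RET $METHOD(...) { ... }
```

Note that the bare `[Authorize]` and the parameterised `[Authorize(Roles = ...)]` forms are listed separately; expression-bodied actions (`=> View()`) do not match the `{ ... }` body and would need a further alternative.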
  17. Deep expression
     • Deep expression operator: "<... [your pattern] ...>"
     • Scenario: XML parser allows resolving external resources
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-xmltextreader
     • Reference: https://rules.sonarsource.com/csharp/RSPEC-2755, https://pvs-studio.com/en/blog/posts/csharp/0918/
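An added example for slide 17 (mine, not the linked solution) of the deep expression operator applied to the external-resolution scenario from RSPEC-2755. The rule id and message are mine, and the deep-expression match inside an argument assumes Semgrep descends into C# object initializers when searching the expression.

```yaml
rules:
  - id: dotnet-xml-external-resolution-enabled
    languages: [csharp]
    severity: ERROR
    message: >-
      The XML reader is configured to process DTDs or resolve external
      resources, which enables XML external entity (XXE) attacks. Use
      DtdProcessing.Prohibit and set XmlResolver to null.
    pattern-either:
      # Deep expression operator: "<... X ...>" matches X at any depth inside
      # the enclosing expression, so one pattern covers both
      #   reader.XmlResolver = new XmlUrlResolver();
      # and a wrapped form such as
      #   reader.XmlResolver = Configure(new XmlUrlResolver());
      # without enumerating every wrapper the code base might use.
      - pattern: $OBJ.XmlResolver = <... new XmlUrlResolver(...) ...>;
      # The same idea in an argument position: any reader created from
      # settings that enable DTD parsing, however those settings are built
      # (inline initializer, helper call, ...).
      - pattern: XmlReader.Create(..., <... DtdProcessing.Parse ...>, ...)
      # Plain (non-deep) assignments of the dangerous values.
      - pattern: $OBJ.DtdProcessing = DtdProcessing.Parse;
      - pattern: $OBJ.ProhibitDtd = false;
```

Without the deep-expression form, every wrapper pattern (`Configure(new XmlUrlResolver())`, `cache ?? new XmlUrlResolver()`, and so on) would need its own alternative, which is exactly the enumeration the operator avoids.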
  18. Metavariable regex
     • Scenario: App not validating the expiration time of a JWT
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-jwt-no-expiry
     • Reference: https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/lang/security/ad/jwt-tokenvalidationparameters-no-expiry-validation.cs
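For slide 18, an added example (mine, not the speaker's solution or the semgrep-rules rule it references) in which metavariable-regex lets one pattern cover both lifetime-related properties of TokenValidationParameters. The rule id and message are mine, and the object-initializer alternative assumes Semgrep accepts `...` around an initializer entry.

```yaml
rules:
  - id: dotnet-jwt-lifetime-validation-disabled
    languages: [csharp]
    severity: ERROR
    message: >-
      $PROP = false disables lifetime checking, so an expired JWT is still
      accepted. Leave ValidateLifetime and RequireExpirationTime at their
      default of true in TokenValidationParameters.
    patterns:
      - pattern-either:
          # Property assignment after construction: $OBJ binds the receiver,
          # $PROP binds the member name.
          - pattern: $OBJ.$PROP = false;
          # Object-initializer form; "..." on either side allows any other
          # entries around the one we care about.
          - pattern: |
              new TokenValidationParameters { ..., $PROP = false, ... }
      # metavariable-regex tests the source text bound to $PROP against a
      # regex, so one pattern covers both property names. The anchors matter:
      # without them a property such as ValidateLifetimeCallback would match.
      - metavariable-regex:
          metavariable: $PROP
          regex: ^(ValidateLifetime|RequireExpirationTime)$
```

The first alternative deliberately does not restrict the receiver type; the two property names are specific enough that a type constraint would only cost matches on `options.TokenValidationParameters.ValidateLifetime = false` and similar chained forms.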
  19. Metavariable comparison
     • Scenario: Improper regex timeout
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-regex-dos-infinite-timeout
     • Reference: https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/lang/security/regular-expression-dos/regular-expression-dos-infinite-timeout.cs, https://rules.sonarsource.com/csharp/RSPEC-6444
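An added example for slide 19 (mine, not the linked solution or the semgrep-rules rule) that pairs literal matches for Regex.InfiniteMatchTimeout with metavariable-comparison for timeouts that are finite but too long. The rule id and message are mine, and the 10-second threshold is an assumed policy value.

```yaml
rules:
  - id: dotnet-regex-match-timeout-unbounded
    languages: [csharp]
    severity: WARNING
    message: >-
      Regex built with an infinite or very long match timeout. A pattern with
      nested quantifiers can then be driven into catastrophic backtracking by
      crafted input (ReDoS); use a timeout of a few seconds at most.
    pattern-either:
      # Explicitly infinite timeouts, on the constructor and on the static
      # helpers (Regex.Match, Regex.IsMatch, ...). $METHOD is a metavariable
      # standing for the static method name.
      - pattern: new Regex($PATTERN, $OPTIONS, Regex.InfiniteMatchTimeout)
      - pattern: Regex.$METHOD($INPUT, $PATTERN, $OPTIONS, Regex.InfiniteMatchTimeout)
      # Finite but too long. metavariable-comparison evaluates the expression
      # over the value bound to the metavariable, which therefore has to be a
      # numeric literal at the call site; a timeout computed at runtime is
      # simply not checked by this clause.
      - patterns:
          - pattern: new Regex($PATTERN, $OPTIONS, TimeSpan.FromSeconds($SECONDS))
          - metavariable-comparison:
              metavariable: $SECONDS
              comparison: $SECONDS > 10
      - patterns:
          - pattern: new Regex($PATTERN, $OPTIONS, TimeSpan.FromMilliseconds($MS))
          - metavariable-comparison:
              metavariable: $MS
              comparison: $MS > 10000
```

Nesting `patterns` inside `pattern-either` is what scopes each comparison to its own match; a comparison placed at the top level would apply to every alternative, including the ones that bind no numeric metavariable.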
  20. Taint analysis
     • Scenario: PHP reflected XSS
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php-xss-taint
     • Reference: https://rules.sonarsource.com/php/RSPEC-5131
  21. Pattern-sanitizers
     • Scenario: Path.Combine() path traversal
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-path-combine
     • Reference: https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/
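Slides 20 and 21 both use taint mode, so one added example (mine, not either of the speaker's solutions) serves both: the PHP reflected-XSS rule of slide 20 with sources, sinks and sanitizers, followed by the Path.Combine() rule of slide 21 in which pattern-sanitizers and focus-metavariable do the real work. Rule ids, messages and the choice of sanitizers are mine; the PHP sources again rely on superglobals being matched literally.

```yaml
rules:
  # Slide 20: taint mode. Instead of a syntactic pattern, the rule names where
  # untrusted data enters (sources) and where it is dangerous (sinks); Semgrep
  # follows assignments, concatenation and call arguments inside a function.
  - id: php-reflected-xss
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      Request data reaches an output statement without HTML encoding
      (reflected XSS). Wrap it in htmlspecialchars($v, ENT_QUOTES, 'UTF-8').
    pattern-sources:
      - pattern: $_GET[...]
      - pattern: $_POST[...]
      - pattern: $_REQUEST[...]
      - pattern: $_COOKIE[...]
    pattern-sinks:
      - pattern: echo ...
      - pattern: printf(...)
    # Slide 21: sanitizers. Data that has passed through one of these is
    # considered clean for the sinks above, which removes the false positives
    # a pattern-only rule would raise on output that is already encoded.
    pattern-sanitizers:
      - pattern: htmlspecialchars(...)
      - pattern: htmlentities(...)
      - pattern: intval(...)

  # The Path.Combine() case from slide 21: same mechanism, C# this time.
  - id: dotnet-path-combine-from-request
    languages: [csharp]
    severity: ERROR
    mode: taint
    message: >-
      Request-controlled value reaches Path.Combine(). A rooted second argument
      such as "C:\secret.txt" makes Path.Combine discard the base directory
      entirely, and "..\" segments walk out of it.
    pattern-sources:
      - pattern: Request.Query[...]
      - pattern: Request.Form[...]
      - pattern: Request.QueryString[...]
    pattern-sinks:
      # Only the non-base arguments are sinks: focus-metavariable narrows the
      # sink to $PART, so a trusted base directory in the first position is
      # never reported on its own.
      - patterns:
          - pattern: Path.Combine($BASE, $PART, ...)
          - focus-metavariable: $PART
    pattern-sanitizers:
      # Path.GetFileName() drops every directory component and any root, so the
      # result cannot redirect Path.Combine away from $BASE. It does return ".."
      # for an input of exactly "..", so a final check that
      # Path.GetFullPath(result) starts with the base is still advisable.
      - pattern: Path.GetFileName(...)
```

The sanitizer list is where most tuning happens in practice: too few entries and every already-encoded echo is reported, too many (for example treating `trim()` as a sanitizer) and real flows are silently dropped.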
  22. Generic pattern matching
     • Scenario: Debugging enabled (Web.config)
     • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-net-webconfig-debug
     • Reference: https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled
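An added example for slide 22 (mine, not the linked solution) using generic mode on Web.config. The rule id, message and path filter are mine; pattern-regex is combined with the generic pattern-inside so that the attribute check is case-insensitive.

```yaml
rules:
  - id: aspnet-webconfig-debug-enabled
    # Generic mode: Semgrep has no parser for this file type, so it tokenizes
    # the text and matches token sequences. "..." stands for any run of tokens
    # within a bounded number of lines.
    languages: [generic]
    severity: WARNING
    message: >-
      <compilation debug="true"> is set. Debug mode produces verbose error
      pages (stack traces and source lines) and compiles without optimization;
      it must not ship to production.
    paths:
      include:
        - "*.config"
    patterns:
      # Restrict the search to the compilation element, however many other
      # attributes it carries and whether or not it is self-closing.
      - pattern-inside: <compilation ... >
      # pattern-regex is used for the attribute itself so that the match is
      # case-insensitive and tolerant of spacing (Debug = "True"), which plain
      # generic tokens are not.
      - pattern-regex: (?i)debug\s*=\s*"true"
```

Generic mode is the fallback for formats Semgrep cannot parse; for configuration files it does parse (JSON, YAML, and in newer releases XML) the language-aware mode gives tighter matches and should be preferred.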
  23. Limitation: multi-file analysis (DeepSemgrep)
  24. Usage
     • Semgrep in editors: IntelliJ IDEA (semgrep-idea-plugin), Microsoft Visual Studio Code (semgrep-vscode), Vim (semgrep.vim)
     • CLI
     • Docker
  25. Semgrep on push: https://semgrep.dev/docs/semgrep-ci/overview/
  26. Tools
     • Semgrep: https://github.com/returntocorp/semgrep
     • Semgrep external rules: https://github.com/returntocorp/semgrep-rules
     • Semgrep Playground: https://semgrep.dev/playground
     • CodeQL: https://codeql.github.com/
     • DevSkim: https://github.com/microsoft/DevSkim
  27. References
     • https://semgrep.dev/docs/
     • https://www.youtube.com/watch?v=kb8oo7Wyk84
     • https://youtube.com/watch?v=O5mh8j7-An8
     • https://semgrep.dev/playground/
     • https://rules.sonarsource.com/
     • https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey
     • https://github.com/returntocorp/semgrep-rules
  28. Thank You