From 29fd576d3a3806a7d4b939f4c4f698602732ae2c Mon Sep 17 00:00:00 2001 From: syed zabeer Date: Wed, 29 May 2024 13:37:22 +0530 Subject: [PATCH] rust programing detecterlib added --- .../arithmetic-overflow/compliant.rs | 16 ++++++++ .../arithmetic-overflow/non-compliant.rs | 14 +++++++ .../classic-buffer-overflow/compliant.rs | 13 +++++++ .../classic-buffer-overflow/non-compliant.rs | 13 +++++++ .../compliant.rs | 38 +++++++++++++++++++ .../non-compliant.rs | 33 ++++++++++++++++ rust/src/detectors/file-race-bad/compliant.rs | 20 ++++++++++ .../detectors/file-race-bad/non-compliant.rs | 15 ++++++++ .../compliant.rs | 11 ++++++ .../non-compliant.rs | 11 ++++++ .../improper-error-handling/compliant.rs | 10 +++++ .../improper-error-handling/non-compliant.rs | 10 +++++ .../improper-input-validation/compliant.rs | 15 ++++++++ .../non-compliant.rs | 17 +++++++++ .../compliant.rs | 16 ++++++++ .../non-compliant.rs | 17 +++++++++ .../detectors/incomplete-cleanup/compliant.rs | 20 ++++++++++ .../incomplete-cleanup/non-compliant.rs | 14 +++++++ .../compliant.rs | 17 +++++++++ .../non-compliant.rs | 13 +++++++ .../compliant.rs | 14 +++++++ .../non-compliant.rs | 12 ++++++ .../insecure-connection/compliant.rs | 12 ++++++ .../insecure-connection/non-compliant.rs | 13 +++++++ .../insecure-file-permissions/compliant.rs | 24 ++++++++++++ .../non-compliant.rs | 22 +++++++++++ .../detectors/insecure-hashing/compliant.rs | 10 +++++ .../insecure-hashing/non-compliant.rs | 10 +++++ .../os-command-injection/compliant.rs | 14 +++++++ .../os-command-injection/non-compliant.rs | 18 +++++++++ rust/src/detectors/set-sensitive/compliant.rs | 15 ++++++++ .../detectors/set-sensitive/non-compliant.rs | 13 +++++++ .../thread-safety-violation/compliant.rs | 21 ++++++++++ .../thread-safety-violation/non-compliant.rs | 15 ++++++++ .../throw-exception-with-trace/compliant.rs | 19 ++++++++++ .../non-compliant.rs | 13 +++++++ .../untrusted-data-in-decision/compliant.rs | 10 +++++ .../non-compliant.rs | 10 +++++ .../compliant.rs | 18 +++++++++ .../non-compliant.rs | 9 +++++ .../compliant.rs | 10 +++++ .../non-compliant.rs | 12 ++++++ 42 files changed, 647 insertions(+) create mode 100644 rust/src/detectors/arithmetic-overflow/compliant.rs create mode 100644 rust/src/detectors/arithmetic-overflow/non-compliant.rs create mode 100644 rust/src/detectors/classic-buffer-overflow/compliant.rs create mode 100644 rust/src/detectors/classic-buffer-overflow/non-compliant.rs create mode 100644 rust/src/detectors/deadlock-and-lock-inconsistency/compliant.rs create mode 100644 rust/src/detectors/deadlock-and-lock-inconsistency/non-compliant.rs create mode 100644 rust/src/detectors/file-race-bad/compliant.rs create mode 100644 rust/src/detectors/file-race-bad/non-compliant.rs create mode 100644 rust/src/detectors/improper-certificate-validation/compliant.rs create mode 100644 rust/src/detectors/improper-certificate-validation/non-compliant.rs create mode 100644 rust/src/detectors/improper-error-handling/compliant.rs create mode 100644 rust/src/detectors/improper-error-handling/non-compliant.rs create mode 100644 rust/src/detectors/improper-input-validation/compliant.rs create mode 100644 rust/src/detectors/improper-input-validation/non-compliant.rs create mode 100644 rust/src/detectors/improper-size-of-a-memory-buffer/compliant.rs create mode 100644 rust/src/detectors/improper-size-of-a-memory-buffer/non-compliant.rs create mode 100644 rust/src/detectors/incomplete-cleanup/compliant.rs create mode 100644 rust/src/detectors/incomplete-cleanup/non-compliant.rs create mode 100644 rust/src/detectors/incorrect-conversion-of-numeric-types/compliant.rs create mode 100644 rust/src/detectors/incorrect-conversion-of-numeric-types/non-compliant.rs create mode 100644 rust/src/detectors/inherently-dangerous-function/compliant.rs create mode 100644 rust/src/detectors/inherently-dangerous-function/non-compliant.rs create mode 100644 rust/src/detectors/insecure-connection/compliant.rs create mode 100644 rust/src/detectors/insecure-connection/non-compliant.rs create mode 100644 rust/src/detectors/insecure-file-permissions/compliant.rs create mode 100644 rust/src/detectors/insecure-file-permissions/non-compliant.rs create mode 100644 rust/src/detectors/insecure-hashing/compliant.rs create mode 100644 rust/src/detectors/insecure-hashing/non-compliant.rs create mode 100644 rust/src/detectors/os-command-injection/compliant.rs create mode 100644 rust/src/detectors/os-command-injection/non-compliant.rs create mode 100644 rust/src/detectors/set-sensitive/compliant.rs create mode 100644 rust/src/detectors/set-sensitive/non-compliant.rs create mode 100644 rust/src/detectors/thread-safety-violation/compliant.rs create mode 100644 rust/src/detectors/thread-safety-violation/non-compliant.rs create mode 100644 rust/src/detectors/throw-exception-with-trace/compliant.rs create mode 100644 rust/src/detectors/throw-exception-with-trace/non-compliant.rs create mode 100644 rust/src/detectors/untrusted-data-in-decision/compliant.rs create mode 100644 rust/src/detectors/untrusted-data-in-decision/non-compliant.rs create mode 100644 rust/src/detectors/use-of-uninitialized-variable/compliant.rs create mode 100644 rust/src/detectors/use-of-uninitialized-variable/non-compliant.rs create mode 100644 rust/src/detectors/weak-random-number-generation/compliant.rs create mode 100644 rust/src/detectors/weak-random-number-generation/non-compliant.rs diff --git a/rust/src/detectors/arithmetic-overflow/compliant.rs b/rust/src/detectors/arithmetic-overflow/compliant.rs new file mode 100644 index 0000000..6347916 --- /dev/null +++ b/rust/src/detectors/arithmetic-overflow/compliant.rs @@ -0,0 +1,16 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=arithmetic-overflow@v1.0 defects=0} +// Compliant: Used `checked_add` for adding the numbers + fn compliant() { + let a: u32 = std::u32::MAX; + let b: u32 = 1; + let result = a.checked_add(b); + match result { + Some(val) => println!("Result: {}", val), + None => println!("Addition overflowed"), + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/arithmetic-overflow/non-compliant.rs b/rust/src/detectors/arithmetic-overflow/non-compliant.rs new file mode 100644 index 0000000..a9151f8 --- /dev/null +++ b/rust/src/detectors/arithmetic-overflow/non-compliant.rs @@ -0,0 +1,14 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=arithmetic-overflow@v1.0 defects=1} +// Noncompliant: Operator used to airthmatic operation + fn noncompliant() { + let a: u32 = std::u32::MAX; + let b: u32 = 1; + let result = a + b; + println!("Result: {}", result); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/classic-buffer-overflow/compliant.rs b/rust/src/detectors/classic-buffer-overflow/compliant.rs new file mode 100644 index 0000000..842f4ba --- /dev/null +++ b/rust/src/detectors/classic-buffer-overflow/compliant.rs @@ -0,0 +1,13 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=classic-buffer-overflow@v1.0 defects=0} +// Compliant: The `to_le_bytes` method to convert a `u32` integer to a byte array + fn compliant2() { + let num: u32 = 12345; + let bytes: [u8; 4] = num.to_le_bytes(); + println!("{:?}", bytes); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/classic-buffer-overflow/non-compliant.rs b/rust/src/detectors/classic-buffer-overflow/non-compliant.rs new file mode 100644 index 0000000..b588ad1 --- /dev/null +++ b/rust/src/detectors/classic-buffer-overflow/non-compliant.rs @@ -0,0 +1,13 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=classic-buffer-overflow@v1.0 defects=1} +// Noncompliant: Use of `mem::transmute(num)` + fn noncompliant() { + let num: u32 = 12345; + let bytes: [u8; 4] = unsafe { mem::transmute(num) }; + println!("{:?}", bytes); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/deadlock-and-lock-inconsistency/compliant.rs b/rust/src/detectors/deadlock-and-lock-inconsistency/compliant.rs new file mode 100644 index 0000000..3708c15 --- /dev/null +++ b/rust/src/detectors/deadlock-and-lock-inconsistency/compliant.rs @@ -0,0 +1,38 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=deadlock-and-lock-inconsistency@v1.0 defects=0} + use std::sync::{Arc, Mutex,RwLock}; + use std::sync::atomic::{AtomicUsize, Ordering}; + use std::thread; + + fn compliant() { + // Compliant: using `std::sync` module types `Mutex `, `RwLock` + let data = Arc::new(Mutex::new(0)); + let t1 = { + let data = Arc::clone(&data); + thread::spawn(move || { + let mut data = data.lock().unwrap(); + for _ in 0..1_000_000 { + *data += 1; + } + }) + }; + + let t2 = { + let data = Arc::clone(&data); + thread::spawn(move || { + let mut data = data.lock().unwrap(); + for _ in 0..1_000_000 { + *data -= 1; + } + }) + }; + t1.join().unwrap(); + t2.join().unwrap(); + + println!("Final data value: {:?}", data.lock().unwrap()); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/deadlock-and-lock-inconsistency/non-compliant.rs b/rust/src/detectors/deadlock-and-lock-inconsistency/non-compliant.rs new file mode 100644 index 0000000..e4b43f9 --- /dev/null +++ b/rust/src/detectors/deadlock-and-lock-inconsistency/non-compliant.rs @@ -0,0 +1,33 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=deadlock-and-lock-inconsistency@v1.0 defects=1} + +use std::sync::atomic::{AtomicUsize, Ordering}; +use std::sync::{Arc, Mutex,RwLock}; +use std::thread; + +static COUNTER: AtomicUsize = AtomicUsize::new(0); + fn noncompliant() { + let mut data = 0; + // Noncompliant: Not using sync module types `Mutex `, `RwLock` + let t1 = thread::spawn(move || { + for _ in 0..1_000_000 { + data += 1; + } + }); + + let t2 = thread::spawn(move || { + for _ in 0..1_000_000 { + data -= 1; + } + }); + + t1.join().unwrap(); + t2.join().unwrap(); + + println!("Final data value: {}", data); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/file-race-bad/compliant.rs b/rust/src/detectors/file-race-bad/compliant.rs new file mode 100644 index 0000000..64b5ae9 --- /dev/null +++ b/rust/src/detectors/file-race-bad/compliant.rs @@ -0,0 +1,20 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=file-race-bad@v1.0 defects=0} +// Compliant: Validated symbolic links before removing +fn safe_remove_dir_all(dir_path: &str) { + if let Ok(metadata) = fs::symlink_metadata(dir_path) { + if metadata.file_type().is_dir() { + unix_fs::symlink_metadata(dir_path).map(|metadata| { + if metadata.file_type().is_symlink() { + fs::remove_file(dir_path).unwrap(); + } + }).unwrap(); + fs::remove_dir_all(dir_path).unwrap(); + } + } + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/file-race-bad/non-compliant.rs b/rust/src/detectors/file-race-bad/non-compliant.rs new file mode 100644 index 0000000..b5d23a6 --- /dev/null +++ b/rust/src/detectors/file-race-bad/non-compliant.rs @@ -0,0 +1,15 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=file-race-bad@v1.0 defects=1} +// Noncompliant: Use of `remove_dir_all` without validating symbolic links + +fn vulnerable_remove_dir_all(dir_path: &str) { + if fs::metadata(dir_path).unwrap().is_dir() { + // ruleid: rust-race-condition-remove-dir-all + fs::remove_dir_all(dir_path).unwrap(); + } + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-certificate-validation/compliant.rs b/rust/src/detectors/improper-certificate-validation/compliant.rs new file mode 100644 index 0000000..9be7789 --- /dev/null +++ b/rust/src/detectors/improper-certificate-validation/compliant.rs @@ -0,0 +1,11 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-certificate-validation@v1.0 defects=0} +// Compliant: ssl verification is enabled +use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; +let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); +connector.builder_mut().set_verify(SSL_VERIFY_PEER); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-certificate-validation/non-compliant.rs b/rust/src/detectors/improper-certificate-validation/non-compliant.rs new file mode 100644 index 0000000..6a1ec16 --- /dev/null +++ b/rust/src/detectors/improper-certificate-validation/non-compliant.rs @@ -0,0 +1,11 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-certificate-validation@v1.0 defects=1} +// Noncompliant: ssl verification is disabled +use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; +let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); +connector.builder_mut().set_verify(SSL_VERIFY_NONE); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-error-handling/compliant.rs b/rust/src/detectors/improper-error-handling/compliant.rs new file mode 100644 index 0000000..1ae5b1c --- /dev/null +++ b/rust/src/detectors/improper-error-handling/compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-error-handling@v1.0 defects=0} +// Compliant: `?` operator enables more structured and graceful error handling + let mut f = std::fs::File::open(filename)?; + let mut buf = Vec::new(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-error-handling/non-compliant.rs b/rust/src/detectors/improper-error-handling/non-compliant.rs new file mode 100644 index 0000000..43389b2 --- /dev/null +++ b/rust/src/detectors/improper-error-handling/non-compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-error-handling@v1.0 defects=1} +// Noncompliant: Usage of `unwrap()` to handle the result of `File::open()` + let mut f = std::fs::File::open("../monsterdata_test.mon").unwrap(); + let mut buf = Vec::new(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-input-validation/compliant.rs b/rust/src/detectors/improper-input-validation/compliant.rs new file mode 100644 index 0000000..385c95f --- /dev/null +++ b/rust/src/detectors/improper-input-validation/compliant.rs @@ -0,0 +1,15 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-input-validation@v1.0 defects=0} +// Compliant: Used `from_utf8` to get valid UTF-8 data + + let input_bytes: &[u8] = b"Hello, world!"; + + fn process_input(input_bytes: &[u8]) -> Result<&str, str::Utf8Error> { + let input_str = str::from_utf8(input_bytes)?; + Ok(input_str) + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-input-validation/non-compliant.rs b/rust/src/detectors/improper-input-validation/non-compliant.rs new file mode 100644 index 0000000..573f1ea --- /dev/null +++ b/rust/src/detectors/improper-input-validation/non-compliant.rs @@ -0,0 +1,17 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-input-validation@v1.0 defects=1} +// Noncompliant: from_utf8_unchecked can cause invalid UTF-8 data + +use std::str; + + let input_bytes: &[u8] = b"Hello, world! \xF0"; + fn process_input_unchecked(input_bytes: &[u8]) -> &str { + unsafe { + str::from_utf8_unchecked(input_bytes); + } + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-size-of-a-memory-buffer/compliant.rs b/rust/src/detectors/improper-size-of-a-memory-buffer/compliant.rs new file mode 100644 index 0000000..1fcdd94 --- /dev/null +++ b/rust/src/detectors/improper-size-of-a-memory-buffer/compliant.rs @@ -0,0 +1,16 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-size-of-a-memory-buffer@v1.0 defects=0} +// Compliant: Buffer initialized with size + +fn compliant(file_path: &str, buffer: &mut Vec) -> io::Result<()>{ + let mut file = File::open(file_path)?; + let file_size = file.metadata()?.len() as usize; + buffer.reserve(file_size); + file.read_to_end(buffer)?; + Ok(()) + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/improper-size-of-a-memory-buffer/non-compliant.rs b/rust/src/detectors/improper-size-of-a-memory-buffer/non-compliant.rs new file mode 100644 index 0000000..4d9ebcd --- /dev/null +++ b/rust/src/detectors/improper-size-of-a-memory-buffer/non-compliant.rs @@ -0,0 +1,17 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=improper-size-of-a-memory-buffer@v1.0 defects=1} +// Noncompliant: Buffer is not initialized with size + +use std::fs::File; +use std::io::{self,Read}; + + fn nonCompliant(file_path: &str, buffer: &mut Vec) -> io::Result<()>{ + let mut file = File::open(file_path)?; + file.read_to_end(buffer)?; + Ok(()) + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/incomplete-cleanup/compliant.rs b/rust/src/detectors/incomplete-cleanup/compliant.rs new file mode 100644 index 0000000..a469051 --- /dev/null +++ b/rust/src/detectors/incomplete-cleanup/compliant.rs @@ -0,0 +1,20 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=incomplete-cleanup@v1.0 defects=0} +// Compliant: `match` statement to handle the result of the `TcpListener::bind("127.0.0.1:8080")` operation + +use std::net::{TcpListener, TcpStream}; + + fn compliant() { + let listener = match TcpListener::bind("127.0.0.1:8080") { + Ok(listener) => listener, + Err(e) => { + eprintln!("Failed to bind: {}", e); + return; + } + }; + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/incomplete-cleanup/non-compliant.rs b/rust/src/detectors/incomplete-cleanup/non-compliant.rs new file mode 100644 index 0000000..fec5bde --- /dev/null +++ b/rust/src/detectors/incomplete-cleanup/non-compliant.rs @@ -0,0 +1,14 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=incomplete-cleanup@v1.0 defects=1} +// Noncompliant: Calling `unwrap()` will cause the program to panic immediately + +use std::net::{TcpListener, TcpStream}; + + fn noncompliant() { + let listener = TcpListener::bind("127.0.0.1:8080").unwrap(); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/incorrect-conversion-of-numeric-types/compliant.rs b/rust/src/detectors/incorrect-conversion-of-numeric-types/compliant.rs new file mode 100644 index 0000000..c74fe32 --- /dev/null +++ b/rust/src/detectors/incorrect-conversion-of-numeric-types/compliant.rs @@ -0,0 +1,17 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ + + // {fact rule=incorrect-conversion-of-numeric-types@v1.0 defects=0} + // Compliant: verify that the resulting rounded value + fn try_floor_u64(value: f64) -> Option { + let mut rug_float = rug::Float::with_val(53, value); + rug_float = rug_float.floor(); + if rug_float >= 0.0 && rug_float <= u64::MAX as f64 { + Some(rug_float.to_u64().unwrap()) + } else { + None + } +} + // {/fact} \ No newline at end of file diff --git a/rust/src/detectors/incorrect-conversion-of-numeric-types/non-compliant.rs b/rust/src/detectors/incorrect-conversion-of-numeric-types/non-compliant.rs new file mode 100644 index 0000000..df444d2 --- /dev/null +++ b/rust/src/detectors/incorrect-conversion-of-numeric-types/non-compliant.rs @@ -0,0 +1,13 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ + + // {fact rule=incorrect-conversion-of-numeric-types@v1.0 defects=1} + // Noncompliant: not verify that the resulting rounded value + + fn try_round_u64(value: f64) -> Option { + Some(value.round() as u64) +} + + // {/fact} \ No newline at end of file diff --git a/rust/src/detectors/inherently-dangerous-function/compliant.rs b/rust/src/detectors/inherently-dangerous-function/compliant.rs new file mode 100644 index 0000000..322e115 --- /dev/null +++ b/rust/src/detectors/inherently-dangerous-function/compliant.rs @@ -0,0 +1,14 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=inherently-dangerous-function@v1.0 defects=0} +// Compliant: attempts to prevent dereferencing a null pointer +unsafe fn compliant2() { + let ptr: *const i32 = std::ptr::null(); + if !ptr.is_null() { + let val = unsafe { *ptr }; + } +} +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/inherently-dangerous-function/non-compliant.rs b/rust/src/detectors/inherently-dangerous-function/non-compliant.rs new file mode 100644 index 0000000..5e5270f --- /dev/null +++ b/rust/src/detectors/inherently-dangerous-function/non-compliant.rs @@ -0,0 +1,12 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=inherently-dangerous-function@v1.0 defects=1} +// Noncompliant: A raw null pointer without pointing to any valid memory location. +unsafe fn noncompliant() { + let ptr: *const i32 = std::ptr::null(); + let val = unsafe { *ptr }; +} +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-connection/compliant.rs b/rust/src/detectors/insecure-connection/compliant.rs new file mode 100644 index 0000000..367ee92 --- /dev/null +++ b/rust/src/detectors/insecure-connection/compliant.rs @@ -0,0 +1,12 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-connection@v1.0 defects=0} +// Compliant: Used suppaftp for connection +use suppaftp::FtpStream; + + let mut ftp_stream = FtpStream::connect("example.com").unwrap(); + ftp_stream.login("anonymous", "me@example.com").unwrap(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-connection/non-compliant.rs b/rust/src/detectors/insecure-connection/non-compliant.rs new file mode 100644 index 0000000..67b8e70 --- /dev/null +++ b/rust/src/detectors/insecure-connection/non-compliant.rs @@ -0,0 +1,13 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-connection@v1.0 defects=1} + +use ftp::{FtpError, FtpStream}; +use std::{io::Cursor, str}; +// Noncompliant: ftp crate is not maintained any more + let mut ftp_stream = FtpStream::connect((addr, 21)).unwrap(); + let _ = ftp_stream.login("Doe", "mumble").unwrap(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-file-permissions/compliant.rs b/rust/src/detectors/insecure-file-permissions/compliant.rs new file mode 100644 index 0000000..e5026e0 --- /dev/null +++ b/rust/src/detectors/insecure-file-permissions/compliant.rs @@ -0,0 +1,24 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-file-permissions@v1.0 defects=0} +// Compliant: Permission check added before file operations + + fn compliant() -> io::Result<()> { + let file_path = PathBuf::from("example.txt"); + if !file_path.exists() || file_path.metadata()?.permissions().mode() & 0o222 != 0 { + //ok: rust-account-writable-check + let file = OpenOptions::new().write(true).create(true).open(&file_path)?; + if let Err(e) = writeln!(file, "This is some data.") { + eprintln!("Error writing to file: {}", e); + } else { + println!("Data written successfully!"); + } + } else { + eprintln!("Error: You do not have permission to write to the file at {:?}", file_path); + } + Ok(()) + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-file-permissions/non-compliant.rs b/rust/src/detectors/insecure-file-permissions/non-compliant.rs new file mode 100644 index 0000000..71d8990 --- /dev/null +++ b/rust/src/detectors/insecure-file-permissions/non-compliant.rs @@ -0,0 +1,22 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-file-permissions@v1.0 defects=1} +// Noncompliant: No permission check before file operation + + fn noncompliant() -> io::Result<()> { + let dir_path = "/etc/"; + let file_name = "new_file.txt"; + let file_path = format!("{}{}", dir_path, file_name); + let file = OpenOptions::new().write(true).create(true).open(file_path)?; + if let Err(e) = writeln!(file, "Sensitive data!") { + eprintln!("Error writing to file: {}", e); + } else { + println!("Data written successfully!"); + } + Ok(()) + } + +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-hashing/compliant.rs b/rust/src/detectors/insecure-hashing/compliant.rs new file mode 100644 index 0000000..9c54182 --- /dev/null +++ b/rust/src/detectors/insecure-hashing/compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-hashing@v1.0 defects=0} +// Compliant: secured hasing algorithm `Sha256` used + use sha256::{Sha256}; + let mut hasher = Sha256::new(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/insecure-hashing/non-compliant.rs b/rust/src/detectors/insecure-hashing/non-compliant.rs new file mode 100644 index 0000000..24ee202 --- /dev/null +++ b/rust/src/detectors/insecure-hashing/non-compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=insecure-hashing@v1.0 defects=1} +// Noncompliant: Insecure hashing algorithm `Md2` used + use md2::{Md2}; + let mut hasher = Md2::new(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/os-command-injection/compliant.rs b/rust/src/detectors/os-command-injection/compliant.rs new file mode 100644 index 0000000..61e0bea --- /dev/null +++ b/rust/src/detectors/os-command-injection/compliant.rs @@ -0,0 +1,14 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=os-command-injection@v1.0 defects=0} +// Compliant: string arguments instead of user input + fn compliant2() { + let output = Command::new("ls") + .arg("-l") + .output() + .expect("failed to execute process"); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/os-command-injection/non-compliant.rs b/rust/src/detectors/os-command-injection/non-compliant.rs new file mode 100644 index 0000000..4e6d86c --- /dev/null +++ b/rust/src/detectors/os-command-injection/non-compliant.rs @@ -0,0 +1,18 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=os-command-injection@v1.0 defects=1} +// Noncompliant: User input without proper validation + fn noncompliant() { + println!("Enter a command:"); + let mut input = String::new(); + io::stdin().read_line(&mut input).expect("Failed to read input"); + let output = Command::new("sh") + .arg("-c") + .arg(input.trim()) + .output() + .expect("failed to execute process"); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/set-sensitive/compliant.rs b/rust/src/detectors/set-sensitive/compliant.rs new file mode 100644 index 0000000..bf73027 --- /dev/null +++ b/rust/src/detectors/set-sensitive/compliant.rs @@ -0,0 +1,15 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + + +use reqwest::header; +use reqwest::{blocking::Client, header::HeaderMap, header::HeaderValue, Url}; +// {fact rule=set-sensitive@v1.0 defects=0} +// Compliant: set sensitive set to true + let mut headers = header::HeaderMap::new(); + let header = header::HeaderValue::from_static("secret"); + header.set_sensitive(true); + headers.insert(header::AUTHORIZATION, header); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/set-sensitive/non-compliant.rs b/rust/src/detectors/set-sensitive/non-compliant.rs new file mode 100644 index 0000000..8e0e694 --- /dev/null +++ b/rust/src/detectors/set-sensitive/non-compliant.rs @@ -0,0 +1,13 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=set-sensitive@v1.0 defects=1} +use reqwest::header; +use reqwest::{blocking::Client, header::HeaderMap, header::HeaderValue, Url}; +// Noncompliant: set sensitive not been set to true + let mut headers = header::HeaderMap::new(); + let header = header::HeaderValue::from_static("secret"); + headers.insert(header::AUTHORIZATION, header); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/thread-safety-violation/compliant.rs b/rust/src/detectors/thread-safety-violation/compliant.rs new file mode 100644 index 0000000..2ce0316 --- /dev/null +++ b/rust/src/detectors/thread-safety-violation/compliant.rs @@ -0,0 +1,21 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=thread-safety-violation@v1.0 defects=0} +// Compliant: Using synchronous contexts `tokio::fs` and `tokio::net` + +use tokio::fs; +use tokio::task; + +async fn write_file_blocking(file_path: &str, content: &str) -> Result<(), std::io::Error> { + task::spawn_blocking(move || { + fs::write(file_path, content) + }) + .await + .unwrap()?; + + Ok(()) +} +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/thread-safety-violation/non-compliant.rs b/rust/src/detectors/thread-safety-violation/non-compliant.rs new file mode 100644 index 0000000..bcfebd4 --- /dev/null +++ b/rust/src/detectors/thread-safety-violation/non-compliant.rs @@ -0,0 +1,15 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=thread-safety-violation@v1.0 defects=1} +// Noncompliant: Using asynchronous contexts `std::fs` and `std::net` +use std::fs; + +async fn write_to_file_blocking(file_path: &str, content: &str) { + task::spawn_blocking(move || { + fs::write(file_path, content).unwrap(); + }).await.unwrap(); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/throw-exception-with-trace/compliant.rs b/rust/src/detectors/throw-exception-with-trace/compliant.rs new file mode 100644 index 0000000..7885041 --- /dev/null +++ b/rust/src/detectors/throw-exception-with-trace/compliant.rs @@ -0,0 +1,19 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=throw-exception-with-trace@v1.0 defects=0} +// Compliant: `match` expression to handle `Result` values + + fn compliant() { + let result: Result = Ok(42); + match result { + Ok(value) => { + println!("Value: {}", value); + } + Err(error_message) => { + eprintln!("Error occurred: {}", error_message); + } + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/throw-exception-with-trace/non-compliant.rs b/rust/src/detectors/throw-exception-with-trace/non-compliant.rs new file mode 100644 index 0000000..3f3863c --- /dev/null +++ b/rust/src/detectors/throw-exception-with-trace/non-compliant.rs @@ -0,0 +1,13 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=throw-exception-with-trace@v1.0 defects=1} +// Noncompliant: The `expect` method on a `Result` type to extract the value from an `Ok + fn noncompliant() { + let result: Result = Ok(42); + let value = result.expect("Error occurred"); + println!("Value: {}", value); + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/untrusted-data-in-decision/compliant.rs b/rust/src/detectors/untrusted-data-in-decision/compliant.rs new file mode 100644 index 0000000..8dd2dd9 --- /dev/null +++ b/rust/src/detectors/untrusted-data-in-decision/compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=untrusted-data-in-decision@v1.0 defects=0} +// Compliant: secured hasing algorithm `Sha256` used + use clap::App; + let matches = App::new("MyApp"); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/untrusted-data-in-decision/non-compliant.rs b/rust/src/detectors/untrusted-data-in-decision/non-compliant.rs new file mode 100644 index 0000000..b321d03 --- /dev/null +++ b/rust/src/detectors/untrusted-data-in-decision/non-compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=untrusted-data-in-decision@v1.0 defects=1} +// Noncompliant: Insecure hashing algorithm `Md2` used + use std::env; + let args = env::args(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/use-of-uninitialized-variable/compliant.rs b/rust/src/detectors/use-of-uninitialized-variable/compliant.rs new file mode 100644 index 0000000..b7fc633 --- /dev/null +++ b/rust/src/detectors/use-of-uninitialized-variable/compliant.rs @@ -0,0 +1,18 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=use-of-uninitialized-variable@v1.0 defects=0} +// Compliant: `MaybeUninit` and following proper initialization procedures within an `unsafe` block +use std::mem::MaybeUninit; + + fn compliant() { + let mut value = MaybeUninit::::uninit(); + unsafe { + value.as_mut_ptr().write(0); + let value = value.assume_init(); + println!("Value: {}", value); + } + } +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/use-of-uninitialized-variable/non-compliant.rs b/rust/src/detectors/use-of-uninitialized-variable/non-compliant.rs new file mode 100644 index 0000000..8fdef77 --- /dev/null +++ b/rust/src/detectors/use-of-uninitialized-variable/non-compliant.rs @@ -0,0 +1,9 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=use-of-uninitialized-variable@v1.0 defects=1} +// Noncompliant: The `std::mem::uninitialized()` function was deprecated in Rust + let value: i32 = std::mem::uninitialized(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/weak-random-number-generation/compliant.rs b/rust/src/detectors/weak-random-number-generation/compliant.rs new file mode 100644 index 0000000..de2485a --- /dev/null +++ b/rust/src/detectors/weak-random-number-generation/compliant.rs @@ -0,0 +1,10 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=weak-random-number-generation@v1.0 defects=0} +// Compliant: Secure random number generators + let key = ring::aead::LessSafeKey::new(unbound_key); + let rng = ring::rand::SystemRandom::new(); +// {/fact} \ No newline at end of file diff --git a/rust/src/detectors/weak-random-number-generation/non-compliant.rs b/rust/src/detectors/weak-random-number-generation/non-compliant.rs new file mode 100644 index 0000000..8b7fb80 --- /dev/null +++ b/rust/src/detectors/weak-random-number-generation/non-compliant.rs @@ -0,0 +1,12 @@ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ + +// {fact rule=weak-random-number-generation@v1.0 defects=1} +// Noncompliant: Weak random number generators `seed_from_u64` + let mut rng = StdRng::seed_from_u64(42); + for _ in 0..10 { + let random_number: u32 = rng.gen(); + } +// {/fact} \ No newline at end of file