├── Puma.Security.Rules.Vsix
    ├── logo-200x200.png
    ├── packages.config
    └── Publish
    │   └── Production
    │       ├── publishManifest.json
    │       └── overview.md
├── Puma.Security.Rules.Vsix.VS2017
    ├── logo-200x200.png
    ├── packages.config
    └── Publish
    │   └── Production
    │       ├── publishManifest.json
    │       └── overview.md
├── Puma.Security.Rules.Vsix.VS2022
    ├── packages.config
    ├── Publish
    │   └── Production
    │   │   ├── publishManifest.json
    │   │   └── overview.md
    └── Properties
    │   └── AssemblyInfo.cs
├── Puma.Security.Rules.Shared
    ├── PumaAppBuilder.cs
    ├── Analyzer
    │   ├── Core
    │   │   ├── BaseMarkupFileAnalyzer.cs
    │   │   ├── Factories
    │   │   │   ├── IBinaryFormatterExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IAttributeVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IInvocationExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IAssignmentExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IObjectCreationExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IArgumentVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IIdentifierNameVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── ILocalDeclarationStatementVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── ArgumentVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── AttributeVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── IdentifierNameVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── LocalDeclarationStatementVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── BinaryFormatterExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── InvocationExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   ├── AssignmentExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   └── ObjectCreationExpressionVulnerableSyntaxNodeFactory.cs
    │   │   ├── ISafeSyntaxTypeAnalyzer.cs
    │   │   ├── ISanitizedSourceAnalyzer.cs
    │   │   ├── ISanitizedFieldSymbolAnalyzer.cs
    │   │   ├── ISanitizedLocalSymbolAnalyzer.cs
    │   │   ├── ISanitizedMethodSymbolAnalyzer.cs
    │   │   ├── ISanitizedPropertySymbolAnalyzer.cs
    │   │   ├── ISanitizedParameterSymbolAnalyzer.cs
    │   │   ├── QueryExpressionSyntaxAnalyzer.cs
    │   │   ├── ICleansedMethodsProvider.cs
    │   │   ├── ISyntaxNodeAnalyzer.cs
    │   │   ├── BaseConfigurationFileAnalyzer.cs
    │   │   ├── BaseSyntaxNodeAnalyzer.cs
    │   │   ├── LiteralExpressionSyntaxAnalyzer.cs
    │   │   ├── BaseSemanticAnalyzer.cs
    │   │   ├── SyntaxNodeAnalyzer.cs
    │   │   ├── BinaryExpressionSyntaxAnalyzer.cs
    │   │   ├── ConditionalExpressionSyntaxAnalyzer.cs
    │   │   └── Specialized
    │   │   │   └── IsArgumentOnlyExpression.cs
    │   ├── ICompilationAnalyzer.cs
    │   ├── IAdditionalTextAnalyzer.cs
    │   ├── Validation
    │   │   ├── Csrf
    │   │   │   └── Core
    │   │   │   │   └── IAntiForgeryTokenExpressionAnalyzer.cs
    │   │   ├── RequestValidation
    │   │   │   └── Core
    │   │   │   │   ├── IAllowHtmlExpressionAnalyzer.cs
    │   │   │   │   ├── IValidateInputExpressionAnalyzer.cs
    │   │   │   │   └── AllowHtmlExpressionAnalyzer.cs
    │   │   ├── Path
    │   │   │   └── Core
    │   │   │   │   ├── IFileOpenExpressionAnalyzer.cs
    │   │   │   │   ├── IFileReadExpressionAnalyzer.cs
    │   │   │   │   ├── IFileWriteExpressionAnalyzer.cs
    │   │   │   │   ├── IFileDeleteExpressionAnalyzer.cs
    │   │   │   │   ├── IFileStreamExpressionAnalyzer.cs
    │   │   │   │   ├── IMvcFileResultExpressionAnalyzer.cs
    │   │   │   │   └── FileStreamExpressionAnalyzer.cs
    │   │   ├── Redirect
    │   │   │   └── Core
    │   │   │   │   ├── IMvcRedirectExpressionAnalyzer.cs
    │   │   │   │   ├── IResponseRedirectExpressionAnalyzer.cs
    │   │   │   │   ├── MvcRedirectExpressionAnalyzer.cs
    │   │   │   │   └── ResponseRedirectExpressionAnalyzer.cs
    │   │   └── Certificate
    │   │   │   └── Core
    │   │   │       ├── IHttpWebRequestCertificateValidationExpressionAnalyzer.cs
    │   │   │       ├── IWebRequestHandlerCertificateValidationExpressionAnalyzer.cs
    │   │   │       └── IServicePointManagerCertificateValidationExpressionAnalyzer.cs
    │   ├── Crypto
    │   │   └── Core
    │   │   │   ├── IDesExpressionAnalzyer.cs
    │   │   │   ├── IMd5ExpressionAnalzyer.cs
    │   │   │   ├── ISha1ExpressionAnalzyer.cs
    │   │   │   ├── IEcbAssignmentExpressionAnalyzer.cs
    │   │   │   ├── ISystemRandomExpressionAnalyzer.cs
    │   │   │   ├── DesExpressionAnalyzer.cs
    │   │   │   ├── SystemRandomExpressionAnalyzer.cs
    │   │   │   ├── Md5ExpressionAnalyzer.cs
    │   │   │   └── Sha1ExpressionAnalyzer.cs
    │   ├── Configuration
    │   │   ├── Identity
    │   │   │   └── Core
    │   │   │   │   ├── IPasswordValidatorExpressionAnalyzer.cs
    │   │   │   │   └── IPasswordLockoutExpressionAnalyzer.cs
    │   │   └── Cors
    │   │   │   └── Core
    │   │   │       ├── ICorsExpressionAnalyzer.cs
    │   │   │       └── CorsExpressionAnalyzer.cs
    │   ├── AccessControl
    │   │   ├── Authorize
    │   │   │   └── Core
    │   │   │   │   └── IAuthorizeExpressionAnalyzer.cs
    │   │   └── Jwt
    │   │   │   └── Core
    │   │   │       └── IJwtSignatureExpressionAnalyzer.cs
    │   ├── Injection
    │   │   ├── Sql
    │   │   │   └── Core
    │   │   │   │   ├── ISqlCommandObjectCreationExpressionVulnerableSyntaxNodeFactory.cs
    │   │   │   │   ├── ISqlCommandInjectionAssignmentExpressionAnalyzer.cs
    │   │   │   │   ├── ISqlCommandInjectionObjectCreationExpressionAnalyzer.cs
    │   │   │   │   ├── ILinqSqlInjectionExpressionAnalyzer.cs
    │   │   │   │   ├── IEfQueryCommandInjectionExpressionAnalyzer.cs
    │   │   │   │   └── SqlCommandInjectionAssignmentExpressionAnalyzer.cs
    │   │   ├── Xss
    │   │   │   └── Core
    │   │   │   │   ├── ILabelTextAssignmentExpressionAnalyzer.cs
    │   │   │   │   ├── ILiteralTextAssignmentExpressionAnalyzer.cs
    │   │   │   │   ├── IResponseWriteAssignmentExpressionAnalyzer.cs
    │   │   │   │   ├── LabelTextAssignmentExpressionAnalyzer.cs
    │   │   │   │   └── LiteralTextAssignmentExpressionAnalyzer.cs
    │   │   ├── Deserialization
    │   │   │   └── Core
    │   │   │   │   ├── IBinaryFormatterExpressionAnalyzer.cs
    │   │   │   │   └── INewtonsoftJsonTypeNameHandlingExpressionAnalyzer.cs
    │   │   ├── Ldap
    │   │   │   └── Core
    │   │   │   │   ├── ILdapDirectoryEntryPathInjectionExpressionAnalyzer.cs
    │   │   │   │   ├── ILdapDirectoryEntryPathAssignmentInjectionExpressionAnalyzer.cs
    │   │   │   │   ├── ILdapDirectorySearcherFilterAssignmentExpressionAnalyzer.cs
    │   │   │   │   └── ILdapDirectorySearcherCreationExpressionAnalyzer.cs
    │   │   └── Cmd
    │   │   │   └── Core
    │   │   │       ├── IProcessStartInvocationExpressionAnalyzer.cs
    │   │   │       └── IProcessStartInfoCreationExpressionAnalyzer.cs
    │   ├── IConfigurationFileAnalyzer.cs
    │   ├── ISyntaxAnalyzer.cs
    │   └── CompilationAnalyzerExtensions.cs
    ├── Regex
    │   ├── IRegexHelper.cs
    │   ├── WebForms
    │   │   ├── DataBindingExpressionRegexHelper.cs
    │   │   └── ResponseWriteShortHandRegexHelper.cs
    │   ├── Mvc
    │   │   ├── WriteLiteralRegexHelper.cs
    │   │   └── HtmlRawRegexHelper.cs
    │   └── BaseRegexHelper.cs
    ├── Suites
    │   └── Core
    │   │   ├── IAnalyzerSuiteFactory.cs
    │   │   ├── CsrfAnalyzerSuiteFactory.cs
    │   │   ├── CertificateValidationAnalyzerSuiteFactory.cs
    │   │   ├── MvcMarkupAnalyzerSuiteFactory.cs
    │   │   ├── IdentityAnalyzerSuiteFactory.cs
    │   │   ├── CookiesConfigurationAnalyzerSuiteFactory.cs
    │   │   ├── RequestValidationAnalyzerSuiteFactory.cs
    │   │   ├── UnvalidatedRedirectAnalyzerSuiteFactory.cs
    │   │   ├── WebFormsMarkupAnalyzerSuiteFactory.cs
    │   │   ├── SessionStateConfigurationAnalyzerSuiteFactory.cs
    │   │   ├── DeserializationAnalyzerSuiteFactory.cs
    │   │   ├── HttpRuntimeConfigurationAnalyzerSuiteFactory.cs
    │   │   ├── PathTamperingAnalyzerSuiteFactory.cs
    │   │   ├── WebFormsXssAnalyzerSuiteFactory.cs
    │   │   ├── AccessControlAnalyzerSuiteFactory.cs
    │   │   ├── PagesConfigurationAnalyzerSuiteFactory.cs
    │   │   ├── CryptoAnalyzerSuiteFactory.cs
    │   │   ├── SqlInjectionAnalyzerSuiteFactory.cs
    │   │   ├── FormsConfigurationAnalyzerSuiteFactory.cs
    │   │   ├── CommandInjectionAnalyzerSuiteFactory.cs
    │   │   ├── LdapInjectionAnalyzerSuiteFactory.cs
    │   │   └── ConfigurationAnalyzerSuiteFactory.cs
    ├── Core
    │   ├── IPumaCompilationAnalysisReporterService.cs
    │   ├── IPumaSyntaxNodeAnalysisContextReporterService.cs
    │   ├── IAdditionalTextAnalyzerRegisterService.cs
    │   ├── ISyntaxNodeAnalyzerRegisterService.cs
    │   ├── IConfigurationFileAnalyzerRegisterService.cs
    │   ├── PumaSyntaxNodeAnalysisContextReporterService.cs
    │   ├── PumaSyntaxNodeAnalysisContext.cs
    │   ├── PumaCompilationAnalysisContext.cs
    │   ├── PumaAnalysisContext.cs
    │   ├── ConfigurationFiles
    │   │   └── ShouldUpdateConfigurationFile.cs
    │   └── PumaCompilationStartAnalysisContext.cs
    ├── Filters
    │   ├── IFileExtensionFilter.cs
    │   ├── ConfigurationFileFilter.cs
    │   ├── WebFormMarkupFileFilter.cs
    │   └── MvcMarkupFileFilter.cs
    ├── Model
    │   ├── MarkupFile.cs
    │   ├── ConfigurationFile.cs
    │   └── DiagnosticInfo.cs
    ├── Configuration
    │   └── Core
    │   │   └── TaintFlags.cs
    ├── PumaApp.cs
    ├── Common
    │   ├── Extensions
    │   │   ├── ExpressionSyntaxExtensions.cs
    │   │   ├── AssemblyExtensions.cs
    │   │   ├── MethodDeclarationSyntaxExtensions.cs
    │   │   ├── DiagnosticIdExtensions.cs
    │   │   ├── ConfigurationFileExtensions.cs
    │   │   └── SyntaxNodeExtensions.cs
    │   └── Enum.cs
    ├── Diagnostics
    │   ├── DiagnosticFactory.cs
    │   └── SupportedDiagnosticAttribute.cs
    └── Puma.Security.Rules.Shared.shproj
├── Puma.Security.Parser
    ├── Models
    │   ├── ErrorCode.cs
    │   └── Options.cs
    ├── Rules
    │   ├── Models
    │   │   ├── ReportSeverity.cs
    │   │   ├── CommonWeaknessEnumeration.cs
    │   │   ├── Snippet.cs
    │   │   └── DiagnosticSeverity.cs
    │   └── IRuleProvider.cs
    ├── Log
    │   ├── PumaLog.cs
    │   └── PumaLogEntry.cs
    ├── Puma.Security.Parser.csproj
    └── RegexConstants.cs
├── CONTRIBUTING.md
├── docker
    ├── Dockerfile
    └── pumascan.sh
├── Puma.Security.Rules
    └── tools
    │   ├── parser
    │       └── README.md
    │   ├── install.ps1
    │   └── uninstall.ps1
├── Puma.Security.Rules.2017
    └── tools
    │   ├── parser
    │       └── README.md
    │   ├── install.ps1
    │   └── uninstall.ps1
├── Puma.Security.Rules.2022
    └── tools
    │   ├── parser
    │       └── README.md
    │   ├── install.ps1
    │   └── uninstall.ps1
└── Puma.Security.Rules.Test
    └── Puma.Security.Rules.Test.csproj


/Puma.Security.Rules.Vsix/logo-200x200.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pumasecurity/puma-scan/HEAD/Puma.Security.Rules.Vsix/logo-200x200.png


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2017/logo-200x200.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pumasecurity/puma-scan/HEAD/Puma.Security.Rules.Vsix.VS2017/logo-200x200.png


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 |   <package id="Microsoft.VSSDK.VsixSignTool" version="16.2.29116.78" targetFramework="net471" />
4 |   <package id="Microsoft.Web.Xdt" version="3.1.0" targetFramework="net471" />
5 | </packages>


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2022/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 | 	<package id="Microsoft.VSSDK.VsixSignTool" version="16.2.29116.78" targetFramework="net472" />
4 | 	<package id="Microsoft.Web.Xdt" version="3.1.0" targetFramework="net472" />
5 | </packages>


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2017/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 |   <package id="Microsoft.VSSDK.VsixSignTool" version="16.2.29116.78" targetFramework="net471" />
4 |   <package id="Microsoft.Web.Xdt" version="3.1.0" targetFramework="net471" />
5 | </packages>


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/PumaAppBuilder.cs:
--------------------------------------------------------------------------------
 1 | namespace Puma.Security.Rules
 2 | {
 3 |     public class PumaAppBuilder
 4 |     {
 5 |         public PumaAppBuilder()
 6 |         {
 7 | 
 8 |         }
 9 | 
10 |         public PumaApp Build()
11 |         {
12 |             var app = new PumaApp();
13 | 
14 |             return app;
15 |         }
16 |     }
17 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Models/ErrorCode.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.Text;
 4 | 
 5 | namespace Puma.Security.Parser.Models
 6 | {
 7 |     internal enum ErrorCode : int
 8 |     {
 9 |         Success = 0,
10 |         ErrorThreshold = 1,
11 | 
12 |         InvalidArguments = 1000,
13 |         Exception = 1001,
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributor License Agreement
 2 | 
 3 | To get started, [sign the Contributor License Agreement](https://www.clahub.com/agreements/pumasecurity/puma-scan). Then, we'll add you as a contributor.
 4 | 
 5 | # Rules Guide
 6 | 
 7 | Read the Wiki for guidance on building new rules
 8 | 
 9 | # Clone
10 | 
11 | Clone the repo
12 | 
13 | # Pull Request
14 | 
15 | Submit a pull request and we'll take care of the rest.
16 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix/Publish/Production/publishManifest.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json.schemastore.org/vsix-publish",
 3 |   "categories": [ "Coding", "Security" ],
 4 |   "identity": {
 5 |     "internalName": "PumaScan",
 6 |     "displayName": "Puma Scan Community 2019"
 7 |   },
 8 |   "overview": "overview.md",
 9 |   "priceCategory": "free",
10 |   "publisher": "PumaSecurity",
11 |   "private": false,
12 |   "qna": false
13 | }
14 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2017/Publish/Production/publishManifest.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json.schemastore.org/vsix-publish",
 3 |   "categories": [ "Coding", "Security" ],
 4 |   "identity": {
 5 |     "internalName": "PumaScan2017",
 6 |     "displayName": "Puma Scan Community 2017"
 7 |   },
 8 |   "overview": "overview.md",
 9 |   "priceCategory": "free",
10 |   "publisher": "PumaSecurity",
11 |   "private": false,
12 |   "qna": false
13 | }
14 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2022/Publish/Production/publishManifest.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "http://json.schemastore.org/vsix-publish",
 3 |   "categories": [ "Coding", "Security" ],
 4 |   "identity": {
 5 |     "internalName": "PumaScan2022",
 6 |     "displayName": "Puma Scan Community 2022"
 7 |   },
 8 |   "overview": "overview.md",
 9 |   "priceCategory": "free",
10 |   "publisher": "PumaSecurity",
11 |   "private": false,
12 |   "qna": false
13 | }
14 | 


--------------------------------------------------------------------------------
/docker/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM microsoft/dotnet:2.2.2-sdk
 2 | 
 3 | # Create directory for the source code
 4 | RUN mkdir /source
 5 | 
 6 | # Directory for the results
 7 | RUN mkdir /results
 8 | 
 9 | # Directory for the puma tools
10 | RUN mkdir /tools
11 | 
12 | # Install puma into the image
13 | COPY ./Puma.Security.Rules/bin/Release/Puma.Security.Rules.2.3.0.nupkg /tools
14 | COPY ./pumascan.sh /tools
15 | 
16 | WORKDIR /tools
17 | 
18 | # TODO: PASS ARGES FROM DOCKER RUN INTO THIS SCRIPT AS ARGS
19 | ENTRYPOINT ["pumascan.sh", "$ARGS"]


--------------------------------------------------------------------------------
/Puma.Security.Rules/tools/parser/README.md:
--------------------------------------------------------------------------------
 1 | # Puma Scan CLI Parsing Tool
 2 | 
 3 | The Puma.Security.Parser utility to parse MSBuild results and export the Puma Scan findings to alternative data formats. 
 4 | 
 5 | ## Prerequisites
 6 | 
 7 | .NET Core 2.1 must be installed on the machine running the parser.
 8 | 
 9 | ## Command
10 | 
11 | Run the following command to parse MSBuild results and filter down to Puma Scan warnings
12 | 
13 | ```
14 | dotnet "C:\Tools\Puma.Security.Parser\Puma.Security.Parser.dll" --file "%WORKSPACE%\build_warnings.log" --workspace "%WORKSPACE%" --output puma_warnings.log
15 | ```


--------------------------------------------------------------------------------
/Puma.Security.Rules.2017/tools/parser/README.md:
--------------------------------------------------------------------------------
 1 | # Puma Scan CLI Parsing Tool
 2 | 
 3 | The Puma.Security.Parser utility to parse MSBuild results and export the Puma Scan findings to alternative data formats. 
 4 | 
 5 | ## Prerequisites
 6 | 
 7 | .NET Core 2.1 must be installed on the machine running the parser.
 8 | 
 9 | ## Command
10 | 
11 | Run the following command to parse MSBuild results and filter down to Puma Scan warnings
12 | 
13 | ```
14 | dotnet "C:\Tools\Puma.Security.Parser\Puma.Security.Parser.dll" --file "%WORKSPACE%\build_warnings.log" --workspace "%WORKSPACE%" --output puma_warnings.log
15 | ```


--------------------------------------------------------------------------------
/Puma.Security.Rules.2022/tools/parser/README.md:
--------------------------------------------------------------------------------
 1 | # Puma Scan CLI Parsing Tool
 2 | 
 3 | The Puma.Security.Parser utility to parse MSBuild results and export the Puma Scan findings to alternative data formats. 
 4 | 
 5 | ## Prerequisites
 6 | 
 7 | .NET Core 2.1 must be installed on the machine running the parser.
 8 | 
 9 | ## Command
10 | 
11 | Run the following command to parse MSBuild results and filter down to Puma Scan warnings
12 | 
13 | ```
14 | dotnet "C:\Tools\Puma.Security.Parser\Puma.Security.Parser.dll" --file "%WORKSPACE%\build_warnings.log" --workspace "%WORKSPACE%" --output puma_warnings.log
15 | ```


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/BaseMarkupFileAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Analyzer.Core
14 | {
15 |     internal abstract class BaseMarkupFileAnalyzer
16 |     {
17 | 
18 |     }
19 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Rules/Models/ReportSeverity.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | namespace Puma.Security.Parser.Rules.Models
14 | {
15 |     public enum ReportSeverity : int
16 |     {
17 |         None = 0,
18 |         Low = 1,
19 |         Medium = 2,
20 |         High = 3
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Test/Puma.Security.Rules.Test.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk">
 2 | 
 3 |   <PropertyGroup>
 4 |     <TargetFramework>netcoreapp2.0</TargetFramework>
 5 |   </PropertyGroup>
 6 | 
 7 |   <ItemGroup>
 8 |     <PackageReference Include="Microsoft.CodeAnalysis" Version="3.0.0" />
 9 |     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.3.0" />
10 |     <PackageReference Include="MSTest.TestAdapter" Version="1.1.18" />
11 |     <PackageReference Include="MSTest.TestFramework" Version="1.1.18" />
12 |   </ItemGroup>
13 | 
14 |   <ItemGroup>
15 |     <ProjectReference Include="..\Puma.Security.Rules\Puma.Security.Rules.csproj" />
16 |   </ItemGroup>
17 | 
18 | </Project>
19 | 


--------------------------------------------------------------------------------
/Puma.Security.Parser/Log/PumaLog.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | using System.Runtime.Serialization;
15 | 
16 | namespace Puma.Security.Parser.Log
17 | {
18 |     [CollectionDataContract]
19 |     public class PumaLog: List<PumaLogEntry>
20 |     {
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/Puma.Security.Parser/Rules/IRuleProvider.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | using Puma.Security.Parser.Rules.Models;
15 | 
16 | namespace Puma.Security.Parser.Rules
17 | {
18 |     public interface IRuleProvider
19 |     {
20 |         IEnumerable<Rule> GetRules();
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/ICompilationAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Puma.Security.Rules.Core;
14 | 
15 | namespace Puma.Security.Rules.Analyzer
16 | {
17 |     public interface ICompilationAnalyzer
18 |     {
19 |         void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext);
20 |     }
21 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/IRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Text.RegularExpressions;
14 | 
15 | namespace Puma.Security.Rules.Regex
16 | {
17 |     internal interface IRegexHelper
18 |     {
19 |         bool HasMatch(string source);
20 | 
21 |         MatchCollection GetMatches(string source);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IBinaryFormatterExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Analyzer.Core.Factories
14 | {
15 |     internal interface IBinaryFormatterExpressionVulnerableSyntaxNodeFactory : IInvocationExpressionVulnerableSyntaxNodeFactory
16 |     {
17 | 
18 |     }
19 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/IAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Suites.Core
18 | {
19 |     public interface IAnalyzerSuiteFactory
20 |     {
21 |         ImmutableArray<ICompilationAnalyzer> Create();
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IAttributeVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core.Factories
16 | {
17 |     internal interface IAttributeVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<AttributeSyntax>
18 |     {
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISafeSyntaxTypeAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core
16 | {
17 |     internal interface ISafeSyntaxTypeAnalyzer
18 |     {
19 |         bool IsSafeSyntaxType(ISymbol symbol);
20 | 
21 |         bool IsSafeSyntaxType(SymbolInfo symbolInfo);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedSourceAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Puma.Security.Rules.Common;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Core
17 | {
18 |     internal interface ISanitizedSourceAnalyzer
19 |     {
20 |         bool IsSymbolSanitized(SymbolInfo symbolInfo, DiagnosticId ruleId);
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/IPumaCompilationAnalysisReporterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal interface IPumaCompilationAnalysisReporterService
20 |     {
21 |         Action<PumaCompilationAnalysisContext> Report(ISyntaxAnalyzer analyzer);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedFieldSymbolAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISanitizedFieldSymbolAnalyzer
20 |     {
21 |         bool IsSymbolSanitized(IFieldSymbol symbol, DiagnosticId ruleId);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedLocalSymbolAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISanitizedLocalSymbolAnalyzer
20 |     {
21 |         bool IsSymbolSanitized(ILocalSymbol symbol, DiagnosticId ruleId);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedMethodSymbolAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISanitizedMethodSymbolAnalyzer
20 |     {
21 |         bool IsSymbolSanitized(IMethodSymbol symbol, DiagnosticId ruleId);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core.Factories
16 | {
17 |     internal interface IVulnerableSyntaxNodeFactory<in T> where T : SyntaxNode
18 |     {
19 |         VulnerableSyntaxNode Create(T syntaxNode, params string[] messageArgs);
20 |     }
21 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedPropertySymbolAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISanitizedPropertySymbolAnalyzer
20 |     {
21 |         bool IsSymbolSanitized(IPropertySymbol symbol, DiagnosticId ruleId);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/IAdditionalTextAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Concurrent;
14 | 
15 | using Puma.Security.Rules.Model;
16 | 
17 | namespace Puma.Security.Rules.Analyzer
18 | {
19 |     internal interface IAdditionalTextAnalyzer : ICompilationAnalyzer
20 |     {
21 |         ConcurrentStack<DiagnosticInfo> VulnerableAdditionalText { get; }
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/IPumaSyntaxNodeAnalysisContextReporterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal interface IPumaSyntaxNodeAnalysisContextReporterService
20 |     {
21 |         Action<PumaSyntaxNodeAnalysisContext> Report(ISyntaxAnalyzer analyzer);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IInvocationExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core.Factories
16 | {
17 |     internal interface IInvocationExpressionVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<InvocationExpressionSyntax>
18 |     {
19 | 
20 |     }
21 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISanitizedParameterSymbolAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISanitizedParameterSymbolAnalyzer
20 |     {
21 |         bool IsSymbolSanitized(IParameterSymbol symbol, DiagnosticId ruleId);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/QueryExpressionSyntaxAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal class QueryExpressionSyntaxAnalyzer : BaseSyntaxNodeAnalyzer<QueryExpressionSyntax>
21 |     {
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/IAdditionalTextAnalyzerRegisterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.Diagnostics;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal interface IAdditionalTextAnalyzerRegisterService
20 |     {
21 |         void Register(AnalysisContext context, ICompilationAnalyzer analyzer);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/ISyntaxNodeAnalyzerRegisterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.Diagnostics;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal interface ISyntaxNodeAnalyzerRegisterService
20 |     {
21 |         void Register(PumaAnalysisContext context, ICompilationAnalyzer analyzer);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IAssignmentExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core.Factories
16 | {
17 |     internal interface IAssignmentExpressionVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<AssignmentExpressionSyntax>
18 |     {
19 |         
20 |     }
21 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IObjectCreationExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | 
15 | namespace Puma.Security.Rules.Analyzer.Core.Factories
16 | {
17 |     internal interface IObjectCreationExpressionVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<ObjectCreationExpressionSyntax>
18 |     {
19 | 
20 |     }
21 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/IConfigurationFileAnalyzerRegisterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.Diagnostics;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal interface IConfigurationFileAnalyzerRegisterService
20 |     {
21 |         void Register(AnalysisContext context, ICompilationAnalyzer analyzer);
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Filters/IFileExtensionFilter.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | using System.Collections.Immutable;
15 | 
16 | using Microsoft.CodeAnalysis;
17 | 
18 | namespace Puma.Security.Rules.Filters
19 | {
20 |     internal interface IFileExtensionFilter
21 |     {
22 |         IEnumerable<AdditionalText> GetFiles(ImmutableArray<AdditionalText> additionalFiles);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ICleansedMethodsProvider.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | 
15 | using Puma.Security.Rules.Common;
16 | using Puma.Security.Rules.Configuration.Core;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal interface ICleansedMethodsProvider
21 |     {
22 |         IEnumerable<CleanseMethod> GetByRuleId(DiagnosticId id);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/WebForms/DataBindingExpressionRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Regex.WebForms
14 | {
15 |     internal class DataBindingExpressionRegexHelper : BaseRegexHelper
16 |     {
17 |         private const string Regex = "<%#(?!:)(.|\t|\r|\n)+?%>";
18 | 
19 |         protected override string GetExpression()
20 |         {
21 |             return Regex;
22 |         }
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/WebForms/ResponseWriteShortHandRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Regex.WebForms
14 | {
15 |     internal class ResponseWriteShortHandRegexHelper : BaseRegexHelper
16 |     {
17 |         private const string Regex = "<%=(.|\t|\r|\n)+?%>";
18 | 
19 |         protected override string GetExpression()
20 |         {
21 |             return Regex;
22 |         }
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Csrf/Core/IAntiForgeryTokenExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Validation.Csrf.Core
17 | {
18 |     internal interface IAntiForgeryTokenExpressionAnalyzer
19 |     {
20 |         bool IsVulnerable(SemanticModel model, MethodDeclarationSyntax syntax);
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/RequestValidation/Core/IAllowHtmlExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Validation.RequestValidation.Core
17 | {
18 |     internal interface IAllowHtmlExpressionAnalyzer
19 |     {
20 |         bool IsVulnerable(SemanticModel model, AttributeSyntax syntax);
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/RequestValidation/Core/IValidateInputExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Validation.RequestValidation.Core
17 | {
18 |     internal interface IValidateInputExpressionAnalyzer
19 |     {
20 |         bool IsVulnerable(SemanticModel model, AttributeSyntax syntax);
21 |     }
22 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/IDesExpressionAnalzyer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
19 | {
20 |     internal interface IDesExpressionAnalzyer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/IMd5ExpressionAnalzyer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
19 | {
20 |     internal interface IMd5ExpressionAnalzyer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Configuration/Identity/Core/IPasswordValidatorExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Configuration.Identity.Core
18 | {
19 |     internal interface IPasswordValidatorExpressionAnalyzer
20 |     {
21 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/ISha1ExpressionAnalzyer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
19 | {
20 |     internal interface ISha1ExpressionAnalzyer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Model/MarkupFile.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.Text;
17 | 
18 | namespace Puma.Security.Rules.Model
19 | {
20 |     public class MarkupFile
21 |     {
22 |         public AdditionalText Source { get; set; }
23 |         public string Path { get; set; }
24 |         public SourceText Document { get; set; }
25 |         public DateTime Created { get; set; }
26 |     }
27 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/IEcbAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
19 | {
20 |     internal interface IEcbAssignmentExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/AccessControl/Authorize/Core/IAuthorizeExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using System.Collections.Generic;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.AccessControl.Authorize.Core
18 | {
19 |     interface IAuthorizeExpressionAnalyzer
20 |     {
21 |         List<SyntaxNode> IsVulnerable(SemanticModel model, ClassDeclarationSyntax syntax);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Configuration/Identity/Core/IPasswordLockoutExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Configuration.Identity.Core
17 | {
18 |     internal interface IPasswordLockoutExpressionAnalyzer
19 |     {
20 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, out ArgumentSyntax location);
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Configuration/Cors/Core/ICorsExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Configuration.Cors.Core
18 | {
19 |     internal interface ICorsExpressionAnalyzer
20 |     {
21 |         bool IsVulnerable(SemanticModel model, MemberAccessExpressionSyntax syntax, DiagnosticId ruleId);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/ISystemRandomExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
20 | {
21 |     internal interface ISystemRandomExpressionAnalyzer
22 |     {
23 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
24 |     }
25 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IFileOpenExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IFileOpenExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IFileReadExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IFileWriteExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IFileWriteExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IFileReadExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Configuration/Core/TaintFlags.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Generic;
15 | using System.Linq;
16 | using System.Text;
17 | using System.Threading.Tasks;
18 | 
19 | namespace Puma.Security.Rules.Configuration.Core
20 | {
21 |     public enum TaintFlags : int
22 |     {
23 |         None = 0,
24 |         Web = 1,
25 |         Service = 2,
26 |         Database = 3,
27 |         System = 4,
28 |         DataType = 5,
29 |     }
30 | }
31 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IFileDeleteExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IFileDeleteExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/AccessControl/Jwt/Core/IJwtSignatureExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.AccessControl.Jwt.Core
18 | {
19 |     internal interface IJwtSignatureExpressionAnalyzer
20 |     {
21 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IArgumentVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | using System;
15 | using System.Collections.Generic;
16 | using System.Linq;
17 | using System.Text;
18 | using System.Threading.Tasks;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Core.Factories
21 | {
22 |     internal interface IArgumentVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<ArgumentSyntax>
23 |     {
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/ISqlCommandObjectCreationExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | 
15 | using Puma.Security.Rules.Analyzer.Core.Factories;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
18 | {
19 |     internal interface ISqlCommandObjectCreationExpressionVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<ObjectCreationExpressionSyntax>
20 |     {
21 | 
22 |     }
23 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IFileStreamExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IFileStreamExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Redirect/Core/IMvcRedirectExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Redirect.Core
19 | {
20 |     internal interface IMvcRedirectExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Xss/Core/ILabelTextAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Xss.Core
19 | {
20 |     internal interface ILabelTextAssignmentExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Xss/Core/ILiteralTextAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Xss.Core
19 | {
20 |     internal interface ILiteralTextAssignmentExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Xss/Core/IResponseWriteAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Xss.Core
19 | {
20 |     internal interface IResponseWriteAssignmentExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Redirect/Core/IResponseRedirectExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Redirect.Core
19 | {
20 |     internal interface IResponseRedirectExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IIdentifierNameVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | using System;
15 | using System.Collections.Generic;
16 | using System.Linq;
17 | using System.Text;
18 | using System.Threading.Tasks;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Core.Factories
21 | {
22 |     internal interface IIdentifierNameVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<IdentifierNameSyntax>
23 |     {
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/IConfigurationFileAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Concurrent;
14 | using System.Collections.Generic;
15 | 
16 | using Puma.Security.Rules.Model;
17 | 
18 | namespace Puma.Security.Rules.Analyzer
19 | {
20 |     internal interface IConfigurationFileAnalyzer : ICompilationAnalyzer
21 |     {
22 |         IEnumerable<ConfigurationFile> ConfigurationFiles { get; set; }
23 | 
24 |         ConcurrentStack<DiagnosticInfo> VulnerableAdditionalText { get; }
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/PumaApp.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | 
16 | namespace Puma.Security.Rules //Root namespace to make globally available
17 | {
18 |     public class PumaApp
19 |     {
20 |         private static PumaApp _pumaApp;
21 | 
22 |         internal PumaApp()
23 |         {
24 |             this.Id = Guid.NewGuid();
25 | 
26 |             _pumaApp = this;
27 |         }
28 | 
29 |         public Guid Id { get; }
30 | 
31 |         public static PumaApp Instance => _pumaApp;
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Deserialization/Core/IBinaryFormatterExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Deserialization.Core
19 | {
20 |     internal interface IBinaryFormatterExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/ISqlCommandInjectionAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
19 | {
20 |     internal interface ISqlCommandInjectionAssignmentExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Ldap/Core/ILdapDirectoryEntryPathInjectionExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Ldap.Core
19 | {
20 |     internal interface ILdapDirectoryEntryPathInjectionExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/ISqlCommandInjectionObjectCreationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
19 | {
20 |     internal interface ISqlCommandInjectionObjectCreationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/ILocalDeclarationStatementVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp.Syntax;
14 | using System;
15 | using System.Collections.Generic;
16 | using System.Linq;
17 | using System.Text;
18 | using System.Threading.Tasks;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Core.Factories
21 | {
22 |     internal interface ILocalDeclarationStatementVulnerableSyntaxNodeFactory : IVulnerableSyntaxNodeFactory<LocalDeclarationStatementSyntax>
23 |     {
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Deserialization/Core/INewtonsoftJsonTypeNameHandlingExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Deserialization.Core
19 | {
20 |     internal interface INewtonsoftJsonTypeNameHandlingExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Ldap/Core/ILdapDirectoryEntryPathAssignmentInjectionExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Ldap.Core
19 | {
20 |     internal interface ILdapDirectoryEntryPathAssignmentInjectionExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/ILinqSqlInjectionExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
19 | {
20 |     internal interface ILinqSqlInjectionExpressionAnalyzer
21 |     {
22 |         SyntaxNode Source { get; set; }
23 | 
24 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/IMvcFileResultExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
19 | {
20 |     internal interface IMvcFileResultExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 | 
24 |         SyntaxNode Source { get; set; }
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ISyntaxNodeAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal interface ISyntaxNodeAnalyzer
20 |     {
21 |         bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId);
22 | 
23 |         bool CanIgnore(SemanticModel model, SyntaxNode syntax);
24 |     }
25 | 
26 |     internal interface ISyntaxNodeAnalyzer<T> : ISyntaxNodeAnalyzer
27 |     {
28 | 
29 |     }
30 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Ldap/Core/ILdapDirectorySearcherFilterAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Injection.Ldap.Core
20 | {
21 |     internal interface ILdapDirectorySearcherFilterAssignmentExpressionAnalyzer
22 |     {
23 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Certificate/Core/IHttpWebRequestCertificateValidationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Certificate.Core
19 | {
20 |     internal interface IHttpWebRequestCertificateValidationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/IEfQueryCommandInjectionExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
19 | {
20 |     internal interface IEfQueryCommandInjectionExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 | 
24 |         SyntaxNode Source { get; set; }
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Certificate/Core/IWebRequestHandlerCertificateValidationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Certificate.Core
19 | {
20 |     internal interface IWebRequestHandlerCertificateValidationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/BaseConfigurationFileAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Concurrent;
14 | using System.Collections.Generic;
15 | 
16 | using Puma.Security.Rules.Model;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal abstract class BaseConfigurationFileAnalyzer
21 |     {
22 |         public ConcurrentStack<DiagnosticInfo> VulnerableAdditionalText { get; } = new ConcurrentStack<DiagnosticInfo>();
23 | 
24 |         public IEnumerable<ConfigurationFile> ConfigurationFiles { get; set; }
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Certificate/Core/IServicePointManagerCertificateValidationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.Certificate.Core
19 | {
20 |     internal interface IServicePointManagerCertificateValidationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId);
23 |     }
24 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Ldap/Core/ILdapDirectorySearcherCreationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Ldap.Core
19 | {
20 |     internal interface ILdapDirectorySearcherCreationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 | 
24 |         SyntaxNode Source { get; set; }
25 |     }
26 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Cmd/Core/IProcessStartInvocationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using Puma.Security.Rules.Common;
16 | using System.Collections.Generic;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Cmd.Core
19 | {
20 |     internal interface IProcessStartInvocationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId);
23 | 
24 |         List<SyntaxNode> Sources { get; set; }
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Cmd/Core/IProcessStartInfoCreationExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using Puma.Security.Rules.Common;
16 | using System.Collections.Generic;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Injection.Cmd.Core
19 | {
20 |     internal interface IProcessStartInfoCreationExpressionAnalyzer
21 |     {
22 |         bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId);
23 | 
24 |         List<SyntaxNode> Sources { get; set; }
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/ExpressionSyntaxExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.CSharp;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | using System;
16 | using System.Collections.Generic;
17 | using System.Text;
18 | 
19 | namespace Puma.Security.Rules.Common.Extensions
20 | {
21 |     internal static class ExpressionSyntaxExtensions
22 |     {
23 |         internal static bool IsFalse(this ExpressionSyntax syntax)
24 |         {
25 |             return syntax is LiteralExpressionSyntax && syntax?.Kind() == SyntaxKind.FalseLiteralExpression;
26 |         }
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/BaseSyntaxNodeAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal class BaseSyntaxNodeAnalyzer<T> : ISyntaxNodeAnalyzer<T>
20 |     {
21 |         public virtual bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId)
22 |         {
23 |             return false;
24 |         }
25 | 
26 |         public virtual bool CanIgnore(SemanticModel model, SyntaxNode syntax)
27 |         {
28 |             return false;
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/CsrfAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Validation.Csrf;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class CsrfAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new AntiForgeryTokenAnalyzer()
27 |             }.ToImmutableArray();
28 |         }
29 |     }
30 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Diagnostics/DiagnosticFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Puma.Security.Rules.Model;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | 
17 | namespace Puma.Security.Rules.Diagnostics
18 | {
19 |     public interface IDiagnosticFactory
20 |     {
21 |         Diagnostic Create(DiagnosticDescriptor descriptor, DiagnosticInfo info);
22 |     }
23 | 
24 |     public class DiagnosticFactory : IDiagnosticFactory
25 |     {
26 |         public Diagnostic Create(DiagnosticDescriptor descriptor, DiagnosticInfo info)
27 |         {
28 |             return Diagnostic.Create(descriptor, info.Location, info.Args);
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/ISyntaxAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Concurrent;
14 | 
15 | using Microsoft.CodeAnalysis.CSharp;
16 | using Microsoft.CodeAnalysis.Diagnostics;
17 | 
18 | using Puma.Security.Rules.Analyzer.Core;
19 | using Puma.Security.Rules.Common;
20 | 
21 | namespace Puma.Security.Rules.Analyzer
22 | {
23 |     internal interface ISyntaxAnalyzer : ICompilationAnalyzer
24 |     {
25 |         SyntaxKind SinkKind { get; }
26 | 
27 |         ConcurrentStack<VulnerableSyntaxNode> VulnerableSyntaxNodes { get; }
28 | 
29 |         void GetSinks(SyntaxNodeAnalysisContext context, DiagnosticId ruleId);
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/PumaSyntaxNodeAnalysisContextReporterService.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal class PumaSyntaxNodeAnalysisContextReporterService : IPumaSyntaxNodeAnalysisContextReporterService
20 |     {
21 |         public Action<PumaSyntaxNodeAnalysisContext> Report(ISyntaxAnalyzer analyzer)
22 |         {
23 |             return c =>
24 |             {
25 |                 var syntaxContext = c.RosylnContext;
26 |                 analyzer.GetSinks(syntaxContext, c.DiagnosticId);
27 |             };
28 |         }
29 |     }
30 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/PumaSyntaxNodeAnalysisContext.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis.Diagnostics;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     public class PumaSyntaxNodeAnalysisContext
20 |     {
21 |         public SyntaxNodeAnalysisContext RosylnContext { get; }
22 | 
23 |         public DiagnosticId DiagnosticId { get; }
24 | 
25 |         public PumaSyntaxNodeAnalysisContext(DiagnosticId diagnosticId, SyntaxNodeAnalysisContext context)
26 |         {
27 |             this.DiagnosticId = diagnosticId;
28 |             this.RosylnContext = context;
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/ArgumentVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Core.Factories
17 | {
18 |     internal class ArgumentVulnerableSyntaxNodeFactory : IArgumentVulnerableSyntaxNodeFactory
19 |     {
20 |         public VulnerableSyntaxNode Create(ArgumentSyntax syntaxNode, params string[] messageArgs)
21 |         {
22 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
23 | 
24 |             return new VulnerableSyntaxNode(syntaxNode, messageArgs);
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/CertificateValidationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Validation.Certificate;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class CertificateValidationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new CertificateValidationAnalyzer()
27 |             }.ToImmutableArray();
28 |         }
29 |     }
30 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/AttributeVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis.CSharp.Syntax;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core.Factories
18 | {
19 |     internal class AttributeVulnerableSyntaxNodeFactory : IAttributeVulnerableSyntaxNodeFactory
20 |     {
21 |         public VulnerableSyntaxNode Create(AttributeSyntax syntaxNode, params string[] messageArgs)
22 |         {
23 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
24 | 
25 |             return new VulnerableSyntaxNode(syntaxNode, messageArgs);
26 |         }
27 |     }
28 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/MvcMarkupAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Xss;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class MvcMarkupAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new HtmlRawAnalyzer(),
27 |                 new WriteLiteralAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/IdentifierNameVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Analyzer.Core.Factories
17 | {
18 |     internal class IdentifierNameVulnerableSyntaxNodeFactory : IIdentifierNameVulnerableSyntaxNodeFactory
19 |     {
20 |         public VulnerableSyntaxNode Create(IdentifierNameSyntax syntaxNode, params string[] messageArgs)
21 |         {
22 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
23 | 
24 |             return new VulnerableSyntaxNode(syntaxNode, messageArgs);
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/PumaCompilationAnalysisContext.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis.Diagnostics;
16 | 
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Core
20 | {
21 |     public class PumaCompilationAnalysisContext
22 |     {
23 |         public CompilationAnalysisContext RosylnContext { get; }
24 | 
25 |         public DiagnosticId DiagnosticId { get; }
26 | 
27 |         public PumaCompilationAnalysisContext(DiagnosticId diagnosticId, CompilationAnalysisContext context)
28 |         {
29 |             this.DiagnosticId = diagnosticId;
30 |             this.RosylnContext = context;
31 |         }
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/IdentityAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.Identity;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class IdentityAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new PasswordLockoutAnalyzer(),
27 |                 new PasswordValidatorAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/CookiesConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.Cookies;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class CookiesConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new RequireSslAnalyzer(),
27 |                 new HttpOnlyAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/RequestValidationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Validation.RequestValidation;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class RequestValidationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new AllowHtmlAnalyzer(),
27 |                 new ValidateInputAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/UnvalidatedRedirectAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Validation.Redirect;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class UnvalidatedRedirectAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new MvcRedirectAnalyzer(),
27 |                 new ResponseRedirectAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/WebFormsMarkupAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Xss;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class WebFormsMarkupAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new ResponseWriteShortHandAnalyzer(),
27 |                 new DataBindExpressionAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/SessionStateConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.SessionState;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class SessionStateConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new ModeAnalyzer(),
27 |                 new TimeoutAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Rules/Models/CommonWeaknessEnumeration.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | namespace Puma.Security.Parser.Rules.Models
14 | {
15 |     public class CommonWeaknessEnumeration
16 |     {
17 |         public CommonWeaknessEnumeration(string id, string name)
18 |         {
19 |             this.Id = id;
20 |             this.Name = name;
21 |         }
22 | 
23 |         public string Id { get; set; }
24 | 
25 |         public string Name { get; set; }
26 | 
27 |         public string Url => $"https://cwe.mitre.org/data/definitions/{Id}.html";
28 | 
29 |         public CommonWeaknessEnumeration Clone()
30 |         {
31 |             return new CommonWeaknessEnumeration(this.Id, this.Name);
32 |         }
33 |     }
34 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/LiteralExpressionSyntaxAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal class LiteralExpressionSyntaxAnalyzer : BaseSyntaxNodeAnalyzer<LiteralExpressionSyntax>
21 |     {
22 |         public override bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId)
23 |         {
24 |             return true;
25 |         }
26 | 
27 |         public override bool CanIgnore(SemanticModel model, SyntaxNode syntax)
28 |         {
29 |             return true;
30 |         }
31 |     }
32 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Puma.Security.Rules.Shared.shproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <PropertyGroup Label="Globals">
 4 |     <ProjectGuid>c0ce795e-8954-4401-9360-6f69d9493b6f</ProjectGuid>
 5 |     <MinimumVisualStudioVersion>14.0</MinimumVisualStudioVersion>
 6 |   </PropertyGroup>
 7 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 8 |   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.Default.props" />
 9 |   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.props" />
10 |   <PropertyGroup />
11 |   <Import Project="Puma.Security.Rules.Shared.projitems" Label="Shared" />
12 |   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.CSharp.targets" />
13 | </Project>
14 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/DeserializationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Deserialization;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class DeserializationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new BinaryFormatterAnalyzer(),
27 |                 new NewtonsoftJsonTypeNameHandlingAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/HttpRuntimeConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.HttpRuntime;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class HttpRuntimeConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new HeaderCheckingAnalyzer(),
27 |                 new VersionHeaderAnalyzer()
28 |             }.ToImmutableArray();
29 |         }
30 |     }
31 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/PathTamperingAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Validation.Path;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class PathTamperingAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new FilePathResultAnalyzer(),
27 |                 new FileStreamAnalyzer(),
28 |                 new IOFileAnalyzer()
29 |             }.ToImmutableArray();
30 |         }
31 |     }
32 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/WebFormsXssAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Xss;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class WebFormsXssAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new LiteralTextAnalyzer(),
27 |                 new LabelTextAnalyzer(),
28 |                 new ResponseWriteAnalyzer()
29 |             }.ToImmutableArray();
30 |         }
31 |     }
32 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/LocalDeclarationStatementVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis.CSharp.Syntax;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core.Factories
18 | {
19 |     internal class LocalDeclarationStatementVulnerableSyntaxNodeFactory : ILocalDeclarationStatementVulnerableSyntaxNodeFactory
20 |     {
21 |         public VulnerableSyntaxNode Create(LocalDeclarationStatementSyntax syntaxNode, params string[] messageArgs)
22 |         {
23 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
24 | 
25 |             return new VulnerableSyntaxNode(syntaxNode, messageArgs);
26 |         }
27 |     }
28 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/AccessControlAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Puma.Security.Rules.Analyzer;
14 | using Puma.Security.Rules.Analyzer.AccessControl.Authorize;
15 | using Puma.Security.Rules.Analyzer.AccessControl.Jwt;
16 | using System.Collections.Immutable;
17 | 
18 | 
19 | namespace Puma.Security.Rules.Suites.Core
20 | {
21 |     public class AccessControlAnalyzerSuiteFactory : IAnalyzerSuiteFactory
22 |     {
23 |         public ImmutableArray<ICompilationAnalyzer> Create()
24 |         {
25 |             return new ICompilationAnalyzer[]
26 |             {
27 |                 new AuthorizeAnalyzer(),
28 |                 new JwtSignatureAnalyzer(),
29 |             }.ToImmutableArray();
30 |         }
31 |     }
32 | }
33 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Model/ConfigurationFile.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Xml.Linq;
15 | 
16 | using Microsoft.CodeAnalysis;
17 | 
18 | namespace Puma.Security.Rules.Model
19 | {
20 |     [Serializable]
21 |     public class ConfigurationFile
22 |     {
23 |         public string BaseConfigurationPath { get; set; }
24 | 
25 |         public string ProductionTransformPath { get; set; }
26 | 
27 |         public string ProductionConfigurationPath { get; set; }
28 | 
29 |         public XDocument BaseConfigurationDocument { get; set; }
30 | 
31 |         public XDocument ProductionConfigurationDocument { get; set; }
32 | 
33 |         public AdditionalText Source { get; set; }
34 | 
35 |         public DateTime Created { get; set; }
36 |     }
37 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Filters/ConfigurationFileFilter.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using System;
15 | using System.Collections.Generic;
16 | using System.Collections.Immutable;
17 | using System.IO;
18 | using System.Linq;
19 | using System.Text;
20 | using System.Threading.Tasks;
21 | 
22 | namespace Puma.Security.Rules.Filters
23 | {
24 |     internal class ConfigurationFileFilter : IFileExtensionFilter
25 |     {
26 |         public const string EXTENSION = ".config";
27 | 
28 |         public IEnumerable<AdditionalText> GetFiles(ImmutableArray<AdditionalText> additionalFiles)
29 |         {
30 |             return additionalFiles.Where(f => string.Compare(Path.GetExtension(f.Path), EXTENSION) == 0).ToList();
31 |         }
32 |     }
33 | }
34 | 


--------------------------------------------------------------------------------
/Puma.Security.Parser/Rules/Models/Snippet.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | namespace Puma.Security.Parser.Rules.Models
14 | {
15 |     public class Snippet
16 |     {
17 |         public Snippet(string badge, string content)
18 |         {
19 |             this.Badge = badge;
20 |             this.Content = content;
21 |         }
22 | 
23 |         /// <summary>
24 |         /// Markdown formatted description of the code example.
25 |         /// </summary>
26 |         public string Badge { get; set; }
27 | 
28 |         /// <summary>
29 |         /// Code snippet stored in MD.
30 |         /// </summary>
31 |         public string Content { get; set; }
32 | 
33 |         public Snippet Clone()
34 |         {
35 |             return new Snippet(this.Badge, this.Content);
36 |         }
37 |     }
38 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/AssemblyExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Generic;
15 | using System.Linq;
16 | using System.Reflection;
17 | 
18 | namespace Puma.Security.Rules.Common.Extensions
19 | {
20 |     public static class AssemblyExtensions
21 |     {
22 |         public static IEnumerable<Type> GetLoadableTypes(this Assembly assembly)
23 |         {
24 |             if (assembly == null) throw new ArgumentNullException(nameof(assembly));
25 |             try
26 |             {
27 |                 return assembly.GetTypes();
28 |             }
29 |             catch (ReflectionTypeLoadException e)
30 |             {
31 |                 return e.Types.Where(t => t != null);
32 |             }
33 |         }
34 |     }
35 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Puma.Security.Parser.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk">
 2 | 
 3 |   <PropertyGroup>
 4 |     <Description>Parses msbuild output logs and exports only Puma Scan warnings for processing in CI</Description>
 5 |     <Copyright>Puma Security, LLC</Copyright>
 6 |     <Company>Puma Security LLC</Company>
 7 |     <Product>Puma Scan Community Edition</Product>
 8 |     <AssemblyTitle>Puma Scan Build Parser</AssemblyTitle>
 9 |     <TargetFramework>net6</TargetFramework>
10 |     <DebugType>portable</DebugType>
11 |     <AssemblyName>Puma.Security.Parser</AssemblyName>
12 |     <OutputType>Exe</OutputType>
13 |     <Company>Puma Security, LLC</Company>
14 |     <AssemblyName>Puma.Security.Parser</AssemblyName>
15 |     <RootNamespace>Puma.Security.Parser</RootNamespace>
16 |   </PropertyGroup>
17 | 
18 |   <ItemGroup>
19 |     <None Remove="Configuration\Rules.json" />
20 |   </ItemGroup>
21 | 
22 |   <ItemGroup>
23 |     <EmbeddedResource Include="Configuration\Rules.json" />
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <PackageReference Include="CommandLineParser" Version="2.3.0" />
27 |     <PackageReference Include="Sarif.Sdk" Version="3.1.0" />
28 |   </ItemGroup>
29 | 
30 | </Project>
31 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/BaseSemanticAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Concurrent;
14 | 
15 | using Microsoft.CodeAnalysis.Diagnostics;
16 | 
17 | using Puma.Security.Rules.Common;
18 | using Puma.Security.Rules.Core;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Core
21 | {
22 |     internal class BaseSemanticAnalyzer
23 |     {
24 |         public ConcurrentStack<VulnerableSyntaxNode> VulnerableSyntaxNodes { get; } =
25 |             new ConcurrentStack<VulnerableSyntaxNode>();
26 | 
27 |         public virtual void GetSinks(SyntaxNodeAnalysisContext context, DiagnosticId ruleId)
28 |         {
29 | 
30 |         }
31 | 
32 |         public virtual void OnCompilationEnd(PumaCompilationAnalysisContext context)
33 |         {
34 |             
35 |         }
36 |     }
37 | }
38 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/PagesConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.Pages;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class PagesConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new EventValidationAnalyzer(),
27 |                 new ValidateRequestAnalyzer(),
28 |                 new ViewStateEncryptionModeAnalyzer(),
29 |                 new ViewStateMacAnalyzer()
30 |             }.ToImmutableArray();
31 |         }
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/CryptoAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Crypto;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class CryptoAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new DesDiagnosticAnalyzer(),
27 |                 new EcbDiagnosticAnalyzer(),
28 |                 new Md5DiagnosticAnalyzer(),
29 |                 new Sha1DiagnosticAnalyzer(),
30 |                 new SystemRandomDiagnosticAnalyzer()
31 |             }.ToImmutableArray();
32 |         }
33 |     }
34 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/SqlInjectionAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Sql;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class SqlInjectionAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new LinqSqlInjectionAnalyzer(),
27 |                 new EfQueryInjectionAnalyzer(),
28 |                 new SqlCommandInjectionObjectCreationAnalyzer(),
29 |                 new SqlCommandInjectionAssignmentAnalyzer()
30 |             }.ToImmutableArray();
31 |         }
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/FormsConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.Forms;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class FormsConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new RequireSslAnalyzer(),
27 |                 new CookielessAnalyzer(),
28 |                 new ProtectionAnalyzer(),
29 |                 new TimeoutAnalyzer(),
30 |                 new CrossAppRedirectAnalyzer()
31 |             }.ToImmutableArray();
32 |         }
33 |     }
34 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/CommandInjectionAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Generic;
15 | using System.Collections.Immutable;
16 | using System.Linq;
17 | using System.Text;
18 | using System.Threading.Tasks;
19 | using Puma.Security.Rules.Analyzer;
20 | using Puma.Security.Rules.Analyzer.Injection.Cmd;
21 | 
22 | namespace Puma.Security.Rules.Suites.Core
23 | {
24 |     public class CommandInjectionAnalyzerSuiteFactory : IAnalyzerSuiteFactory
25 |     {
26 |         public ImmutableArray<ICompilationAnalyzer> Create()
27 |         {
28 |             return new ICompilationAnalyzer[]
29 |             {
30 |                 new ProcessStartInvocationAnalyzer(),
31 |                 new ProcessStartInfoCreationAnalyzer(),
32 |             }.ToImmutableArray();
33 |         }
34 |     }
35 | }
36 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/LdapInjectionAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Injection.Ldap;
17 | 
18 | namespace Puma.Security.Rules.Suites.Core
19 | {
20 |     public class LdapInjectionAnalyzerSuiteFactory : IAnalyzerSuiteFactory
21 |     {
22 |         public ImmutableArray<ICompilationAnalyzer> Create()
23 |         {
24 |             return new ICompilationAnalyzer[]
25 |             {
26 |                 new LdapDirectoryEntryPathAssignmentAnalzyer(),
27 |                 new LdapDirectoryEntryPathCreationAnalyzer(),
28 |                 new LdapDirectorySearcherCreationAnalyzer(),
29 |                 new LdapDirectorySearcherFilterAssignmentAnalyzer(),
30 |             }.ToImmutableArray();
31 |         }
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Rules/Models/DiagnosticSeverity.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | namespace Puma.Security.Parser.Rules.Models
14 | {
15 |     public enum DiagnosticSeverity
16 |     {
17 |         /// <summary>
18 |         /// Something that is an issue, as determined by some authority,
19 |         /// but is not surfaced through normal means.
20 |         /// There may be different mechanisms that act on these issues.
21 |         /// </summary>
22 |         Hidden,
23 |         /// <summary>
24 |         /// Information that does not indicate a problem (i.e. not prescriptive).
25 |         /// </summary>
26 |         Info,
27 |         /// <summary>Something suspicious but allowed.</summary>
28 |         Warning,
29 |         /// <summary>
30 |         /// Something not allowed by the rules of the language or other authority.
31 |         /// </summary>
32 |         Error,
33 |     }
34 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/PumaAnalysisContext.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis.Diagnostics;
16 | 
17 | namespace Puma.Security.Rules.Core
18 | {
19 |     internal class PumaAnalysisContext
20 |     {
21 |         internal readonly AnalysisContext Context;
22 | 
23 |         internal PumaAnalysisContext(AnalysisContext context)
24 |         {
25 |             this.Context = context;
26 |         }
27 | 
28 |         internal void RegisterCompilationStartAction(Action<PumaCompilationStartAnalysisContext> registerPumaActions)
29 |         {
30 |             Context.RegisterCompilationStartAction(c =>
31 |             {
32 |                 var pumaCompilationStartAnalysisContext = new PumaCompilationStartAnalysisContext(c);
33 |                 registerPumaActions.Invoke(pumaCompilationStartAnalysisContext);
34 |             });
35 |         }
36 |     }
37 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/Mvc/WriteLiteralRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Regex.Mvc
14 | {
15 |     internal class WriteLiteralRegexHelper : BaseRegexHelper
16 |     {
17 |         //TODO: this one could use some more love. As if two WriteLiteral's exist in one code block it will only fire 1 rule violation. Want to only match on 
18 |         //WriteLiterals within the code block @{}, but not necessarily have the regex expression match the code block. Could have analyzer run two regexes or 
19 |         //just get better at Regex :)
20 |         //private const string Regex = "@{(.|\t|\r|\n)+?(WriteLiteral\\()*(.|\t|\r|\n)+?}"; //Too many false positives, too greedy
21 |         private const string Regex = "WriteLiteral\\((.|\n|\r|\t)+?\\);";
22 | 
23 |         protected override string GetExpression()
24 |         {
25 |             return Regex;
26 |         }
27 |     }
28 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/SyntaxNodeAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | namespace Puma.Security.Rules.Analyzer.Core
18 | {
19 |     internal class SyntaxNodeAnalyzer : BaseSyntaxNodeAnalyzer<SyntaxNode>
20 |     {
21 |         public override bool CanIgnore(SemanticModel model, SyntaxNode syntax)
22 |         {
23 |             var expressionSyntaxAnalyzer = SyntaxNodeAnalyzerFactory.Create(syntax);
24 | 
25 |             return expressionSyntaxAnalyzer.CanIgnore(model, syntax);
26 |         }
27 | 
28 |         public override bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId)
29 |         {
30 |             var expressionSyntaxAnalyzer = SyntaxNodeAnalyzerFactory.Create(syntax);
31 | 
32 |             return expressionSyntaxAnalyzer.CanSuppress(model, syntax, ruleId);
33 |         }
34 |     }
35 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/BinaryFormatterExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Immutable;
15 | 
16 | using Microsoft.CodeAnalysis;
17 | using Microsoft.CodeAnalysis.CSharp.Syntax;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Core.Factories
20 | {
21 |     internal class BinaryFormatterExpressionVulnerableSyntaxNodeFactory : IBinaryFormatterExpressionVulnerableSyntaxNodeFactory
22 |     {
23 |         public VulnerableSyntaxNode Create(InvocationExpressionSyntax syntaxNode, params string[] messageArgs)
24 |         {
25 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
26 | 
27 |             var sources = new[] { syntaxNode.ArgumentList.Arguments[0] }.ToImmutableArray<SyntaxNode>();
28 | 
29 |             return new VulnerableSyntaxNode(syntaxNode, sources, messageArgs);
30 |         }
31 |     }
32 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Filters/WebFormMarkupFileFilter.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | using System.Collections.Immutable;
15 | using System.IO;
16 | using System.Linq;
17 | 
18 | using Microsoft.CodeAnalysis;
19 | 
20 | namespace Puma.Security.Rules.Filters
21 | {
22 |     internal class WebFormMarkupFileFilter : IFileExtensionFilter
23 |     {
24 |         private const string WEBFORMS_EXTENSION = ".aspx";
25 |         private const string WEBCONTROL_EXTENSION = ".ascx";
26 | 
27 |         public IEnumerable<AdditionalText> GetFiles(ImmutableArray<AdditionalText> additionalFiles)
28 |         {
29 |             return
30 |                 additionalFiles.Where(f => (string.Compare(Path.GetExtension(f.Path), WEBFORMS_EXTENSION, true) == 0) ||
31 |                     (string.Compare(Path.GetExtension(f.Path), WEBCONTROL_EXTENSION, true) == 0)
32 |                 ).ToList();
33 |         }
34 |     }
35 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Filters/MvcMarkupFileFilter.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Generic;
14 | using System.Collections.Immutable;
15 | using System.IO;
16 | using System.Linq;
17 | 
18 | using Microsoft.CodeAnalysis;
19 | 
20 | namespace Puma.Security.Rules.Filters
21 | {
22 |     internal class MvcMarkupFileFilter : IFileExtensionFilter
23 |     {
24 |         public const string CS_RAZOR_EXTENSION = ".cshtml";
25 |         public const string VB_RAZOR_EXTENSION = ".vbhtml";
26 | 
27 |         public IEnumerable<AdditionalText> GetFiles(ImmutableArray<AdditionalText> additionalFiles)
28 |         {
29 |             return
30 |                 additionalFiles.Where(f => 
31 |                     string.Compare(Path.GetExtension(f.Path), CS_RAZOR_EXTENSION) == 0 ||
32 |                     string.Compare(Path.GetExtension(f.Path), VB_RAZOR_EXTENSION) == 0)
33 |                     .ToList();
34 |         }
35 |     }
36 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/InvocationExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Immutable;
15 | using System.Linq;
16 | 
17 | using Microsoft.CodeAnalysis;
18 | using Microsoft.CodeAnalysis.CSharp.Syntax;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Core.Factories
21 | {
22 |     internal class InvocationExpressionVulnerableSyntaxNodeFactory : IInvocationExpressionVulnerableSyntaxNodeFactory
23 |     {
24 |         public VulnerableSyntaxNode Create(InvocationExpressionSyntax syntaxNode, params string[] messageArgs)
25 |         {
26 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
27 | 
28 |             var sources = syntaxNode.ArgumentList.Arguments.ToArray().Select(p => p.Expression).ToImmutableArray<SyntaxNode>();
29 | 
30 |             return new VulnerableSyntaxNode(syntaxNode, sources, messageArgs);
31 |         }
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/Mvc/HtmlRawRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Text.RegularExpressions;
14 | 
15 | namespace Puma.Security.Rules.Regex.Mvc
16 | {
17 |     internal class HtmlRawRegexHelper : BaseRegexHelper
18 |     {
19 |         private const string Regex = @"\@Html.Raw\(
20 |                                             (
21 |                                                 [^()]+         
22 |                                                 | (?<Level>\() 
23 |                                                 | (?<-Level>\))
24 |                                             )+                 
25 |                                             (?(Level)(?!))     
26 |                                         \)";
27 | 
28 |         internal HtmlRawRegexHelper() : base(RegexOptions.IgnorePatternWhitespace) { }
29 | 
30 |         protected override string GetExpression()
31 |         {
32 |             return Regex;
33 |         }
34 |     }
35 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Suites/Core/ConfigurationAnalyzerSuiteFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Collections.Immutable;
14 | 
15 | using Puma.Security.Rules.Analyzer;
16 | using Puma.Security.Rules.Analyzer.Configuration.Compilation;
17 | using Puma.Security.Rules.Analyzer.Configuration.Cors;
18 | using Puma.Security.Rules.Analyzer.Configuration.CustomErrors;
19 | using Puma.Security.Rules.Analyzer.Configuration.MachineKey;
20 | 
21 | namespace Puma.Security.Rules.Suites.Core
22 | {
23 |     public class ConfigurationAnalyzerSuiteFactory : IAnalyzerSuiteFactory
24 |     {
25 |         public ImmutableArray<ICompilationAnalyzer> Create()
26 |         {
27 |             return new ICompilationAnalyzer[]
28 |             {
29 |                 new CompilationAnalyzer(),
30 |                 new CustomErrorsAnalyzer(),
31 |                 new MachineKeyAnalyzer(),
32 |                 new CorsAllowAnyOriginAnalyzer(),
33 |             }.ToImmutableArray();
34 |         }
35 |     }
36 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Regex/BaseRegexHelper.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Text.RegularExpressions;
14 | 
15 | namespace Puma.Security.Rules.Regex
16 | {
17 |     internal abstract class BaseRegexHelper : IRegexHelper
18 |     {
19 |         private readonly RegexOptions _options;
20 | 
21 |         protected BaseRegexHelper(RegexOptions options = RegexOptions.None)
22 |         {
23 |             _options = options;
24 |         }
25 | 
26 |         public bool HasMatch(string source)
27 |         {
28 |             var regex = new System.Text.RegularExpressions.Regex(GetExpression(), _options);
29 | 
30 |             var hasMatch = regex.Match(source);
31 | 
32 |             return hasMatch.Success;
33 |         }
34 | 
35 |         public MatchCollection GetMatches(string source)
36 |         {
37 |             var regex = new System.Text.RegularExpressions.Regex(GetExpression(), _options);
38 | 
39 |             return regex.Matches(source);
40 |         }
41 | 
42 |         protected abstract string GetExpression();
43 |     }
44 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2022/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following 
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("Puma.Security.Rules.Vsix.VS2022")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Puma.Security.Rules.Vsix.VS2022")]
13 | [assembly: AssemblyCopyright("")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible 
18 | // to COM components.  If you need to access a type in this assembly from 
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // Version information for an assembly consists of the following four values:
23 | //
24 | //      Major Version
25 | //      Minor Version 
26 | //      Build Number
27 | //      Revision
28 | //
29 | // You can specify all the values or you can default the Build and Revision Numbers 
30 | // by using the '*' as shown below:
31 | // [assembly: AssemblyVersion("1.0.*")]
32 | [assembly: AssemblyVersion("1.0.0.0")]
33 | [assembly: AssemblyFileVersion("1.0.0.0")]
34 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/MethodDeclarationSyntaxExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Common.Extensions
17 | {
18 |     internal static class MethodDeclarationSyntaxExtensions
19 |     {
20 |         internal static bool ContainsReturnType(this MethodDeclarationSyntax syntax, SemanticModel model, params string[] args)
21 |         {
22 |             foreach (SyntaxNode node in syntax.ReturnType.DescendantNodesAndSelf())
23 |             {
24 |                 //Grab the return type symbol and return if it is not a named type
25 |                 var symbol = model.GetSymbolInfo(node).Symbol as INamedTypeSymbol;
26 |                 if (symbol == null)
27 |                     continue;
28 | 
29 |                 //Check the symbol for the 
30 |                 if (symbol.InheritsStartsWith(args))
31 |                     return true;
32 |             }
33 | 
34 |             return false;
35 |         }
36 |     }
37 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/DiagnosticIdExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Linq;
15 | 
16 | using Puma.Security.Rules.Diagnostics;
17 | 
18 | namespace Puma.Security.Rules.Common.Extensions
19 | {
20 |     internal static class DiagnosticIdExtensions
21 |     {
22 |         /// <summary>
23 |         ///     Gets the diagnostic id from the given type's SupportedDiagnosticAttribute attribute data
24 |         /// </summary>
25 |         /// <param name="type"></param>
26 |         /// <returns></returns>
27 |         internal static DiagnosticId GetDiagnosticId(this Type type)
28 |         {
29 |             var supportedDiagnosticAttribute = type
30 |                 .GetCustomAttributes(typeof(SupportedDiagnosticAttribute), true)
31 |                 .FirstOrDefault() as SupportedDiagnosticAttribute;
32 | 
33 |             var diagnosticId = DiagnosticId.None;
34 |             Enum.TryParse(supportedDiagnosticAttribute.Code, out diagnosticId);
35 |             return diagnosticId;
36 |         }
37 |     }
38 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/ConfigurationFileExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.Xml;
14 | using System.Xml.Linq;
15 | using System.Xml.XPath;
16 | 
17 | using Puma.Security.Rules.Model;
18 | 
19 | namespace Puma.Security.Rules.Common.Extensions
20 | {
21 |     internal static class ConfigurationFileExtensions
22 |     {
23 |         internal static IXmlLineInfo GetProductionLineInfo(this ConfigurationFile file, XElement element, string xPathExpression)
24 |         {
25 |             //Get the line info from the element
26 |             IXmlLineInfo lineInfo = element;
27 | 
28 |             //If we are using a transform, we need to identify the element in the base config document
29 |             if (!string.IsNullOrEmpty(file.ProductionTransformPath))
30 |             {
31 |                 var lineElement = file.BaseConfigurationDocument.XPathSelectElement(xPathExpression);
32 |                 if (lineElement != null)
33 |                     lineInfo = lineElement;
34 |             }
35 | 
36 |             return lineInfo;
37 |         }
38 |     }
39 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/ConfigurationFiles/ShouldUpdateConfigurationFile.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System.IO;
14 | 
15 | namespace Puma.Security.Rules.Core.ConfigurationFiles
16 | {
17 |     internal interface IShouldUpdateConfigurationFile
18 |     {
19 |         bool Execute(Model.ConfigurationFile file);
20 |     }
21 | 
22 |     public class ShouldUpdateConfigurationFile : IShouldUpdateConfigurationFile
23 |     {
24 |         public bool Execute(Model.ConfigurationFile file)
25 |         {
26 |             var fiBaseConfig = new FileInfo(file.BaseConfigurationPath);
27 |             var fiProductionTransform = new FileInfo(file.ProductionTransformPath);
28 |             var fiProductionConfigurationPath = new FileInfo(file.ProductionConfigurationPath);
29 | 
30 |             return !fiProductionConfigurationPath.Exists |
31 |                    (fiProductionConfigurationPath.LastWriteTimeUtc < fiBaseConfig.LastWriteTimeUtc) |
32 |                    (fiProductionConfigurationPath.LastWriteTimeUtc < fiProductionTransform.LastWriteTimeUtc);
33 |         }
34 |     }
35 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Model/DiagnosticInfo.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | 
15 | namespace Puma.Security.Rules.Model
16 | {
17 |     public class DiagnosticInfo
18 |     {
19 |         public DiagnosticInfo(Location location, params object[] args)
20 |         {
21 |             Args = args;
22 |             Location = location;
23 |         }
24 | 
25 |         public DiagnosticInfo(string path, int lineNumber, string elementText) : this(Location.None, path, lineNumber,
26 |             elementText)
27 |         {
28 |         }
29 | 
30 |         public DiagnosticInfo(string path, int lineNumber, string elementText, string arg) : this(Location.None, path,
31 |             lineNumber, elementText, arg)
32 |         {
33 |         }
34 | 
35 |         public DiagnosticInfo(string path, int lineNumber, string elementText, params object[] args) : this(
36 |             Location.None, path, lineNumber, elementText, args)
37 |         {
38 |         }
39 | 
40 |         public object[] Args { get; }
41 | 
42 |         public Location Location { get; }
43 |     }
44 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Diagnostics/SupportedDiagnosticAttribute.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Puma.Security.Rules.Common;
16 | 
17 | using Microsoft.CodeAnalysis;
18 | using Puma.Security.Rules.Configuration.Core;
19 | 
20 | namespace Puma.Security.Rules.Diagnostics
21 | {
22 |     [AttributeUsage(AttributeTargets.Class)]
23 |     public class SupportedDiagnosticAttribute : Attribute
24 |     {
25 |         public SupportedDiagnosticAttribute(DiagnosticId code, DiagnosticSeverity severity = DiagnosticSeverity.Warning,
26 |             DiagnosticCategory category = DiagnosticCategory.Security)
27 |         {
28 |             Code = code.ToString();
29 |             Severity = severity;
30 |             Category = category;
31 |         }
32 | 
33 |         public DiagnosticCategory Category { get; set; }
34 | 
35 |         public DiagnosticSeverity Severity { get; set; }
36 | 
37 |         public string Code { get; }
38 | 
39 |         public DiagnosticDescriptor GetDescriptor()
40 |         {
41 |             return DiagnosticDescriptorFactory.Create(Code, Severity, Category);
42 |         }
43 |     }
44 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/Models/Options.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using CommandLine;
14 | using System.Collections.Generic;
15 | 
16 | namespace Puma.Security.Parser.Models
17 | {
18 | 
19 |     public enum ReportFormat
20 |     {
21 |         MSBuild,
22 |         Sarif
23 |     }
24 | 
25 |     public class Options
26 |     {
27 |         [Option('w', "workspace", Required = true, HelpText = "Jenkins workspace root directory")]
28 |         public string Workspace { get; set; }
29 | 
30 |         [Option('f', "file", Required = true, HelpText = "Build file to parse")]
31 |         public string BuildFile { get; set; }
32 | 
33 |         [Option('o', "output", Required = true, HelpText = "Output file name")]
34 |         public string OutputFile { get; set; }
35 | 
36 |         [Option('r', "report", Required = false, HelpText = "Report format. MSBuild or Sarif")]
37 |         public ReportFormat ReportFormat { get; set; }
38 | 
39 |         [Option('e', "errors", Required = false, Separator = ',', HelpText = "List of rule ids to be treated as build errors, causing the task to fail. E.g. --errors SEC0029,SEC0108")]
40 |         public IEnumerable<string> Errors { get; set; }
41 |     }
42 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix/Publish/Production/overview.md:
--------------------------------------------------------------------------------
 1 | Security analyzers for C# that performs static code analysis for vulnerabilities identified in the OWASP Top 10, SANS/CWE Top 25, and other common insecure coding patterns.
 2 | 
 3 | ## Analysis Categories
 4 | 
 5 | - Insecure Configuration
 6 | - SQL Injection
 7 | - LDAP Injection
 8 | - Path Tampering
 9 | - Weak Password Configuration
10 | - Unvalidated Redirects
11 | - Cross-Site Scripting
12 | - Cross-Site Request Forgery
13 | - Weak Input Validation
14 | - Insecure Cryptography
15 | - Deserialization Vulnerabilities
16 | - Missing Access Control
17 | 
18 | See the git repository for more details: https://github.com/pumasecurity/puma-scan
19 | 
20 | ## Start Scanning
21 | 
22 | [https://github.com/pumasecurity/puma-scan/wiki](https://github.com/pumasecurity/puma-scan/wiki)
23 | 
24 | ## Building Custom Rules
25 | 
26 | [Contributing to the Puma Scan Community Edition](https://pumasecurity.io/resources/blog/contributing-to-puma-scan-community-edition/)
27 | 
28 | ## Release Notes
29 | 
30 | [https://github.com/pumasecurity/puma-scan/releases](https://github.com/pumasecurity/puma-scan/releases)
31 | 
32 | ## Issues or Questions
33 | 
34 | For tracking purposes, Q & A has been disabled for this extension. [GitHub](https://github.com/pumasecurity/puma-scan) is the central repository for tracking questions and issues. Please read the [wiki](https://github.com/pumasecurity/puma-scan/wiki) and review the existing [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) before opening new [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) for questions and support.


--------------------------------------------------------------------------------
/Puma.Security.Parser/Log/PumaLogEntry.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | using System.Runtime.Serialization;
14 | 
15 | namespace Puma.Security.Parser.Log
16 | {
17 |     [DataContract]
18 |     public class PumaLogEntry
19 |     {
20 |         [DataMember(Name = "ruleSeverity", IsRequired = true, EmitDefaultValue = true)]
21 |         public string RuleSeverity { get; set; }
22 | 
23 |         [DataMember(Name = "category", IsRequired = true, EmitDefaultValue = true)]
24 |         public string RuleId { get; set; }
25 | 
26 |         [DataMember(Name = "path", IsRequired = true, EmitDefaultValue = true)]
27 |         public string Path { get; set; }
28 | 
29 |         [DataMember(Name = "columnNumber", IsRequired = true, EmitDefaultValue = true)]
30 |         public int ColumnNumber { get; set; }
31 | 
32 |         [DataMember(Name = "lineNumber", IsRequired = true, EmitDefaultValue = true)]
33 |         public int LineNumber { get; set; }
34 | 
35 |         [DataMember(Name = "message", IsRequired = true, EmitDefaultValue = true)]
36 |         public string Message { get; set; }
37 | 
38 |         [DataMember(Name = "project", IsRequired = true, EmitDefaultValue = true)]
39 |         public string Project { get; set; }
40 |     }
41 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2017/Publish/Production/overview.md:
--------------------------------------------------------------------------------
 1 | Security analyzers for C# that performs static code analysis for vulnerabilities identified in the OWASP Top 10, SANS/CWE Top 25, and other common insecure coding patterns.
 2 | 
 3 | ## Analysis Categories
 4 | 
 5 | - Insecure Configuration
 6 | - SQL Injection
 7 | - LDAP Injection
 8 | - Path Tampering
 9 | - Weak Password Configuration
10 | - Unvalidated Redirects
11 | - Cross-Site Scripting
12 | - Cross-Site Request Forgery
13 | - Weak Input Validation
14 | - Insecure Cryptography
15 | - Deserialization Vulnerabilities
16 | - Missing Access Control
17 | 
18 | See the git repository for more details: https://github.com/pumasecurity/puma-scan
19 | 
20 | ## Start Scanning
21 | 
22 | [https://github.com/pumasecurity/puma-scan/wiki](https://github.com/pumasecurity/puma-scan/wiki)
23 | 
24 | ## Building Custom Rules
25 | 
26 | [Contributing to the Puma Scan Community Edition](https://pumasecurity.io/resources/blog/contributing-to-puma-scan-community-edition/)
27 | 
28 | ## Release Notes
29 | 
30 | [https://github.com/pumasecurity/puma-scan/releases](https://github.com/pumasecurity/puma-scan/releases)
31 | 
32 | ## Issues or Questions
33 | 
34 | For tracking purposes, Q & A has been disabled for this extension. [GitHub](https://github.com/pumasecurity/puma-scan) is the central repository for tracking questions and issues. Please read the [wiki](https://github.com/pumasecurity/puma-scan/wiki) and review the existing [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) before opening new [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) for questions and support.


--------------------------------------------------------------------------------
/Puma.Security.Rules.Vsix.VS2022/Publish/Production/overview.md:
--------------------------------------------------------------------------------
 1 | Security analyzers for C# that performs static code analysis for vulnerabilities identified in the OWASP Top 10, SANS/CWE Top 25, and other common insecure coding patterns.
 2 | 
 3 | ## Analysis Categories
 4 | 
 5 | - Insecure Configuration
 6 | - SQL Injection
 7 | - LDAP Injection
 8 | - Path Tampering
 9 | - Weak Password Configuration
10 | - Unvalidated Redirects
11 | - Cross-Site Scripting
12 | - Cross-Site Request Forgery
13 | - Weak Input Validation
14 | - Insecure Cryptography
15 | - Deserialization Vulnerabilities
16 | - Missing Access Control
17 | 
18 | See the git repository for more details: https://github.com/pumasecurity/puma-scan
19 | 
20 | ## Start Scanning
21 | 
22 | [https://github.com/pumasecurity/puma-scan/wiki](https://github.com/pumasecurity/puma-scan/wiki)
23 | 
24 | ## Building Custom Rules
25 | 
26 | [Contributing to the Puma Scan Community Edition](https://pumasecurity.io/resources/blog/contributing-to-puma-scan-community-edition/)
27 | 
28 | ## Release Notes
29 | 
30 | [https://github.com/pumasecurity/puma-scan/releases](https://github.com/pumasecurity/puma-scan/releases)
31 | 
32 | ## Issues or Questions
33 | 
34 | For tracking purposes, Q & A has been disabled for this extension. [GitHub](https://github.com/pumasecurity/puma-scan) is the central repository for tracking questions and issues. Please read the [wiki](https://github.com/pumasecurity/puma-scan/wiki) and review the existing [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) before opening new [GitHub issues](https://github.com/pumasecurity/puma-scan/issues) for questions and support.


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Extensions/SyntaxNodeExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | namespace Puma.Security.Rules.Common.Extensions
17 | {
18 |     internal static class SyntaxNodeExtensions
19 |     {
20 |         internal static SyntaxNode TrimTrivia(this SyntaxNode node)
21 |         {
22 |             return node.WithoutLeadingTrivia().WithoutTrailingTrivia();
23 |         }
24 | 
25 |         internal static ClassDeclarationSyntax GetClassDeclaration(this SyntaxNode syntax)
26 |         {
27 |             while (true)
28 |             {
29 |                 //Check the symbol type
30 |                 if (syntax is ClassDeclarationSyntax)
31 |                     return syntax as ClassDeclarationSyntax;
32 | 
33 |                 //If no match, walk up the chain to the base type
34 |                 if (syntax.Parent != null)
35 |                 {
36 |                     syntax = syntax.Parent;
37 |                     continue;
38 |                 }
39 | 
40 |                 //Break when the base type hits null
41 |                 break;
42 |             }
43 | 
44 |             return null;
45 |         }
46 |     }
47 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/AssignmentExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Immutable;
15 | 
16 | using Microsoft.CodeAnalysis;
17 | using Microsoft.CodeAnalysis.CSharp.Syntax;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Core.Factories
20 | {
21 |     internal class AssignmentExpressionVulnerableSyntaxNodeFactory : IAssignmentExpressionVulnerableSyntaxNodeFactory
22 |     {
23 |         public  VulnerableSyntaxNode Create(AssignmentExpressionSyntax syntaxNode, params string[] messageArgs)
24 |         {
25 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
26 | 
27 |             ImmutableArray<SyntaxNode> sources;
28 | 
29 |             var conditionalExpressionSyntax = syntaxNode?.Right as ConditionalExpressionSyntax;
30 |             if (conditionalExpressionSyntax != null)
31 |                 sources = new[] { conditionalExpressionSyntax.WhenTrue, conditionalExpressionSyntax.WhenFalse }.ToImmutableArray<SyntaxNode>();
32 |             else
33 |                 sources = new[] { syntaxNode?.Right }.ToImmutableArray<SyntaxNode>();
34 | 
35 |             return new VulnerableSyntaxNode(syntaxNode.Left, sources, messageArgs);
36 |         }
37 |     }
38 | }


--------------------------------------------------------------------------------
/docker/pumascan.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Command usage menu
 4 | usage(){
 5 |   echo -e "\nUSAGE: 
 6 | 		`basename $0` -s <path/to/code> [-e project.csproj,test.csproj] [ -h ]
 7 | 
 8 | Options:
 9 | 	-s <path/to/src>		Directory containg the source code to analyze
10 | 	-e <project.csproj>		Project(s) to to exclude from the scan.
11 | 	-h				Display this help menu.
12 | "
13 | echo ""
14 | exit
15 | }
16 | 
17 | while getopts "hs:e:" OPTION; do
18 |    case $OPTION in
19 |      h )
20 |         usage
21 |         exit 1
22 |         ;;
23 |      s )
24 |         SOURCE=$OPTARG
25 |         echo "Source directory set to $SOURCE"
26 |         ;;
27 |      e )
28 |         EXCLUDE=$OPTARG
29 | 		IFS=',' read -ra EXCLUDE_ITEMS <<< "$EXCLUDE"
30 | 		echo "Exclude set to $EXCLUDE"
31 | 		;;
32 |      : )
33 |         echo -e "\nERROR!  -$OPTARG requires an argument\n"
34 |         usage
35 |         exit 1
36 |         ;;
37 |      ? )
38 |         echo -e "\nERROR! Invalid option"
39 |         usage
40 |         exit 1
41 |         ;;
42 |    esac
43 | done
44 | 
45 | if [[ "" == $SOURCE ]] ; then
46 | 	usage; 
47 | 	exit 1;
48 | fi
49 | 
50 | 
51 | # Change to source directory
52 | echo Chaning directory to $SOURCE
53 | cd $SOURCE
54 | 
55 | # Loop through projects and add code analysis 2.9 / puma scan package
56 | for project in `find . -iname "*.csproj" -type f`; do
57 | 	
58 | 	# Check exclude projects
59 | 	for e in "${EXCLUDE_ITEMS[@]}"; do
60 | 		#echo Exclude: "./$e"
61 | 		#echo Project: $project
62 | 
63 | 		if [[ "./Puma.Security.Rules.Test/*" ~= "$project" ]]; then
64 | 			echo "Excluding project or path $project"
65 | 		fi
66 | 	done
67 | 	#echo "Analyzing project $project"
68 | done
69 | 
70 | 
71 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/RequestValidation/Core/AllowHtmlExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.CSharp.Syntax;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Validation.RequestValidation.Core
19 | {
20 |     internal class AllowHtmlExpressionAnalyzer : IAllowHtmlExpressionAnalyzer
21 |     {
22 |         public bool IsVulnerable(SemanticModel model, AttributeSyntax syntax)
23 |         {
24 |             //Check the type name
25 |             if (!ContainsTypeName(syntax)) return false;
26 | 
27 |             //If we found it, verify the namespace
28 |             var symbol = model.GetSymbolInfo(syntax).Symbol;
29 | 
30 |             if (!IsType(symbol)) return false;
31 | 
32 |             return true;
33 |         }
34 | 
35 |         private static bool ContainsTypeName(AttributeSyntax syntax)
36 |         {
37 |             return string.Compare(syntax?.Name.ToString(), "AllowHtml", StringComparison.Ordinal) == 0;
38 |         }
39 | 
40 |         private bool IsType(ISymbol symbol)
41 |         {
42 |             if (symbol == null)
43 |                 return false;
44 | 
45 |             return symbol.ContainingNamespace.ToString().Equals("System.Web.Mvc");
46 |         }
47 |     }
48 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/DesExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.CSharp.Syntax;
17 | 
18 | using Puma.Security.Rules.Common;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
21 | {
22 |     internal class DesExpressionAnalyzer : IDesExpressionAnalzyer
23 |     {
24 |         public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId)
25 |         {
26 |             //Check for the type
27 |             if (!ContainsTypeName(syntax)) return false;
28 | 
29 |             //If we found it, verify the namespace
30 |             var symbol = model.GetSymbolInfo(syntax).Symbol;
31 | 
32 |             if (!IsType(symbol)) return false;
33 | 
34 |             return true;
35 |         }
36 | 
37 |         private static bool ContainsTypeName(ObjectCreationExpressionSyntax syntax)
38 |         {
39 |             return syntax.Type.ToString().Equals("DESCryptoServiceProvider");
40 |         }
41 | 
42 |         private bool IsType(ISymbol symbol)
43 |         {
44 |             if (symbol == null)
45 |                 return false;
46 | 
47 |             return symbol.ContainingNamespace.ToString().Equals("System.Security.Cryptography");
48 |         }
49 |     }
50 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/SystemRandomExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.CSharp.Syntax;
17 | 
18 | using Puma.Security.Rules.Common;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
21 | {
22 |     internal class SystemRandomExpressionAnalyzer : ISystemRandomExpressionAnalyzer
23 |     {
24 |         public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId)
25 |         {
26 |             //Check for the SystemRandomServiceProvider type
27 |             if (!ContainsTypeName(syntax)) return false;
28 | 
29 |             //If we found it, verify the namespace
30 |             var symbol = model.GetSymbolInfo(syntax).Symbol;
31 | 
32 |             if (!IsType(symbol)) return false;
33 | 
34 |             return true;
35 |         }
36 | 
37 |         private static bool ContainsTypeName(ObjectCreationExpressionSyntax syntax)
38 |         {
39 |             return syntax.Type.ToString().Contains("Random");
40 |         }
41 | 
42 |         private bool IsType(ISymbol symbol)
43 |         {
44 |             if (symbol == null)
45 |                 return false;
46 | 
47 |             return symbol.ContainingNamespace.ToString().Equals("System");
48 |         }
49 |     }
50 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/Md5ExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.CSharp.Syntax;
17 | 
18 | using Puma.Security.Rules.Common;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
21 | {
22 |     internal class Md5ExpressionAnalyzer : IMd5ExpressionAnalzyer
23 |     {
24 |         public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId)
25 |         {
26 |             //Check for the DESCryptoServiceProvider type
27 |             if (!ContainsTypeName(syntax)) return false;
28 | 
29 |             //If we found it, verify the namespace
30 |             var symbol = model.GetSymbolInfo(syntax).Symbol;
31 | 
32 |             if (!IsType(symbol)) return false;
33 | 
34 |             return true;
35 |         }
36 | 
37 |         private static bool ContainsTypeName(ObjectCreationExpressionSyntax syntax)
38 |         {
39 |             return syntax.Type.ToString().Contains("MD5CryptoServiceProvider");
40 |         }
41 | 
42 |         private bool IsType(ISymbol symbol)
43 |         {
44 |             if (symbol == null)
45 |                 return false;
46 | 
47 |             return symbol.ContainingNamespace.ToString().Equals("System.Security.Cryptography");
48 |         }
49 |     }
50 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Xss/Core/LabelTextAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Injection.Xss.Core
20 | {
21 |     internal class LabelTextAssignmentExpressionAnalyzer : ILabelTextAssignmentExpressionAnalyzer
22 |     {
23 |         public bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId)
24 |         {
25 |             var leftSyntax = syntax?.Left as MemberAccessExpressionSyntax;
26 | 
27 |             if (leftSyntax == null || leftSyntax.Name.Identifier.ValueText.ToLower() != "text") return false;
28 | 
29 |             var leftSymbol = model.GetSymbolInfo(leftSyntax).Symbol;
30 | 
31 |             if (!(leftSymbol != null && leftSymbol.ToString().StartsWith("System.Web.UI.WebControls.Label.Text"))) return false;
32 | 
33 |             var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(syntax.Right);
34 |             if (expressionAnalyzer.CanIgnore(model, syntax.Right))
35 |                 return false;
36 |             if (expressionAnalyzer.CanSuppress(model, syntax.Right, ruleId))
37 |                 return false;
38 | 
39 |             return true;
40 |         }
41 |     }
42 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/BinaryExpressionSyntaxAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal class BinaryExpressionSyntaxAnalyzer : BaseSyntaxNodeAnalyzer<BinaryExpressionSyntax>
21 |     {
22 |         private readonly ISyntaxNodeAnalyzer<SyntaxNode> _analyzer;
23 | 
24 |         internal BinaryExpressionSyntaxAnalyzer()
25 |         {
26 |             _analyzer = new SyntaxNodeAnalyzer();
27 |         }
28 | 
29 |         public override bool CanIgnore(SemanticModel model, SyntaxNode syntax)
30 |         {
31 |             var binaryExpressionSyntax = syntax as BinaryExpressionSyntax;
32 | 
33 |             return _analyzer.CanIgnore(model, binaryExpressionSyntax.Right) &&
34 |                    _analyzer.CanIgnore(model, binaryExpressionSyntax.Left);
35 |         }
36 | 
37 |         public override bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId)
38 |         {
39 |             var binaryExpressionSyntax = syntax as BinaryExpressionSyntax;
40 | 
41 |             return _analyzer.CanSuppress(model, binaryExpressionSyntax.Right, ruleId) &&
42 |                    _analyzer.CanSuppress(model, binaryExpressionSyntax.Left, ruleId);
43 |         }
44 |     }
45 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Xss/Core/LiteralTextAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Injection.Xss.Core
20 | {
21 |     internal class LiteralTextAssignmentExpressionAnalyzer : ILiteralTextAssignmentExpressionAnalyzer
22 |     {
23 |         public bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId)
24 |         {
25 |             var leftSyntax = syntax?.Left as MemberAccessExpressionSyntax;
26 | 
27 |             if (leftSyntax == null || leftSyntax.Name.Identifier.ValueText.ToLower() != "text") return false;
28 | 
29 |             var leftSymbol = model.GetSymbolInfo(leftSyntax).Symbol;
30 | 
31 |             if (!(leftSymbol != null && leftSymbol.ToString().StartsWith("System.Web.UI.WebControls.Literal.Text"))) return false;
32 | 
33 |             var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(syntax.Right);
34 |             if (expressionAnalyzer.CanIgnore(model, syntax.Right))
35 |                 return false;
36 |             if (expressionAnalyzer.CanSuppress(model, syntax.Right, ruleId))
37 |                 return false;
38 | 
39 |             return true;
40 |         }
41 |     }
42 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Crypto/Core/Sha1ExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis;
16 | using Microsoft.CodeAnalysis.CSharp.Syntax;
17 | 
18 | using Puma.Security.Rules.Common;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Crypto.Core
21 | {
22 |     internal class Sha1ExpressionAnalyzer : ISha1ExpressionAnalzyer
23 |     {
24 |         public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId)
25 |         {
26 |             //Check for the DESCryptoServiceProvider type
27 |             if (!ContainsTypeName(syntax)) return false;
28 | 
29 |             //If we found it, verify the namespace
30 |             var symbol = model.GetSymbolInfo(syntax).Symbol;
31 | 
32 |             if (!IsType(symbol)) return false;
33 | 
34 |             return true;
35 |         }
36 | 
37 |         private static bool ContainsTypeName(ObjectCreationExpressionSyntax syntax)
38 |         {
39 |             return syntax.Type.ToString().Contains("SHA1CryptoServiceProvider")
40 |                 || syntax.Type.ToString().Contains("SHA1Managed");
41 |         }
42 | 
43 |         private bool IsType(ISymbol symbol)
44 |         {
45 |             if (symbol == null)
46 |                 return false;
47 | 
48 |             return symbol.ContainingNamespace.ToString().Equals("System.Security.Cryptography");
49 |         }
50 |     }
51 | }


--------------------------------------------------------------------------------
/Puma.Security.Parser/RegexConstants.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  *
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  *
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
11 |  */
12 | 
13 | namespace Puma.Security.Parser
14 | {
15 |     public static class RegexConstants
16 |     {
17 |         public const string _REGEX_PUMA_CATEGORY = @"(warning) (SEC)[\d]+:";
18 |         public const string _REGEX_PUMA_ERROR_CODE = @"(SEC)[\d]+";
19 |         public const string _REGEX_RULE_SEVERITY = @"([^\s]+)";
20 |         public const string _REGEX_FULL_WIN_FILE_PATH = @"\b[A-Z]:\\(?:[^\\/:*?""<>|\x00-\x1F]+\\)*[^\\/:*?""<>|\x00-\x1F\]]*";
21 |         public const string _REGEX_WIN_DIRECTORY = @"([A-Z]:|\\\\[a-z0-9 %._-]+\\[a-z0-9 $%._-]+)?(\\?(?:[^\\/:*?""<>|\x00-\x1F]+\\)+)";
22 |         public const string _REGEX_VS_RELATIVE_PATH = @"([^\\/:*?""<>|\x00-\x1F]+\\)*[^\\/:*?""<>|\x00-\x1F]+\(\d+,\d+\)";
23 |         public const string _REGEX_WARNING_DELIMITER = @":\ \[?";
24 |         public const char _VS_PATH_DELIMETER_OPEN = '(';
25 |         public const char _VS_PATH_DELIMETER_CLOSE = ')';
26 |         public const char _VS_LOCATION_DELIMETER = ',';
27 |         public const char _VS_PROJECT_DELIMETER_OPEN = '[';
28 |         public const char _VS_PROJECT_DELIMETER_CLOSE = ']';
29 |         public const string _MS_BUILD_WARNING_FORMAT = @"{0}({1},{2}): warning {3}: {4} [{5}]";
30 |         public const string _REGEX_ADDITIONAL_FILES_PATH = @" [A-Za-z]:\\[A-Za-z0-9 %\._-]+";
31 |         public const string _REGEX_ADDITIONAL_FILES_METADATA = @" \{0\}(\{1\}): \{2\}";
32 |     }
33 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules/tools/install.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not install analyzers via install.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     if (Test-Path $analyzersPath)
17 |     {
18 |         # Install the language agnostic analyzers.
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Install language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
55 |             }
56 |         }
57 |     }
58 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.2017/tools/install.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not install analyzers via install.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     if (Test-Path $analyzersPath)
17 |     {
18 |         # Install the language agnostic analyzers.
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Install language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
55 |             }
56 |         }
57 |     }
58 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.2022/tools/install.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not install analyzers via install.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     if (Test-Path $analyzersPath)
17 |     {
18 |         # Install the language agnostic analyzers.
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Install language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 $project.Object.AnalyzerReferences.Add($analyzerFilePath.FullName)
55 |             }
56 |         }
57 |     }
58 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/ConditionalExpressionSyntaxAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core
19 | {
20 |     internal class ConditionalExpressionSyntaxAnalyzer : BaseSyntaxNodeAnalyzer<ConditionalExpressionSyntax>
21 |     {
22 |         private readonly ISyntaxNodeAnalyzer<SyntaxNode> _analyzer;
23 | 
24 |         internal ConditionalExpressionSyntaxAnalyzer()
25 |         {
26 |             _analyzer = new SyntaxNodeAnalyzer();
27 |         }
28 | 
29 |         public override bool CanIgnore(SemanticModel model, SyntaxNode syntax)
30 |         {
31 |             var conditionalExpressionSyntax = syntax as ConditionalExpressionSyntax;
32 | 
33 |             return _analyzer.CanIgnore(model, conditionalExpressionSyntax.WhenTrue) &&
34 |                    _analyzer.CanIgnore(model, conditionalExpressionSyntax.WhenFalse);
35 |         }
36 | 
37 |         public override bool CanSuppress(SemanticModel model, SyntaxNode syntax, DiagnosticId ruleId)
38 |         {
39 |             var conditionalExpressionSyntax = syntax as ConditionalExpressionSyntax;
40 | 
41 |             return _analyzer.CanSuppress(model, conditionalExpressionSyntax.WhenTrue, ruleId) &&
42 |                    _analyzer.CanSuppress(model, conditionalExpressionSyntax.WhenFalse, ruleId);
43 |         }
44 |     }
45 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Specialized/IsArgumentOnlyExpression.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Common.Extensions;
17 | 
18 | namespace Puma.Security.Rules.Analyzer.Core.Specialized
19 | {
20 |     internal interface IIsArgumentOnlyExpression
21 |     {
22 |         bool Execute(SemanticModel model, InvocationExpressionSyntax syntax);
23 |     }
24 | 
25 |     public class IsArgumentOnlyExpression : IIsArgumentOnlyExpression
26 |     {
27 |         public bool Execute(SemanticModel model, InvocationExpressionSyntax syntax)
28 |         {
29 |             if (ContainsArgumentOnlyMethodName(syntax))
30 |             {
31 |                 var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
32 |                 if (symbol != null)
33 |                 {
34 |                     return IsArgumentOnlyMethod(symbol);
35 |                 }
36 |             }
37 | 
38 |             return false;
39 |         }
40 | 
41 |         private bool ContainsArgumentOnlyMethodName(InvocationExpressionSyntax syntax)  => syntax.ToString().Contains("MapPath") || syntax.ToString().Contains("string.Format") || syntax.ToString().Contains("String.Format");
42 | 
43 |         private bool IsArgumentOnlyMethod(IMethodSymbol symbol) => symbol.IsMethod("System.Web.HttpRequest", "MapPath") || symbol.IsMethod("System.Web.HttpServerUtility", "MapPath") || symbol.IsMethod("string", "Format");
44 |     }
45 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Injection/Sql/Core/SqlCommandInjectionAssignmentExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Injection.Sql.Core
20 | {
21 |     internal class SqlCommandInjectionAssignmentExpressionAnalyzer : ISqlCommandInjectionAssignmentExpressionAnalyzer
22 |     {
23 |         public bool IsVulnerable(SemanticModel model, AssignmentExpressionSyntax syntax, DiagnosticId ruleId)
24 |         {
25 |             var leftSyntax = syntax?.Left as MemberAccessExpressionSyntax;
26 | 
27 |             if (leftSyntax == null || leftSyntax.Name.Identifier.ValueText.ToLower() != "commandtext") return false;
28 | 
29 |             var leftSymbol = model.GetSymbolInfo(leftSyntax).Symbol;
30 | 
31 |             if (!(leftSymbol != null && (leftSymbol.ToString().StartsWith("System.Data.SqlClient.SqlCommand")) || leftSymbol.ToString().StartsWith("Microsoft.Data.Sqlite.SqliteCommand"))) 
32 |                 return false;
33 | 
34 |             var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(syntax.Right);
35 |             if (expressionAnalyzer.CanIgnore(model, syntax.Right))
36 |                 return false;
37 |             if (expressionAnalyzer.CanSuppress(model, syntax.Right, ruleId))
38 |                 return false;
39 | 
40 |             return true;
41 |         }
42 |     }
43 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Path/Core/FileStreamExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | using Puma.Security.Rules.Common.Extensions;
19 | 
20 | namespace Puma.Security.Rules.Analyzer.Validation.Path.Core
21 | {
22 |     internal class FileStreamExpressionAnalyzer : IFileStreamExpressionAnalyzer
23 |     {
24 |         public bool IsVulnerable(SemanticModel model, ObjectCreationExpressionSyntax syntax, DiagnosticId ruleId)
25 |         {
26 |             if (!syntax.ToString().Contains("FileStream")) return false;
27 | 
28 |             var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
29 |             if (symbol.IsCtorFor("System.IO.FileStream"))
30 |             {
31 |                 if (syntax.ArgumentList.Arguments.Count > 0)
32 |                 {
33 |                     var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
34 |                     var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(argSyntax);
35 |                     if (expressionAnalyzer.CanIgnore(model, argSyntax))
36 |                         return false;
37 |                     if (expressionAnalyzer.CanSuppress(model, argSyntax, ruleId))
38 |                         return false;
39 |                 }
40 |                 return true;
41 |             }
42 | 
43 |             return false;
44 |         }
45 |     }
46 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Redirect/Core/MvcRedirectExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Validation.Redirect.Core
20 | {
21 |     internal class MvcRedirectExpressionAnalyzer : IMvcRedirectExpressionAnalyzer
22 |     {
23 |         public bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId)
24 |         {
25 |             if (!syntax.ToString().Contains("Redirect")) return false;
26 | 
27 |             var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
28 |             if (symbol?.Name == "Redirect" && symbol?.ReceiverType.ToString() == "System.Web.Mvc.Controller")
29 |             {
30 |                 if (syntax.ArgumentList.Arguments.Count == 1)
31 |                 {
32 |                     var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
33 |                     var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(argSyntax);
34 |                     if (expressionAnalyzer.CanIgnore(model, argSyntax))
35 |                         return false;
36 |                     if (expressionAnalyzer.CanSuppress(model, argSyntax, ruleId))
37 |                         return false;
38 |                 }
39 |                 return true;
40 |             }
41 | 
42 |             return false;
43 |         }
44 |     }
45 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/CompilationAnalyzerExtensions.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Linq;
15 | 
16 | using Microsoft.CodeAnalysis;
17 | 
18 | using Puma.Security.Rules.Common;
19 | using Puma.Security.Rules.Diagnostics;
20 | 
21 | namespace Puma.Security.Rules.Analyzer
22 | {
23 |     internal static class CompilationAnalyzerExtensions
24 |     {
25 |         internal static DiagnosticDescriptor GetDiagnosticDescriptor(this ICompilationAnalyzer analyzer)
26 |         {
27 |             var diagnosticAnalyzerAttribute = analyzer.GetSupportedDiagnosticAttribute();
28 | 
29 |             return diagnosticAnalyzerAttribute.GetDescriptor();
30 |         }
31 | 
32 |         internal static SupportedDiagnosticAttribute GetSupportedDiagnosticAttribute(this ICompilationAnalyzer analyzer)
33 |         {
34 |             var supportedDiagnosticAttribute = analyzer.GetType()
35 |                 .GetCustomAttributes(typeof(SupportedDiagnosticAttribute), true)
36 |                 .FirstOrDefault() as SupportedDiagnosticAttribute;
37 | 
38 |             return supportedDiagnosticAttribute;
39 |         }
40 | 
41 |         internal static DiagnosticId GetDiagnosticId(this ICompilationAnalyzer analyzer)
42 |         {
43 |             var diagnosticAnalyzerAttribute = analyzer.GetSupportedDiagnosticAttribute();
44 | 
45 |             DiagnosticId diagnosticId;
46 |             Enum.TryParse(diagnosticAnalyzerAttribute.Code, out diagnosticId);
47 | 
48 |             return diagnosticId;
49 |         }
50 |     }
51 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Core/Factories/ObjectCreationExpressionVulnerableSyntaxNodeFactory.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Generic;
15 | using System.Collections.Immutable;
16 | using System.Linq;
17 | 
18 | using Microsoft.CodeAnalysis;
19 | using Microsoft.CodeAnalysis.CSharp.Syntax;
20 | 
21 | namespace Puma.Security.Rules.Analyzer.Core.Factories
22 | {
23 |     internal class ObjectCreationExpressionVulnerableSyntaxNodeFactory : IObjectCreationExpressionVulnerableSyntaxNodeFactory
24 |     {
25 |         public VulnerableSyntaxNode Create(ObjectCreationExpressionSyntax syntaxNode, params string[] messageArgs)
26 |         {
27 |             if (syntaxNode == null) throw new ArgumentNullException(nameof(syntaxNode));
28 | 
29 |             var sources = new List<SyntaxNode>();
30 |             
31 |             //Standard arguments passed into a constructor
32 |             if (syntaxNode.ArgumentList != null && syntaxNode.ArgumentList.Arguments.Any())
33 |             {
34 |                 sources.AddRange(syntaxNode.ArgumentList.Arguments.ToArray().Select(p => p.Expression));
35 |             }
36 |             //Initializer arguments passed in via the inline syntax object = new object() { x = y; }
37 |             if (syntaxNode.Initializer != null)
38 |             {
39 |                 sources.AddRange(syntaxNode.Initializer.Expressions);
40 |             }
41 | 
42 |             return new VulnerableSyntaxNode(syntaxNode, sources.ToImmutableArray(), messageArgs);
43 |         }
44 |     }
45 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Configuration/Cors/Core/CorsExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | using System.Collections.Generic;
15 | using System.Text;
16 | using Microsoft.CodeAnalysis;
17 | using Microsoft.CodeAnalysis.CSharp.Syntax;
18 | using Puma.Security.Rules.Common;
19 | using Puma.Security.Rules.Common.Extensions;
20 | 
21 | namespace Puma.Security.Rules.Analyzer.Configuration.Cors.Core
22 | {
23 |     internal class CorsExpressionAnalyzer : ICorsExpressionAnalyzer
24 |     {
25 |         public bool IsVulnerable(SemanticModel model, MemberAccessExpressionSyntax syntax, DiagnosticId ruleId)
26 |         {
27 |             //Quick check for the object name
28 |             if (!IsTypeName(syntax)) return false;
29 | 
30 |             //Verify full namesapce
31 |             var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
32 |             if (!symbol.IsMethod("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder", "AllowAnyOrigin"))
33 |                 return false;
34 | 
35 |             return true;
36 |         }
37 | 
38 |         private static bool IsTypeName(MemberAccessExpressionSyntax syntax)
39 |         {
40 |             return syntax.Name.ToString().Equals("AllowAnyOrigin");
41 |         }
42 | 
43 |         private bool IsType(ISymbol symbol)
44 |         {
45 |             if (symbol == null)
46 |                 return false;
47 | 
48 |             return symbol.ContainingNamespace.ToString().Equals("Microsoft.AspNetCore.Cors.Infrastructure");
49 |         }
50 |     }
51 | }
52 | 


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Core/PumaCompilationStartAnalysisContext.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using System;
14 | 
15 | using Microsoft.CodeAnalysis.CSharp;
16 | using Microsoft.CodeAnalysis.Diagnostics;
17 | 
18 | using Puma.Security.Rules.Common;
19 | 
20 | namespace Puma.Security.Rules.Core
21 | {
22 |     internal class PumaCompilationStartAnalysisContext
23 |     {
24 |         private readonly CompilationStartAnalysisContext _context;
25 | 
26 |         internal PumaCompilationStartAnalysisContext(CompilationStartAnalysisContext context)
27 |         {
28 |             this._context = context;
29 |         }
30 | 
31 |         internal void RegisterSyntaxNodeAction(Action<PumaSyntaxNodeAnalysisContext> registerSyntaxAction, SyntaxKind syntaxKind, DiagnosticId diagnosticId)
32 |         {
33 |             _context.RegisterSyntaxNodeAction(c =>
34 |             {
35 |                 var pumaCompilationEndContext = new PumaSyntaxNodeAnalysisContext(diagnosticId, c);
36 |                 registerSyntaxAction.Invoke(pumaCompilationEndContext);
37 |             }, syntaxKind);
38 |         }
39 | 
40 |         internal void RegisterCompilationEndAction(Action<PumaCompilationAnalysisContext> compilationEndAction, DiagnosticId diagnosticId)
41 |         {
42 |             _context.RegisterCompilationEndAction(c =>
43 |             {
44 |                 var pumaCompilationEndContext = new PumaCompilationAnalysisContext(diagnosticId, c);
45 |                 compilationEndAction.Invoke(pumaCompilationEndContext);
46 |             });
47 |         }
48 |     }
49 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Analyzer/Validation/Redirect/Core/ResponseRedirectExpressionAnalyzer.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | using Microsoft.CodeAnalysis;
14 | using Microsoft.CodeAnalysis.CSharp.Syntax;
15 | 
16 | using Puma.Security.Rules.Analyzer.Core;
17 | using Puma.Security.Rules.Common;
18 | 
19 | namespace Puma.Security.Rules.Analyzer.Validation.Redirect.Core
20 | {
21 |     internal class ResponseRedirectExpressionAnalyzer : IResponseRedirectExpressionAnalyzer
22 |     {
23 |         public bool IsVulnerable(SemanticModel model, InvocationExpressionSyntax syntax, DiagnosticId ruleId)
24 |         {
25 |             if (!syntax.ToString().Contains("Redirect")) return false;
26 | 
27 |             var symbol = model.GetSymbolInfo(syntax).Symbol as IMethodSymbol;
28 |             if ((symbol?.Name == "Redirect" || symbol?.Name == "RedirectPermanent")
29 |                 && symbol?.ReceiverType.ToString() == "System.Web.HttpResponse")
30 |             {
31 |                 if (syntax.ArgumentList.Arguments.Count > 0)
32 |                 {
33 |                     var argSyntax = syntax.ArgumentList.Arguments[0].Expression;
34 |                     var expressionAnalyzer = SyntaxNodeAnalyzerFactory.Create(argSyntax);
35 |                     if (expressionAnalyzer.CanIgnore(model, argSyntax))
36 |                         return false;
37 |                     if (expressionAnalyzer.CanSuppress(model, argSyntax, ruleId))
38 |                         return false;
39 |                 }
40 |                 return true;
41 |             }
42 | 
43 |             return false;
44 |         }
45 |     }
46 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.Shared/Common/Enum.cs:
--------------------------------------------------------------------------------
 1 | /* 
 2 |  * Copyright(c) 2016 - 2020 Puma Security, LLC (https://pumasecurity.io)
 3 |  * 
 4 |  * Project Leads:
 5 |  * Eric Johnson (eric.johnson@pumascan.com)
 6 |  * Eric Mead (eric.mead@pumascan.com)
 7 |  * 
 8 |  * This Source Code Form is subject to the terms of the Mozilla Public
 9 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
10 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
11 |  */
12 | 
13 | namespace Puma.Security.Rules.Common
14 | {
15 |     public enum DiagnosticCategory
16 |     {
17 |         None = 0,
18 |         Security = 1,
19 |         Syntax = 2, 
20 |         License = 3
21 |     }
22 | 
23 |     public enum DiagnosticId
24 |     {
25 |         None,
26 |         SEC0001,
27 |         SEC0002,
28 |         SEC0003,
29 |         SEC0004,
30 |         SEC0005,
31 |         SEC0006,
32 |         SEC0007,
33 |         SEC0008,
34 |         SEC0009,
35 |         SEC0010,
36 |         SEC0011,
37 |         SEC0012,
38 |         SEC0013,
39 |         SEC0014,
40 |         SEC0015,
41 |         SEC0016,
42 |         SEC0017,
43 |         SEC0018,
44 |         SEC0019,
45 |         SEC0020,
46 |         SEC0021,
47 |         SEC0022,
48 |         SEC0023,
49 |         SEC0024,
50 |         SEC0025,
51 |         SEC0026,
52 |         SEC0027,
53 |         SEC0028,
54 |         SEC0029,
55 |         SEC0030,
56 |         SEC0031,
57 |         SEC0032,
58 |         SEC0033,
59 |         //leaving a gap to prevent merge issues.
60 |         SEC0100,
61 |         SEC0101,
62 |         SEC0102,
63 |         SEC0103,
64 |         SEC0104,
65 |         SEC0105,
66 |         SEC0106,
67 |         SEC0107,
68 |         SEC0108,
69 |         SEC0109,
70 |         SEC0110,
71 |         SEC0111,
72 |         SEC0112,
73 |         SEC0113,
74 |         SEC0114,
75 |         SEC0115,
76 |         SEC0116,
77 |         SEC0117,
78 |         SEC0118,
79 |         SEC0119,
80 |         SEC0120,
81 |         SEC0121,
82 |         SEC0122
83 |     }
84 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules/tools/uninstall.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not uninstall analyzers via uninstall.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     # Uninstall the language agnostic analyzers.
17 |     if (Test-Path $analyzersPath)
18 |     {
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Uninstall language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 try
55 |                 {
56 |                     $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
57 |                 }
58 |                 catch
59 |                 {
60 | 
61 |                 }
62 |             }
63 |         }
64 |     }
65 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.2017/tools/uninstall.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not uninstall analyzers via uninstall.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     # Uninstall the language agnostic analyzers.
17 |     if (Test-Path $analyzersPath)
18 |     {
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Uninstall language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 try
55 |                 {
56 |                     $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
57 |                 }
58 |                 catch
59 |                 {
60 | 
61 |                 }
62 |             }
63 |         }
64 |     }
65 | }


--------------------------------------------------------------------------------
/Puma.Security.Rules.2022/tools/uninstall.ps1:
--------------------------------------------------------------------------------
 1 | param($installPath, $toolsPath, $package, $project)
 2 | 
 3 | if($project.Object.SupportsPackageDependencyResolution)
 4 | {
 5 |     if($project.Object.SupportsPackageDependencyResolution())
 6 |     {
 7 |         # Do not uninstall analyzers via uninstall.ps1, instead let the project system handle it.
 8 |         return
 9 |     }
10 | }
11 | 
12 | $analyzersPaths = Join-Path (Join-Path (Split-Path -Path $toolsPath -Parent) "analyzers") * -Resolve
13 | 
14 | foreach($analyzersPath in $analyzersPaths)
15 | {
16 |     # Uninstall the language agnostic analyzers.
17 |     if (Test-Path $analyzersPath)
18 |     {
19 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$analyzersPath\*.dll" -Exclude *.resources.dll)
20 |         {
21 |             if($project.Object.AnalyzerReferences)
22 |             {
23 |                 $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
24 |             }
25 |         }
26 |     }
27 | }
28 | 
29 | # $project.Type gives the language name like (C# or VB.NET)
30 | $languageFolder = ""
31 | if($project.Type -eq "C#")
32 | {
33 |     $languageFolder = "cs"
34 | }
35 | if($project.Type -eq "VB.NET")
36 | {
37 |     $languageFolder = "vb"
38 | }
39 | if($languageFolder -eq "")
40 | {
41 |     return
42 | }
43 | 
44 | foreach($analyzersPath in $analyzersPaths)
45 | {
46 |     # Uninstall language specific analyzers.
47 |     $languageAnalyzersPath = join-path $analyzersPath $languageFolder
48 |     if (Test-Path $languageAnalyzersPath)
49 |     {
50 |         foreach ($analyzerFilePath in Get-ChildItem -Path "$languageAnalyzersPath\*.dll" -Exclude *.resources.dll)
51 |         {
52 |             if($project.Object.AnalyzerReferences)
53 |             {
54 |                 try
55 |                 {
56 |                     $project.Object.AnalyzerReferences.Remove($analyzerFilePath.FullName)
57 |                 }
58 |                 catch
59 |                 {
60 | 
61 |                 }
62 |             }
63 |         }
64 |     }
65 | }


--------------------------------------------------------------------------------