
Semgrep validation #1703


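--- a/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs
+++ b/src/MongoDB.Driver.Encryption/VulnerableCrypto.cs
@@ -0,0 +1,74 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+using System;
+using System.Security.Cryptography;
+using System.Text;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver.Encryption
+{
+/// <summary>
+///
+/// </summary>
+public static class VulnerableCryptography
+{
+// Weak hashing - Semgrep should flag
+/// <summary>
+///
+/// </summary>
+/// <param name="password"></param>
+/// <returns></returns>
+public static string HashPassword(string password)
+{
+using (var md5 = MD5.Create()) // VULNERABLE - MD5 is weak
+{
+var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
+return Convert.ToBase64String(hash);
+}
+}
+
+private static string Hash(string str)
+{
+byte[] bytes = Encoding.ASCII.GetBytes(str);
+using (SHA256 algorithm = SHA256.Create())
+{
+var hash = algorithm.ComputeHash(bytes);
+
+return BsonUtils.ToHexString(hash);
+}
+}
+
+// Hardcoded encryption key - Semgrep should flag
+private static readonly byte[] EncryptionKey = {
+0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
+};
+
+/// <summary>
+///
+/// </summary>
+/// <param name="data"></param>
+/// <returns></returns>
+public static byte[] EncryptData(byte[] data)
+{
+using (var aes = Aes.Create())
+{
+aes.Key = EncryptionKey; // VULNERABLE - hardcoded key
+// ... encryption logic
+return data; // simplified
+}
+}
+}
+}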
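Review bot: `EncryptData` creates an `Aes` instance, assigns the key and then returns `data` untouched, so any caller of this public method gets its plaintext back from a method whose name promises encryption; if the type exists only as a scanner fixture, keeping it out of the shipped assembly (`internal static class VulnerableCryptography`, or a fixture directory excluded from the `.csproj`) is safer than a public type under `src/`. The `<summary>` and `<param>` elements on the class and both public methods are empty; either fill them (`/// <summary>Intentionally weak sample used to validate Semgrep rules; not for production use.</summary>`) or drop them so empty tags do not land in the generated reference docs. The private `Hash` helper is not referenced anywhere in the file, which leaves it dead code, and unlike `HashPassword` it encodes with `Encoding.ASCII`, which silently substitutes non-ASCII characters before hashing.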
29 changes: 29 additions & 0 deletions src/MongoDB.Driver/MongoClient.cs
Original file line number Diff line number Diff line change
Expand Up @@ -751,4 +751,33 @@ private async Task<TResult> UsingImplicitSessionAsync<TResult>(Func<IClientSessi
}
}
}

/// <summary>
///
/// </summary>
public class VulnerableConnectionExample
{
// Hardcoded credentials
private const string DefaultConnectionString = "mongodb://admin:password123@prod-server:27017/sensitive_db";

/// <summary>
///
/// </summary>
/// <returns></returns>
public MongoClient CreateClient()
{
return new MongoClient(DefaultConnectionString);
}

// Weak random session ID -
/// <summary>
///
/// </summary>
/// <returns></returns>
public string GenerateSessionId()
{
var random = new Random(); // Cryptographically weak
return random.Next().ToString();
}
}
}
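Review bot: `VulnerableConnectionExample` is added to `MongoClient.cs` as a public class in namespace `MongoDB.Driver`, so it becomes part of the driver's shipped public API rather than a test fixture; if this is a Semgrep validation sample, `internal sealed class VulnerableConnectionExample` in a file excluded from the package is the safer placement. The `DefaultConnectionString` literal will also be reported by any credential scanner run against the repository, not only by the Semgrep rule under test, so expect it in secret-scanning output for as long as the sample stays in the tree. The empty `<summary>` tags on the class and on both methods should either describe the intent or be removed. The closing braces at the top of the hunk belong to `UsingImplicitSessionAsync` and `MongoClient`, which start outside the hunk.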
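--- a/src/MongoDB.Driver/VulnerableNullHandling.cs
+++ b/src/MongoDB.Driver/VulnerableNullHandling.cs
@@ -0,0 +1,52 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System;
+using System.Collections.Generic;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+/// <summary>
+///
+/// </summary>
+public class VulnerableNullHandling
+{
+/// <summary>
+///
+/// </summary>
+/// <param name="document"></param>
+/// <returns></returns>
+public string ProcessDocument(BsonDocument document)
+{
+// Remove null checks - Semgrep should flag potential null reference
+var name = document["name"].AsString; // Could be null
+return name.ToUpper(); // VULNERABLE - potential null reference
+}
+
+/// <summary>
+///
+/// </summary>
+/// <param name="documents"></param>
+public void ProcessCollection(List<BsonDocument> documents)
+{
+// Missing null check on collection
+foreach (var doc in documents) // VULNERABLE if documents is null
+{
+Console.WriteLine(doc["_id"]);
+}
+}
+}
+}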
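Review bot: The comment on `document["name"].AsString` says the value could be null, but as far as the BsonDocument API goes the indexer throws `KeyNotFoundException` for a missing element and `AsString` throws `InvalidCastException` for a non-string value (including `BsonNull`), so the failure on that line is an exception rather than a null `name`; the only null dereference path is `document` itself being null. The comment should say which it is, e.g. `// throws KeyNotFoundException when "name" is absent and InvalidCastException when it is not a string; only a null document reaches NullReferenceException`, so the rule being validated matches the behaviour. `ProcessCollection` writes to `Console` from a public class in the `MongoDB.Driver` namespace under `src/`, which ships in the driver; a fixture should be `internal` or excluded from the project. Both `<summary>` blocks are empty.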
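--- a/src/MongoDB.Driver/VulnerableQuery.cs
+++ b/src/MongoDB.Driver/VulnerableQuery.cs
@@ -0,0 +1,64 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using MongoDB.Bson;
+
+namespace MongoDB.Driver
+{
+/// <summary>
+///
+/// </summary>
+public class VulnerableQueryBuilder
+{
+private readonly IMongoCollection<BsonDocument> _collection;
+
+/// <summary>
+///
+/// </summary>
+/// <param name="collection"></param>
+public VulnerableQueryBuilder(IMongoCollection<BsonDocument> collection)
+{
+_collection = collection;
+}
+
+// Vulnerable: String concatenation in query - Semgrep should flag
+/// <summary>
+///
+/// </summary>
+/// <param name="username"></param>
+/// <returns></returns>
+public async Task<List<BsonDocument>> FindUserByName(string username)
+{
+var queryJson = "{ 'username': '" + username + "' }"; // VULNERABLE
+var filter = BsonDocument.Parse(queryJson);
+return await _collection.Find(filter).ToListAsync().ConfigureAwait(false);
+}
+
+// Another injection pattern
+/// <summary>
+///
+/// </summary>
+/// <param name="field"></param>
+/// <param name="value"></param>
+/// <returns></returns>
+public async Task<BsonDocument> FindByDynamicField(string field, string value)
+{
+var query = $"{{ {field}: '{value}' }}"; // VULNERABLE
+return await _collection.Find(BsonDocument.Parse(query)).FirstOrDefaultAsync().ConfigureAwait(false);
+}
+}
+}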
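Review bot: `FindUserByName` and `FindByDynamicField` are `async` methods returning `Task` without the `Async` suffix and without a `CancellationToken`, unlike the driver's own `ToListAsync`/`FirstOrDefaultAsync` surface they call; `public async Task<List<BsonDocument>> FindUserByNameAsync(string username, CancellationToken cancellationToken = default)` with the token passed to `ToListAsync(cancellationToken)` would match the file's neighbours. Because the class is public in namespace `MongoDB.Driver` under `src/`, it ships in the driver package; a scanner fixture should be `internal` or excluded from the project. Beyond the injection the comments already flag, `BsonDocument.Parse` on the concatenated string will presumably fail with a parse exception for any legitimate `username` containing a quote, so the non-malicious path is broken too. The `<summary>` elements are empty throughout the file.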