Add content for rule guidance containing "TO DO"s. (#617)

* Add guidance for weak random rule

* Add guidance for outdated TLS protocol

* Add guidance for XXE rule

* Add guidance for weak cipher mode rule

* Point disabled cert validation rules at complete guidance

* Add guidance for DPAPI entropy rule

* Use existing HTTPS guidance for Ruby rule

* Add guidance for strncat rule

* Add guidance for strncpy rule

* Add guidance for 3DES rule

* Add guidance for C gets rule

* Add guidance for C strcat rule

* Add guidance for C strcpy rule

* Add guidance for C malloc rule

* Add guidance for banned C function rule

* Add guidance for InitializeSecurityContext rule

* Add guidance for PowerShell restricted function rule

* Add guidance for NOT implementing MD5/SHA1 rule

* Add guidance for objective-c format string rule

* Add guidance for memcpy rule

* Point C++ TLS version rule to existing guidance

* Point .NET outdated SSL rule to general guidance

* Add guidance for seeding RNG with time rule

* Add guidance for mcrypt rules

* Add guidance for debug rule

* Add guidance for iOS uniqueIdentifier rule

* Add guidance for obj-c xss rule

* Add guidance for eval XSS rule

* Add guidance for hardcoded secret rule

* Add guidance for C FILE copy rule

* Add guidance for PHP file include rule

* Add guidance for ASPNET Controller rule

* Add guidance for iOS NSUserDefaults rule

* Add guidance for hashing time rule

* Remove optional encryption rule (applies to unknown tech?)

* Add test condition that guidance must have content

* Update changelog for guidance changes

Author: danfiedler-msft

Changelog.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.38] - 2024-6-05
+### Incomplete Guidance
+Expanded content for rule guidance containing "TO DO"s.
+
 ## [1.0.37] - 2024-5-23
 ### Missing Guidance
 Added guidance for several rules such as weak hash algorithm, disabling certificate validation, and TLS client configuration.

DevSkim-DotNet/Microsoft.DevSkim.Tests/DefaultRulesTests.cs

@@ -148,7 +148,6 @@ public void Rule_guidance_file_should_be_specified_and_exist(DevSkimRule rule)
         Assert.IsTrue(File.Exists(guidanceFile), $"Guidance file {guidanceFile} does not exist.");
     }
 
-    [Ignore] // TODO: temporary to get missing guidance in.
     [TestMethod]
     [DynamicData(nameof(DefaultRules))]
     public void Rule_guidance_should_be_complete(DevSkimRule rule)
@@ -170,8 +169,12 @@ public void Rule_guidance_should_be_complete(DevSkimRule rule)
         }
 
         string guidance = File.ReadAllText(guidanceFile);
-        if(guidance.Contains("TODO", StringComparison.OrdinalIgnoreCase) 
-            || guidance.Contains("TO DO", StringComparison.OrdinalIgnoreCase))
+        bool hasContent = !string.IsNullOrEmpty(guidance);
+        Assert.IsTrue(hasContent, $"Guidance file {guidanceFile} is empty.");
+
+        if (rule.Id != "DS176209" && // "Suspicious comment" - a TODO comment
+            (guidance.Contains("TODO", StringComparison.OrdinalIgnoreCase)
+            || guidance.Contains("TO DO", StringComparison.OrdinalIgnoreCase)))
         {
             Assert.Fail($"Guidance file {guidanceFile} contains TODO.");
         }

guidance/DS101155.md

@@ -1,11 +1,23 @@
-## Initializing Security Context
+# Initializing Security Context
 
-### Summary
-SecurityContext initialization, look here for cryptography functions.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+The `InitializeSecurityContext` function was detected; its usage and surrounding code should be reviewed for security issues.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+The `InitializeSecurityContext` function is used to build a security context between the client application and a remote peer.
+A security context contains security data relevant to the connection (such as user identifiers or session key.)
+
+Proper initialization, usage, and cleanup of security contexts can be a complex process and mistakes can lead to security issues.
+See the [InitializeSecurityContext documentation](https://learn.microsoft.com/en-us/windows/win32/secauthn/initializesecuritycontext--general#remarks)
+for more guidance. In particular, use of cryptography in this area should be carefully reviewed for potential problems.
+
+## Severity Considerations
+
+Code including usage of the `InitializeSecurityContext` function should be very carefully reviewed
+by a security expert or cryptographer to identify security issues and understand the risks involved.
+
+## References
+
+* [Microsoft Learn: InitializeSecurityContext function](https://learn.microsoft.com/en-us/windows/win32/secauthn/initializesecuritycontext--general)

guidance/DS101159.md

@@ -1,11 +1,35 @@
-## Use of restricted functions.
+# Use of Restricted Functions
 
-### Summary
-Use of restricted functions.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* A restricted PowerShell function was detected.
+* Remove or replace usage of the restricted function if possible.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+Use of several different PowerShell functions open up applications to classes of vulnerabilities that would otherwise not normally occur.
+We refer to these functions as restricted functions.
+For example, `System.Runtime.InteropServices.Marshal` functions could be used to allocate memory in a way that an attacker could use to corrupt memory and potentially execute code.
+
+## Solution
+
+Replace usage of the restricted function with a conventional function if possible (for example, replace `Invoke-Command` or `Invoke-Expression` with `Start-Process`).
+
+## Severity Considerations
+
+Usage of restricted PowerShell functions should be very carefully reviewed
+by a security expert to identify security issues and understand the risks involved.
+
+## Restricted Function List
+
+* `GetDelegateForFunctionPointer`
+* `System.Runtime.InteropServices.Marshal`
+* `WriteByte`
+* `Microsoft.Win32.UnsafeNativeMethods`
+* `PtrToStructure`
+* `StructureToPtr`
+* `NtCreateThreadEx`
+* `CreateRemoteThread`
+* `Invoke-Command`
+* `Invoke-Expression`
+* `VirtualProtect`

guidance/DS104456.md

@@ -6,11 +6,11 @@ The DES cipher was found, which is widely considered to be broken.
 
 ## Details
 
-The [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard), or DES, 
+The [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard), or DES,
 is a symmetric block cipher created in the 1970s. It has since been broken and should not be used
 anywhere.
 
-In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), 
+In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard),
 or AES, algorithm, is preferred for all cases where symmetric encryption is needed.
 
 ### Solution

guidance/DS106864.md

@@ -1,11 +1,27 @@
-## Banned C function detected (strncat)
+# Banned C function detected (strncat)
 
-### Summary
-strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* Use of the `strncat` function to concatenate strings can lead to a buffer overrun vulnerability.
+* Resolve this issue by using secure versions such as `strncat_s` to help prevent buffer overruns.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+The `strncat` function does not check for sufficient space in the destination string which is a potential cause of buffer overruns.
+The `strncat` function appends characters to a string followed by the null terminator at character 'n + 1', rather than at the nth character.
+This behavior frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.
+
+## Solution
+
+Use secure versions such as `strncat_s` to help prevent buffer overruns.
+
+## Severity Considerations
+
+In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise.
+
+## References
+
+* [CodeQL: Potentially unsafe call to strncat](https://codeql.github.com/codeql-query-help/cpp/cpp-unsafe-strncat/)
+* [Microsoft Learn: strncat_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncat-s-strncat-s-l-wcsncat-s-wcsncat-s-l-mbsncat-s-mbsncat-s-l?view=msvc-170)
+* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns)
+* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)

guidance/DS108330.md

@@ -1,11 +1,25 @@
-## Do not use the 3DES symmetric block cipher.
+# Do not use the 3DES symmetric block cipher
 
-### Summary
-The 3DES cipher was found, which is only secure if three independent keys are used.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* The 3DES cipher was found which does not provide sufficient security.
+* Replace usage of 3DES with AES if possible.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+The [Data Encryption Standard](https://en.wikipedia.org/wiki/Triple_DES), or 3DES, is a symmetric block cipher created in the 1970s.
+TripleDES is broken due to its inadequate key size and [CVE-2016-2183](https://nvd.nist.gov/vuln/detail/CVE-2016-2183) and should not be used anywhere.
+
+## Severity Considerations
+
+Any use of the 3DES algorithm should be very carefully reviewed by a security expert or cryptographer to understand the risks involved.
+
+## Solution
+
+### .NET
+
+Use the following method: `System.Security.Cryptography.Aes.Create()`
+
+## References
+
+* [CodeQL: Use of a broken or risky cryptographic algorithm](https://codeql.github.com/codeql-query-help/cpp/cpp-weak-cryptographic-algorithm/)

guidance/DS109501.md

@@ -1,11 +1,30 @@
-## Source implementation of a weak/broken cryptography hash function
+# Source Implementation of a Weak/Broken Cryptographic Hash Function
 
-### Summary
-An implementation of a weak/broken hash function was found in source code.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* An implementation of a weak/broken hash function such as MD-5 or SHA-1 was found in source code.
+* Remove the implementation of the weak/broken hash function.
+* Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512).
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+### Custom Cryptographic Implementation
+
+Correct and secure implementation of cryptographic algorithms is very complex and difficult.
+Developers should always use well-vetted libraries for cryptographic operations rather than producing their own implementations of those functions.
+
+### Weak Hash Algorithms
+
+Hash collisions are computationally feasible for older, weak hash algorithms such as MD2, MD4, MD5, and SHA-1.
+A hash collision allows an attacker to substitute an alternative input that results in the same hash value.
+Collision attacks allow attackers to undermine the security of systems using an insecure hash algorithm (e.g., by forging digital signatures, concealing data tampering, or cracking passwords).
+
+## Severity Considerations
+
+Developers should almost never implement their own versions of cryptographic operations. Furthermore, weak hash algorithms should not be used, especially for security purposes.
+
+## Solution
+
+### .NET
+
+Replace usages of insecure hash algorithms with `System.Security.Cryptography.SHA512Cng`, `System.Security.Cryptography.SHA384Cng`, or `System.Security.Cryptography.SHA256Cng`.

guidance/DS109733.md

@@ -1,11 +1,26 @@
-## Banned C function detected (strncpy)
+# Banned C function detected (strncpy)
 
-### Summary
-strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* Use of the `strncpy` function to copy strings can lead to a buffer overrun vulnerability.
+* Resolve this issue by using secure versions such as `strncpy_s` to help prevent buffer overruns.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+The `strncpy` function does NOT check for sufficient space in the destination buffer which may lead to a buffer overrun vulnerability.
+The `strncpy` function is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.
+
+## Solution
+
+Use secure versions such as `strncpy_s` to help prevent buffer overruns.
+
+## Severity Considerations
+
+In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise.
+
+## References
+
+* [CodeQL: Potentially unsafe call to strncpy](https://codeql.github.com/codeql-query-help/cpp/cpp-bad-strncpy-size/)
+* [Microsoft Learn: strncpy_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170)
+* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns)
+* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)

guidance/DS111237.md

@@ -1,11 +1,24 @@
-## ProtectedData used without additional entropy
+# ProtectedData used without additional entropy
 
-### Summary
-The ProtectedData class should be used with additional entropy to reduce the risk of other application calling DPAPI to access the data.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+The DPAPI `ProtectedData.Protect` method should be used with additional entropy to reduce the risk of other applications accessing the data.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+The `ProtectedData.Protect` method's `optionalEntropy` parameter is an "optional additional byte array used to increase the complexity of the encryption."
+Depending on the value of the `scope` parameter, user data encrypted without entropy can be accessed:
+
+* **DataProtectionScope.CurrentUser**: by other threads or applications running under the current user.
+* **DataProtectionScope.LocalMachine**: by any process running on the computer.
+
+The `optionalEntropy` parameter should be set to a non-null value unique to your application.
+
+## Severity Considerations
+
+The severity of this finding should be increased if the underlying security
+context is highly sensitive or if the environment hosting the application has low trust.
+
+## References
+
+* [Microsoft Learn: How to: Use Data Protection](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection)

guidance/DS112266.md

@@ -22,10 +22,15 @@ Software with hardcoded cryptographic algorithms may require code changes in the
 * When `Switch.System.Net.DontEnableSchUseStrongCrypto` is `false`, the application will use more secure network protocols. Do not set `DontEnableSchUseStrongCrypto` to `true`.
 * When application code sets a value for `System.Net.ServicePointManager.SecurityProtocol`, the application will override the TLS protocol chosen by the operating system. This makes the application less crypto-agile and may make the application less secure. Do not set a value for `System.Net.ServicePointManager.SecurityProtocol` in application code.
 
+#### C++ (Schannel)
+
+* Ensure that you do not set `grbitEnabledProtocols` to anything but `0`. Setting this field to zero instructs the operating system to use its configured TLS version.
+
 ## References
 
 * [TLS Best Practices with .NET Framework](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls)
 * [Security Briefs - Cryptographic Agility](https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/august/cryptographic-agility)
 * [Microsoft SDL Cryptographic Recommendations](http://download.microsoft.com/download/6/3/A/63AFA3DF-BB84-4B38-8704-B27605B99DA7/Microsoft%20SDL%20Cryptographic%20Recommendations.pdf)
 * [SSL Labs: SSL and TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices)
 * [OWASP: Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html)
+* [Microsoft Learn: SCHANNEL_CRED structure](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred)

guidance/DS112835.md

@@ -1,11 +1,26 @@
-## Do not include user-input directly in format strings
+# Do Not Include User Input Directly in Format Strings
 
-### Summary
-Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* Do not create NSString objects using a user-provided format string, as this could lead to a vulnerability.
+* Either remove creation of the NSString object entirely or remove the user-provided format string from the NSString object.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+If an attacker is able to control a format string then the attacker may be able to execute arbitrary code,
+read data in memory, or crash the application. This is known as an uncontrolled format string vulnerability.
+Format string vulnerabilities commonly occur when a developer intends to output user-controlled data (to a screen, buffer, or file)
+but mistakenly outputs a buffer directly or treats user data as a format string.
+
+## Solution
+
+Either remove creation of the NSString object entirely or remove the user-provided format string from the NSString object.
+
+## Severity Considerations
+
+In the worst case, a format string vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise.
+
+## References
+
+* [SEI CERT C Coding Standard: FIO30-C. Exclude user input from format strings](https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings)
+* [CWE-134: Use of Externally-Controlled Format String](https://cwe.mitre.org/data/definitions/134.html)

guidance/DS113286.md

@@ -1,11 +1,24 @@
-## Problematic C function detected (memcpy)
+# Problematic C Function Detected (memcpy)
 
-### Summary
-There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternatives perform additional validation of the source and destination buffer.
+## Summary
 
-### Details
-TO DO - put more details of problem and solution here
+* Use of the `memcpy` function can lead to a buffer overrun vulnerability.
+* Resolve this issue by using secure versions such as `memcpy_s` to help prevent buffer overruns.
 
-### Severity Considerations
-TO DO - put more details on the severity of the issue here.  Generally how big of a problem is this, and what makes it more or less of a problem?
+## Details
 
+There are a number of conditions in which `memcpy` can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternatives perform additional validation of the source and destination buffer.
+
+## Solution
+
+Usages of `memcpy` should be replaced with more secure versions such as `memcpy_s` to help prevent buffer overruns.
+
+## Severity Considerations
+
+In the worst case, a buffer overrun vulnerability can provide an attacker the ability to execute arbitrary code leading to complete system compromise.
+
+## References
+
+* [Microsoft Learn: memcpy_s](https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/memcpy-s-wmemcpy-s?view=msvc-170)
+* [Avoiding Buffer Overruns](https://learn.microsoft.com/en-us/windows/win32/SecBP/avoiding-buffer-overruns)
+* [OWASP: Buffer Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)