
pumasecurity / puma-scan


Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.

Home Page: https://www.pumascan.com

License: Mozilla Public License 2.0

C# 96.81% PowerShell 2.85% Dockerfile 0.08% Shell 0.26%

puma-scan's People

Contributors

aguggenberger, ejohn20, meadisu27, terribledev


puma-scan's Issues

Intermittent warning with Microsoft.Build.Engine, Version 14.0

Receive an intermittent warning that says: Analyzer assembly '\packages\Puma.Security.Rules.1.0.6\analyzers\dotnet\cs\Microsoft.Build.dll' depends on 'Microsoft.Build.Engine, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' but it was not found. Analyzers may not run correctly unless the missing assembly is added as an analyzer reference as well.

If I uninstall and re-install the nuget - it goes away temporarily. Any ideas?

Version 2.0: AD001 Error

Debugging the release 2.0 branch to benchmark findings across the old version versus the new version. Analyzers are failing to fire:

Warning AD0001 Analyzer 'Puma.Security.Rules.Suites.PathTamperingDiagnosticSuite' threw an exception of type 'System.ArgumentNullException' with message 'Value cannot be null.
Parameter name: syntax'

System.ArgumentNullException: Value cannot be null.
Parameter name: syntax
   at Microsoft.CodeAnalysis.CSharp.CSharpSemanticModel.CheckSyntaxNode(CSharpSyntaxNode syntax)
   at Microsoft.CodeAnalysis.CSharp.CSharpSemanticModel.GetSymbolInfo(ExpressionSyntax expression, CancellationToken cancellationToken)
   at Microsoft.CodeAnalysis.CSharp.CSharpExtensions.GetSymbolInfo(SemanticModel semanticModel, ExpressionSyntax expression, CancellationToken cancellationToken)
   at Puma.Security.Rules.Analyzer.Core.IdentifierNameSyntaxAnalyzer.CanIgnore(SemanticModel model, SyntaxNode syntax)
   at Puma.Security.Rules.Analyzer.Core.SyntaxNodeAnalyzer.CanIgnore(SemanticModel model, SyntaxNode syntax)
   at Puma.Security.Rules.Analyzer.Core.InvocationExpressionSyntaxAnalyzer.<>c__DisplayClass7_0.b__0(ArgumentSyntax p)
   at System.Linq.Enumerable.All[TSource](IEnumerable`1 source, Func`2 predicate)
   at Puma.Security.Rules.Analyzer.Core.InvocationExpressionSyntaxAnalyzer.CanSuppressArguments(SemanticModel model, ArgumentListSyntax argumentList)
   at Puma.Security.Rules.Analyzer.Core.InvocationExpressionSyntaxAnalyzer.CanSuppress(SemanticModel model, SyntaxNode syntax)
   at Puma.Security.Rules.Analyzer.Core.BaseCodeBlockAnalyzer.OnCompilationEnd(CompilationAnalysisContext pumaContext)
   at Puma.Security.Rules.Core.BaseSyntaxDiagnosticSuite.<>c__DisplayClass2_0.b__0(CompilationAnalysisContext context)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.b__36_1(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
'.

VB code scan

Hi,

Can Puma analyse a project which is written in VB?
I am using VS 2015.

First I wrote the code in C#, and the Puma scanner showed the vulnerability errors:

Severity Code Description Project File Line Suppression State
Warning SEC0110 Unvalidated redirect location is passed to the Response.Redirect method. Sample1 C:\Users\KDDuser\Desktop\Sample1\Sample1\Account\Register.aspx.cs 28 Active
Warning SEC0107 SQL Injection - ADO.NET method is passed a dynamic SQL statement. Sample1 C:\Users\KDDuser\Desktop\Sample1\Sample1\Register.aspx.cs 45 Active

When I wrote the code in VB, it did not show any vulnerability error.

So can you please confirm whether the Puma scanner will analyse VB code?

If yes, please let me know the steps to check why it is not scanning the VB code.

Thanks,
Hemanth.

Version 1.0.7 does not prompt any warnings

Hi,

I'm using Puma Scan Version 1.0.7 in VS 2015 mainly. It does not prompt any warnings in my error list panel. However, it prompted errors in VS 2017 when I was using version 2.0.0.1. It does not tally with VS 2015. Is it because version 1.0.7 is deprecated? If so, are there no fixes for it?

Thanks.

Rule Options Screen

Currently, the RuleOptions.cs file contains some hard-coded values that drive some of the rules (auth timeout, password complexity, etc.)

This needs to be editable via a configuration screen in IDE. Something like Tools > Options > Puma Scan > General. This could produce a ruleoptions.json file if we want it to.

For the NuGet package, this can be done via a ruleoptions.json file with the same configuration values.

Each rule should have an enabled / disabled flag that selects which rules run. Any rules that are taint oriented should have a list of vulnerable sinks and sources that can be configured within the rule, each one having its own enabled flag as well.

Set NuGet Package as DevelopmentDependency

The PumaScan NuGet package should set itself as a development dependency, as it is a dependency that is only useful for development and should not be required by other packages by default. This can be done by adding the following to the .nuspec file.

<developmentDependency>true</developmentDependency>

Validate Request Disabled

Check controllers, actions, and model properties for disabling validate request.

  1. Controllers / actions with [ValidateInput(false)]

  2. Model properties with [AllowHtml]

Either of those can indicate XSS bypass entry points that require additional validation...

Taint Analysis

Puma gives false positives at times. In the following example:

string sq = "select * from tab";
SqlCommand sqll = new SqlCommand(sq);
SqlDataAdapter sqa = new SqlDataAdapter(sqll);

I tried modifying the SqlCommandInjectionObjectCreationExpressionAnalyzer.cs for detecting and raising warnings if the first argument of SqlCommand and SqlDataAdapter are tainted. So if they are tainted, diagnostics are raised properly. String "sq" in this case is not tainted. But still diagnostics are raised for SqlDataAdapter.

.NET Core Scanning Support

Reconfigure the reference to the netstandard20 Roslyn / code analysis packages to support the traditional framework and .NET Core in Visual Studio.

Cross-Site Scripting

Base XSS rules:

Web forms:
Label.Text =
Literal.Text =
<%= %>
<%# %>

MVC:
@Html.Raw
@{ WriteLiteral(); }

XSS - HttpResponse.Write Sink

Add a new rule covering the HttpResponse.Write sink. Currently, this is not flagged as a potential XSS issue:

try
{
...
}
catch ( Exception ex )
{
response.Write( "" + ex.Message + "" );
}

Analyze Code via .NET Core Docker File

400+ errors when the project is opened in Visual Studio for Mac Preview 1. Looks like a lot of them have to do with Visual Studio integration, not Roslyn. Will try to go through them.

SEC0019 with global AutoValidateAntiforgeryTokenAttribute

A newer pattern exists for auto validating CSRF tokens in .NET Core to protect all endpoints through global filter configuration. Is there any pattern for detecting that this attribute is globally applied and disabling SEC0019? Potentially here SEC0019 could apply to the use of the ignore attribute.

Filters.Add(new AutoValidateAntiforgeryTokenAttribute());

AutoValidateAntiforgeryTokenAttribute can be applied as a global filter to trigger validation of antiforgery tokens by default for an application.

Also, we should call out the usage of IgnoreAntiforgeryTokenAttribute here.

Blog explaining the topic: https://andrewlock.net/automatically-validating-anti-forgery-tokens-in-asp-net-core-with-the-autovalidateantiforgerytokenattribute/

This would be dependent on .NET Core support #36
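The two patterns the issue describes side by side, as an added example that is not from the issue or the Puma Scan code base: the global filter registration that should satisfy SEC0019 for every unsafe-method action, and the per-action opt-out the rule should still report. The Startup and controller names are assumed.

```csharp
// Added example, not from the issue or Puma Scan. Global antiforgery filter
// (satisfies validation everywhere) beside the opt-out a rule should flag.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Global filter: every unsafe-method action (POST, PUT, PATCH, DELETE)
        // validates the antiforgery token without a per-action
        // [ValidateAntiForgeryToken]. A rule that sees this registration can
        // treat actions in this application as covered.
        services.AddMvc(options =>
        {
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
    }
}

public class PaymentsController : Controller
{
    // Covered by the global filter: no attribute needed here.
    [HttpPost]
    public IActionResult Transfer(decimal amount)
    {
        return Ok();
    }

    // Opt-out: this action skips token validation even with the global filter
    // in place, so it is the pattern SEC0019 should report instead.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook()
    {
        return Ok();
    }
}
```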

Path Tampering

Start with Mead's example from his code review in an MVC controller.

Other areas to look at: File.Read, File.Write, and maybe File.Exists?

VS2017: Hanging analysis on simple project

I have VS 2017 Community. I installed Puma Scan as an extension and also performed the NuGet command specified here (without this command analysis failed with CA0064: No analysis was performed because the specified rule set could not be loaded or did not contain any managed code analysis rules):
PM > Get-Project -All | Install-Package Puma.Security.Rules

Now the analysis is hanging (that is, not returning for 3+ hours) on a very simple project, WebGoat. Looking at task manager, I see csc.exe and devenv.exe taking ~25% each all the time.
I run analysis via Analyze -> Run Code Analysis on Solution. Without Puma (default rules only) this works fine.

Please let me know what other info I need to provide if any to troubleshoot this.

SEC109 False Positive

In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.

        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl); //this line is flagged with SEC109
        }

Disabling Certificate Validation

String url = "https://www.stackoverflow.com";
HttpWebRequest request = HttpWebRequest.CreateHttp(url);
request.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => { return true; };

OR

ServicePointManager.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;

OR

using (var handler = new WebRequestHandler())
{
    handler.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

    using (var client = new HttpClient(handler))
    {
    }
}

Eternal loop in GetParentLocalDeclarationStatement

It might be the cause of #39 because I found it running the same project.
There is no break at the end of while(true) in GetParentLocalDeclarationStatement as it is in SymbolInheritsFrom. This causes an eternal loop when an item is not null, not LocalDeclarationStatementSyntax and doesn't have a parent.

May I suggest also adding something similar to the snippet below to prevent it in the future:

var analyzeTask = AnalyzeAsync();
var timeoutTask = Task.Delay(10000);
var completedTask = await Task.WhenAny(analyzeTask, timeoutTask);
if (completedTask == timeoutTask)
    throw new TimeoutException();

Command Injection

Look for Process.Start commands that take in non-hard coded string values (could contain user supplied values).

LDAP Injection

Look for dynamic values being appended into LDAP filters or DNs. Examples below:

Filters:
DirectoryEntry.Filter =

OR

DNs:
DirectoryEntry de = new DirectoryEntry("LDAP://yourserver/CN=Users,dc=,dc=com");

SEC0027: Visual Studio 2015 Build Error

RE: Hkim

We were evaluating Puma.Security.Rules 1.0.6 against our old project and we are experiencing weird behavior. When you build, it says “build has started…” and just stays there… I was able to reconstruct this behavior and have created a console app to demonstrate this. Below is the snippet of code where this occurs.

I was expecting to see SEC0027 and SEC0029 warning messages but instead, it hangs during build and never finishes. Do you have any suggestions?

using System.Security.Cryptography;

class Program
{
    enum enuHashMethod : int
    {
        MD5 = 0,
        SHA1 = 1,
        SHA256 = 2,
        SHA384 = 3,
        SHA512 = 4
    }

    static void Main(string[] args)
    {
    }

    // Returns the hash implementation for the requested method; the MD5 and
    // SHA1 cases are the ones expected to raise SEC0027 / SEC0029.
    private static HashAlgorithm Algorithm(enuHashMethod hashMethod)
    {
        HashAlgorithm hashAlg = null;

        switch (hashMethod)
        {
            case enuHashMethod.MD5:
                hashAlg = new MD5CryptoServiceProvider();  // Build hangs… commenting out builds fine…
                break;
            case enuHashMethod.SHA1:
                hashAlg = new SHA1Managed();  // Build hangs… commenting out builds fine…
                break;
            case enuHashMethod.SHA256:
                hashAlg = new SHA256Managed();
                break;
            case enuHashMethod.SHA384:
                hashAlg = new SHA384Managed();
                break;
            case enuHashMethod.SHA512:
                hashAlg = new SHA512Managed();
                break;
        }
        return (hashAlg);
    }
}

MSBuild - Execute Rules

Research how to execute the Roslyn extension rules during MSBuild. This could be very useful during a CI pipeline for automating the scan, retrieving the results, and making a determination on failing the build.

Redirect: AuthZ Bypass

Great find by the @absoluteappsec folks. Flag redirects that pass false into the 2nd parameter. Redirects are typically used in older web forms projects for custom authorization. It's interesting that the documentation actually says to use "false" to improve performance.

Setting false will allow execution to continue after the redirect line is executed and responses will include the view's data. E.g. Redirect to login on an admin page that has sensitive info. Revealing additional admin endpoints, which can also be invoked if the same line exists in those admin endpoints.

https://docs.microsoft.com/en-us/dotnet/api/system.web.httpresponse.redirect?view=netframework-4.7.2
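The pattern described above in a Web Forms page, as an added example that is not from the issue or the Puma Scan code base: the first handler is the form the rule should flag, the second the corrected form. The page class, the Admin role, the login URL and the ReportLabel control are assumptions.

```csharp
// Added example, not from the issue or Puma Scan. Custom authorization via
// Response.Redirect in a Web Forms page: flagged pattern and corrected form.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class AdminReport : Page
{
    protected Label ReportLabel;   // assumed control declared in the .aspx markup

    // Flag this: with endResponse:false, Redirect returns and the rest of the
    // page lifecycle still runs, so the admin content is rendered into the body
    // of the 302 response. A client that ignores the Location header reads it.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            Response.Redirect("~/Account/Login", false);
            // no return: execution falls through to the sensitive rendering below
        }
        RenderAdminReport();
    }

    // Corrected: the single-argument overload (endResponse:true) ends the
    // response at once, so nothing below it executes for an unauthorized user.
    // The explicit return keeps the control flow obvious if the overload is
    // ever changed back to endResponse:false.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            Response.Redirect("~/Account/Login");
            return;
        }
        RenderAdminReport();
    }

    private void RenderAdminReport()
    {
        // Assumed admin-only content; the vulnerable handler leaks exactly this
        // kind of endpoint list to unauthorized users.
        ReportLabel.Text = "Admin endpoints: /Admin/Users, /Admin/Audit";
    }
}
```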

SEC0112 false positive

Any use of a variable in the File API appears to trigger this warning. The only way I can find to satisfy the analyzer is to use a hard coded string for the file path. Even the secure example code from the documentation triggers the warning:

[HttpPost]
public HttpResponseMessage Delete(Guid fileId)
{
    string path = Path.Combine(ConfigurationManager.AppSettings["DownloadPath"], fileId.ToString());
    File.Delete(path);
    return Request.CreateResponse(HttpStatusCode.OK);
}

Is the only way to prevent this warning hard-coding the path or manual suppression?

SEC0108 warning with recommended overload

The rule documentation for SEC0108 recommends...

To ensure calls to vulnerable EF methods are parameterized, pass parameters into the statement using the method’s second argument: params object[] parameters.

However the following code still causes a warning for usage of ExecuteSqlCommand and SqlQuery...

public void ExecuteProcedure(string procedureName, List<SqlParameter> parameters = null)
{
    var procedure = ParameterizeProcedure(procedureName, parameters);
    var boundParams = (parameters ?? new List<SqlParameter>()).ToArray();
    this.Database.ExecuteSqlCommand(procedure, boundParams);
}

public List<TReturn> ExecuteProcedure<TReturn>(string procedureName, List<SqlParameter> parameters = null)
    where TReturn : class
{
    var procedure = ParameterizeProcedure(procedureName, parameters);
    var boundParams = (parameters ?? new List<SqlParameter>()).ToArray();
    return this.Database.SqlQuery<TReturn>(procedure, boundParams).ToList();
}

Is this a bug or are we doing something wrong?

Support for running in CI?

VS extension is really nice, but it will be even better to run it in a CI. Is that possible or planned to be supported sometime in the future?

Crypto Rules

Weak Hash Algorithms: MD2, MD4 and MD5, SHA1

Weak Crypto Algorithm: DES

Static IV's

Hard-coded Keys

Weak Key Length: Blowfish (< 128), RSA (< 2048)

ECB Mode on a block cipher

Please update Puma.Security.Rules.csproj to reference latest version of Microsoft.Net.Compilers

Hi,

I am having issues compiling a Visual Studio 2015 solution I have with the project property "Treat warnings as errors" enabled using version 1.0.5 of Puma Security because it is referencing an old version of Microsoft.Net.Compilers. The error I am receiving is:
CSC error CS8032: An instance of analyzer Puma.Security.Rules.Suites.CertificateValidationDiagnosticSuite cannot be created from ...\packages\Puma.Security.Rules.1.0.5\analyzers\dotnet\cs\Puma.Security.Rules.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=1.3.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

Could you please provide a timeframe for when this could be addressed and fixed?

Thanks.

Rule Suppression Format

@joshbw proposed a standard format for suppressing false positives using commands on a line of code in our extension tools.

Fields proposed:

  • ToolName
  • Identifier (SEC###, DS###)
  • Comment
  • Expiration Date
  • Hash code
  • Author

What other fields would be helpful?

Format could be something simple:

  • //ToolName:Identifier:HashCode:Author:Comment:EndDate

Thoughts on the format?
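A parser and expiry check for the proposed comment format, as an added example that is not from the proposal or the Puma Scan code base. It assumes the field order given above, an ISO-8601 (yyyy-MM-dd) end date, and a hash of the code portion of the line (SHA-256, first 8 hex characters) so that editing the suppressed line re-surfaces the finding; the comment field cannot itself contain ':' in this layout.

```csharp
// Added example, not from the proposal or Puma Scan. Parses
// "//ToolName:Identifier:HashCode:Author:Comment:EndDate" and decides whether
// the suppression still applies. Date format and hash scheme are assumptions.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public sealed class Suppression
{
    public string ToolName { get; set; }
    public string Identifier { get; set; }   // e.g. SEC0107 or DS123
    public string HashCode { get; set; }     // hash of the suppressed code line
    public string Author { get; set; }
    public string Comment { get; set; }      // must not contain ':' in this layout
    public DateTime EndDate { get; set; }    // suppression is void after this date

    // Parses the trailing comment; returns null when it does not match the format.
    public static Suppression Parse(string comment)
    {
        if (comment == null || !comment.TrimStart().StartsWith("//")) return null;
        var parts = comment.TrimStart().Substring(2).Split(':');
        if (parts.Length != 6) return null;   // every field is mandatory

        DateTime endDate;
        if (!DateTime.TryParseExact(parts[5].Trim(), "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out endDate))
            return null;                      // unparseable expiry never suppresses

        return new Suppression
        {
            ToolName = parts[0].Trim(), Identifier = parts[1].Trim(),
            HashCode = parts[2].Trim(), Author = parts[3].Trim(),
            Comment = parts[4].Trim(), EndDate = endDate
        };
    }

    // Binds the suppression to the exact code it was written for (assumed:
    // SHA-256 of the trimmed code portion of the line, first 8 hex characters).
    public static string HashLine(string codePortionOfLine)
    {
        using (var sha = SHA256.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(codePortionOfLine.Trim()));
            return BitConverter.ToString(digest, 0, 4).Replace("-", "").ToLowerInvariant();
        }
    }

    // True only when tool, rule id and line hash all match and the expiry has
    // not passed; any mismatch means the finding is reported again.
    public bool Suppresses(string tool, string ruleId, string codePortionOfLine, DateTime today)
    {
        return string.Equals(ToolName, tool, StringComparison.OrdinalIgnoreCase)
            && string.Equals(Identifier, ruleId, StringComparison.OrdinalIgnoreCase)
            && HashCode == HashLine(codePortionOfLine)
            && today.Date <= EndDate.Date;
    }
}
```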

Identity Checks

Look for HttpOnly and Secure turned off in cookie auth mode.

Prevent SQL injection in queries with exec or execute

I'm developing a reporting web app with Visual Studio 2017. All my SQL queries are parameterized and work properly. The problem is in some queries that have an exec command, like in a procedure.

For example: instead of select * from tabla where id=@id I put exec('select * from tabla where id=@id')

The exec case doesn't work. The error message is:

Must declare the scalar variable ""@id""." & vbCrLf & "Must declare the scalar variable ""@id""."

Anyone knows a possible solution?

Thanks a lot!

Command line test runner - Support a well known report output format

Feature request to support a common test output format from the command line test runner.

  • JUnit
  • xUnit 2
  • NUnit 2
  • NUnit 3
  • Visual Studio Test Results (TRX)
  • FxCopReport format CodeAnalysisReport.xsl (c:\program files (x86)\microsoft visual studio\2017\enterprise\team tools\static analysis tools\fxcop\Xml\CodeAnalysisReport.xsl)

This would enable test results to be reported as part of VSTS Test dashboards using CI/CD Release Pipelines

Privacy Violation

Look for data (credit card number, SSN, etc.) being stored into a backend data store. Start with the database to begin with.

Refactor Analyzer Code Base

Refactor code base to use the new DataFlowAnalyzer, SemanticAnalyzer, ViewMarkupAnalyzer, and ConfigurationAnalyzer base classes. Add in the new code block analyzer feature to help reduce false positives.

New Rule: Cookie Security

Puma Scan didn’t detect missing HttpOnly and Secure flags here.

Secure settings are Secure = true, HttpOnly = true, and Expires can only be set to a past date.

```cs
HttpCookie CreateCookie(string value)
{
    var ck = new HttpCookie(COOKIE_NAME, value);
    if (string.IsNullOrWhiteSpace(value)) ck.Expires = DateTime.Now.AddYears(-1);
    return ck;
}
```

or

```cs
Response.SetCookie(new HttpCookie("sid", sid) { Expires = DateTime.Now.AddDays(1) });
```
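The weak construction from the issue beside a hardened one, plus a checker that applies the settings listed above, as an added example that is not from the issue or the Puma Scan code base. COOKIE_NAME, the cookie path and the one-day expiry are assumptions.

```csharp
// Added example, not from the issue or Puma Scan. Weak vs. hardened HttpCookie
// and a check that reports the settings the proposed rule would flag.
using System;
using System.Collections.Generic;
using System.Web;

public static class CookieFactory
{
    private const string COOKIE_NAME = "sid";   // assumed cookie name

    // Weak: neither Secure nor HttpOnly is set, so the cookie is sent over plain
    // HTTP and is readable from script; a future Expires also makes it persist
    // on disk. This is what the rule should flag.
    public static HttpCookie CreateWeak(string value)
    {
        var ck = new HttpCookie(COOKIE_NAME, value);
        ck.Expires = DateTime.Now.AddDays(1);
        return ck;
    }

    // Hardened: HTTPS-only, hidden from client-side script, non-persistent
    // (Expires left at its default), and Expires set to the past only to delete.
    public static HttpCookie CreateSecure(string value)
    {
        var ck = new HttpCookie(COOKIE_NAME, value)
        {
            Secure = true,     // only sent over HTTPS
            HttpOnly = true,   // not exposed to document.cookie
            Path = "/"         // assumed scope
        };
        if (string.IsNullOrWhiteSpace(value))
            ck.Expires = DateTime.Now.AddYears(-1);   // empty value: expire the cookie
        return ck;
    }

    // Checks a cookie against the rule described in the issue and returns the
    // violated settings (empty when compliant). HttpCookie.Expires defaults to
    // DateTime.MinValue for a non-persistent cookie.
    public static string[] Violations(HttpCookie ck)
    {
        var problems = new List<string>();
        if (!ck.Secure) problems.Add("Secure flag not set");
        if (!ck.HttpOnly) problems.Add("HttpOnly flag not set");
        if (ck.Expires != DateTime.MinValue && ck.Expires > DateTime.Now)
            problems.Add("Expires set to a future date (persistent cookie)");
        return problems.ToArray();
    }
}
```

Violations(CreateWeak("abc")) yields all three findings, while Violations(CreateSecure("abc")) and Violations(CreateSecure("")) yield none.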
