Merge pull request #305 from DataDog/emilehugo.spir/shady-link-false-…

…positive Address some false positives with shady-links
DataDog · Feb 14, 2024 · d464501 · d464501
2 parents e44c6ad + b322b98
commit d464501
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -7,13 +7,20 @@ rules:
     patterns:
       # Semgrep not robust enough to ignore comments in lists
       - pattern-not-regex: \# .*
+      # Exclude local IPv4 sometimes used in tests
+      - pattern-not-regex: (http[s]?:\/\/[^/?#]*(?:192\.168|10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[0-1])|127\.\d{1,3})\.\d{1,3}\.\d{1,3})
       # TODO: make a rule for long comments
       - pattern-either:
           - pattern-regex: (http[s]?:\/\/bit\.ly.*)$
           - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream))$
           - pattern-regex: (http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
           - pattern-regex: (http[s]?:\/\/[^/?#]*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
           - pattern-regex: (http[s]?://[^\[/?#]*(?:\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\])
+    paths:
+      exclude:
+        - "*/test/*"
+        - "*/tests/*"
+        - "*/test_*"
     languages:
       - python
       - javascript

diff --git a/tests/analyzer/sourcecode/shady-links.py b/tests/analyzer/sourcecode/shady-links.py
@@ -19,8 +19,10 @@
 goodlink2 = "https://id.atlassian.com/login?continue=https%3A%2F%2Fstart.atlassian.com%2F&application=start"
 
 # ok: shady-links
-goodlink1 = "http://xn--n3h.net//"
+goodlink3 = "http://xn--n3h.net//"
 
+# ok: shady-links
+goodlink4 = "http://192.168.1.1/"
 
 """ OK: urls with free domain extensions in other parts of link
 """
@@ -68,7 +70,7 @@
 """
 
 # ruleid: shady-links
-req = urllib3.Request("https://127.0.0.1/foo.exe", headers={"User-Agent": os})
+req = urllib3.Request("https://128.0.0.1/foo.exe", headers={"User-Agent": os})
 
 # ruleid: shady-links
 req = urllib3.Request("https://[email protected]", headers={"User-Agent": os})
@@ -80,7 +82,7 @@
 req = urllib3.Request("https://[email protected]", headers={"User-Agent": os})
 
 # ruleid: shady-links
-req = urllib3.Request("https://root:pw@127.0.0.1", headers={"User-Agent": os})
+req = urllib3.Request("https://root:pw@128.0.0.1", headers={"User-Agent": os})
 
 """ RULEID: IPv6
 """