ci(security): add Semgrep XXE rule and CI scan job
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 3m3s
CI / fail2ban Regex (pull_request) Successful in 40s
CI / Semgrep Security Scan (pull_request) Successful in 1m11s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m1s
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 3m3s
CI / fail2ban Regex (pull_request) Successful in 40s
CI / Semgrep Security Scan (pull_request) Successful in 1m11s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m1s
Add .semgrep/security.yml with rules for DocumentBuilderFactory, SAXParserFactory, and XMLInputFactory without XXE hardening (CWE-611). Add semgrep-scan CI job — runs in parallel with backend-unit-tests, local rules only, --error flag fails the build on any match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
49
.semgrep/security.yml
Normal file
49
.semgrep/security.yml
Normal file
@@ -0,0 +1,49 @@
|
||||
# Semgrep security rules for Familienarchiv backend.
|
||||
# These rules catch the absence of XXE protection on XML parser factories.
|
||||
# CWE-611: Improper Restriction of XML External Entity Reference.
|
||||
# Run: semgrep --config .semgrep/security.yml --error backend/src/
|
||||
|
||||
rules:
|
||||
|
||||
# DocumentBuilderFactory without XXE hardening.
|
||||
# All call sites must call setFeature("…disallow-doctype-decl", true) before use.
|
||||
- id: dbf-xxe-default
|
||||
patterns:
|
||||
- pattern: $X = DocumentBuilderFactory.newInstance();
|
||||
- pattern-not-inside: |
|
||||
...
|
||||
$X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
...
|
||||
message: >
|
||||
DocumentBuilderFactory without XXE protection (CWE-611).
|
||||
Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance().
|
||||
languages: [java]
|
||||
severity: WARNING
|
||||
|
||||
# SAXParserFactory without XXE hardening.
|
||||
- id: sax-xxe-default
|
||||
patterns:
|
||||
- pattern: $X = SAXParserFactory.newInstance();
|
||||
- pattern-not-inside: |
|
||||
...
|
||||
$X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
...
|
||||
message: >
|
||||
SAXParserFactory without XXE protection (CWE-611).
|
||||
Apply disallow-doctype-decl and disable external entity features before use.
|
||||
languages: [java]
|
||||
severity: WARNING
|
||||
|
||||
# XMLInputFactory without XXE hardening (StAX parser).
|
||||
- id: stax-xxe-default
|
||||
patterns:
|
||||
- pattern: $X = XMLInputFactory.newInstance();
|
||||
- pattern-not-inside: |
|
||||
...
|
||||
$X.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||
...
|
||||
message: >
|
||||
XMLInputFactory without XXE protection (CWE-611).
|
||||
Set IS_SUPPORTING_EXTERNAL_ENTITIES to false and SUPPORT_DTD to false before use.
|
||||
languages: [java]
|
||||
severity: WARNING
|
||||
Reference in New Issue
Block a user