Merge pull request #77 from EMSeek/master

wireghoul · web-flow · commit b80772075634 · 2025-04-20T13:45:43.000+10:00
Version bump
diff --git a/Changelog b/Changelog
@@ -1,3 +1,14 @@
+3.8		2025 Apr 20
+		Updated default rules
+		Updated js rules
+		Updated ruby rules
+		Updated fruit rules
+		Updated exec rules
+		Updated dotnet rules
+		Updated xss rules
+		Updated php rules
+		Updated secret rules
+
 3.7		2024 Dec 20
 		Updated javascript rules
 		Updated typescript rules
diff --git a/graudit b/graudit
@@ -5,7 +5,7 @@
 set -- $GRARGS $@
 set -e
 set -o pipefail
-VERSION='3.7'
+VERSION='3.8'
 basedir=$(dirname "$0")
 BINFILE=$(which grep)
 
@@ -44,7 +44,7 @@ banner() {
         \___  /|__|  (____  /____/\____ | |__||__|  
        /_____/            \/           \/           
               grep rough audit - static analysis tool
-                  v3.7 written by @Wireghoul
+                  v3.8 written by @Wireghoul
 =================================[justanotherhacker.com]==='
     fi
 }
diff --git a/signatures/default.db b/signatures/default.db
@@ -19,6 +19,7 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
+VALUES[[:space:]]*\([^\)]*\$.*\)
 ^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
diff --git a/signatures/dotnet.db b/signatures/dotnet.db
@@ -31,6 +31,7 @@ new[[:space:]]+(System\.Diagnostic\.)?Process(StartInfo)?[[:space:]]*\(.*
 new[[:space:]]+Cli[[:space:]]*\(.*
 # via Microsoft.VisualBasic
 \.Shell[[:space:]]*\(.*
+\.Invoke[[:space:]]*\([^\)]+\)
 <%=[[:space:]]*[Rr]equest\.[Qq]uery[Ss]tring\[.*%>
 #[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*\{[0-9]+\}
 [Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*[\'\"][[:space:]]*\+[[:space:]]*[Rr]equest\..*
diff --git a/signatures/dotnet/exec.db b/signatures/dotnet/exec.db
@@ -5,3 +5,4 @@ new[[:space:]]+(System\.Diagnostic\.)?Process(StartInfo)?[[:space:]]*\(.*
 new[[:space:]]+Cli[[:space:]]*\(.*
 # via Microsoft.VisualBasic
 \.Shell[[:space:]]*\(.*
+\.Invoke[[:space:]]*\([^\)]+\)
diff --git a/signatures/exec.db b/signatures/exec.db
@@ -5,6 +5,7 @@ new[[:space:]]+(System\.Diagnostic\.)?Process(StartInfo)?[[:space:]]*\(.*
 new[[:space:]]+Cli[[:space:]]*\(.*
 # via Microsoft.VisualBasic
 \.Shell[[:space:]]*\(.*
+\.Invoke[[:space:]]*\([^\)]+\)
 exec\.Command[[:space:]]*\(
 syscall\.Exec[[:space:]]*\(
 os\.StartProcess[[:space:]]*\(
@@ -31,11 +32,11 @@ system([[:space:]]*\(|[[:space:]]+[\"\']).*\)?
 \.instance_eval.*
 eval([[:space:]]*\(|[[:space:]]+[^\(])
 spawn([[:space:]]*\(|[[:space:]]+[^\(])
+system([[:space:]]*\(|[[:space:]]+").*\#\{[^\}]+\}
 system[[:space:]]*\(
 \.open[[:space:]]*\(
 \.(public_)?send[[:space:]]*\(
 `.*#\{[^`]+`
-File\.(read|new|open|delete)[[:space:]]*\(
 .*\=.*\!\!
 [a-z0-9A-Z]\.\!
 \.execSync[[:space:]]*\(
diff --git a/signatures/fruit.db b/signatures/fruit.db
@@ -50,8 +50,11 @@ eval[[:space:]]*\([^\)\;\"]*([Rr]eq(uest)?[\.\)]|\.[Gg]et[Pp]aram[[:space:]]*[\[
 (LIMIT|limit)[[:space:]]+([0-9,]+)?[;:space:]]*[\'\"][\'\"]?[[:space:]]*\+[[:space:]]*[^\"\']
 \.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
+eval[[:space:]]*\(.*[Rr]eq(quest)?\.(query|body|param)?
 <%-[[:space:]]+.*%>
 \.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
+set(Interval|Timeout)[[:space:]]*\([^,\}\)]*[Rr]eq(quest)?\.[A-Za-z0-9]+
+\.SafeString[[:space:]]*\([^\)]*[\"'][[:space:]]*\+
 asm[[:space:]]+[\'\"].*
 unsafeAddr
 execShellCmd[[:space:]]*\(
@@ -112,10 +115,18 @@ pg_query[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 (LIKE|like)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (LIMIT|limit)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
+VALUES[[:space:]]*\([^\)]*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 \.execute[[:space:]]*\([\"\'].*%.*[\"\'][[:space:]]*%.*\)
 ^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
 [=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
 render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
+File\.(read|new|open|delete|write)[[:space:]]*\("[^"]*\#\{[^\}]+[^\)]*\)
+['"(: ][Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*#\{[^\}]+
+(WHERE|where)[[:space:]]+.*=[[:space:]]*['"]*#\{[^\}]+
+[\'\" ]+AND[[:space:]]+.*=.*\+[[:space:]]*#\{[^\}]+
+(LIKE|like)[[:space:]]+.*#\{[^\}]+
+(ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*#\{[^\}]+
+['" ](LIMIT|limit)[[:space:]]+.*#\{[^\}]+
 Source\.fromFile[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 sql\".*\#\$.*\"\.as\[.*
 SQL[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
diff --git a/signatures/js.db b/signatures/js.db
@@ -1,4 +1,7 @@
 (document|\$)\.cookie[[:space:]]*\(
+[Mm][Dd]5[[:space:]]*\(
+[Ss][Hh][Aa]1[[:space:]]*\(
+createHash[[:space:]]*\([[:space:]]*['"]([Ss][Hh][Aa][1]?|[Mm][Dd][5])['"]
 \.write[[:space:]]*\([^;]+\.location\.href
 nodeIntegration
 nodeIntegrationInWorker
@@ -16,8 +19,11 @@ openExternal[[:space:]]*\(
 ELECTRON_RUN_AS_NODE
 \.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
+eval[[:space:]]*\(.*[Rr]eq(quest)?\.(query|body|param)?
 <%-[[:space:]]+.*%>
 \.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
+set(Interval|Timeout)[[:space:]]*\([^,\}\)]*[Rr]eq(quest)?\.[A-Za-z0-9]+
+\.SafeString[[:space:]]*\([^\)]*[\"'][[:space:]]*\+
 eval[[:space:]]*\(
 dangerouslySetInnerHTML
 trustAsHtml
diff --git a/signatures/js/crypto.db b/signatures/js/crypto.db
@@ -0,0 +1,3 @@
+[Mm][Dd]5[[:space:]]*\(
+[Ss][Hh][Aa]1[[:space:]]*\(
+createHash[[:space:]]*\([[:space:]]*['"]([Ss][Hh][Aa][1]?|[Mm][Dd][5])['"]
diff --git a/signatures/js/fruit.db b/signatures/js/fruit.db
@@ -1,4 +1,7 @@
 \.query\([^\);]*[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
 eval[[:space:]]*\([^\)\;]+[\'\"][[:space:]]*\+[[:space:]]*[^\'\"]+
+eval[[:space:]]*\(.*[Rr]eq(quest)?\.(query|body|param)?
 <%-[[:space:]]+.*%>
 \.(spawn|exec)(File)?(Sync)?\([^\);]*([\'\"] *\+|\$\{)
+set(Interval|Timeout)[[:space:]]*\([^,\}\)]*[Rr]eq(quest)?\.[A-Za-z0-9]+
+\.SafeString[[:space:]]*\([^\)]*[\"'][[:space:]]*\+
diff --git a/signatures/php.db b/signatures/php.db
@@ -50,6 +50,7 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
+VALUES[[:space:]]*\([^\)]*\$.*\)
 ^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
@@ -135,6 +136,7 @@ pg_query[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 (LIKE|like)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (LIMIT|limit)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
+VALUES[[:space:]]*\([^\)]*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 # PHP hash extension rules, helps to identify Hard-coded credentials/secret
 hash[[:space:]]*\(.*\)
 hash_init[[:space:]]*\(.*\)
diff --git a/signatures/php/default.db b/signatures/php/default.db
@@ -15,6 +15,7 @@ eval[[:space:]]*\(.*\$.*\)
 (mysql.?_|pg_|sqlsrv_|::)query[[:space:]]*\(.*\$.*\)
 [Ww][Hh][Ee][Rr][Ee][[:space:]]+.*=.*\$[^; ]+
 ([Ww][Hh][Ee][Rr][Ee]|[Aa][Nn][Dd]|[Oo][Rr])[[:space:]]+.*[[:space:]]+[Ll][Ii][Kk][Ee][[:space:]]+.*\$
+VALUES[[:space:]]*\([^\)]*\$.*\)
 ^[[:space:]]*(include|include_once|require|require_once)[[:space:]]*\([^\;\}\{]*\$.*\)
 print.*param[[:space:]]*\(.*\);
 extract[[:space:]]*\(\$_(GET|POST|REQUEST|COOKIE|SERVER)
diff --git a/signatures/php/fruit.db b/signatures/php/fruit.db
@@ -40,3 +40,4 @@ pg_query[[:space:]]*\(.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*
 (LIKE|like)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 (LIMIT|limit)[[:space:]]+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
+VALUES[[:space:]]*\([^\)]*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
diff --git a/signatures/ruby.db b/signatures/ruby.db
@@ -2,14 +2,23 @@
 \.instance_eval.*
 eval([[:space:]]*\(|[[:space:]]+[^\(])
 spawn([[:space:]]*\(|[[:space:]]+[^\(])
+system([[:space:]]*\(|[[:space:]]+").*\#\{[^\}]+\}
 system[[:space:]]*\(
 \.open[[:space:]]*\(
 \.(public_)?send[[:space:]]*\(
 `.*#\{[^`]+`
-File\.(read|new|open|delete)[[:space:]]*\(
+File\.(read|new|open|delete)[[:space:]]*\([^\)]+\)
+send_file([[:space:]]*\(|[[:space:]]+[^\(])
 ^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
 [=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
 render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
+File\.(read|new|open|delete|write)[[:space:]]*\("[^"]*\#\{[^\}]+[^\)]*\)
+['"(: ][Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*#\{[^\}]+
+(WHERE|where)[[:space:]]+.*=[[:space:]]*['"]*#\{[^\}]+
+[\'\" ]+AND[[:space:]]+.*=.*\+[[:space:]]*#\{[^\}]+
+(LIKE|like)[[:space:]]+.*#\{[^\}]+
+(ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*#\{[^\}]+
+['" ](LIMIT|limit)[[:space:]]+.*#\{[^\}]+
 # Ruby - Execution
 _send_[[:space:]]*\(
 __send__[[:space:]]*\(
@@ -35,3 +44,6 @@ new[[:space:]]*\(params\[:[a-zA-Z0-9_]+\]
 \.find_(or_(create|initialize)_)?by!?.*:
 I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
 render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
+render[[:space:]]+[^:]+:.*\#\{[^\}]+
+render.*params?\[
+<%=[[:space:]]*[Pp][Aa][Rr][Aa][Mm]
diff --git a/signatures/ruby/exec.db b/signatures/ruby/exec.db
@@ -1,8 +1,8 @@
 \.instance_eval.*
 eval([[:space:]]*\(|[[:space:]]+[^\(])
 spawn([[:space:]]*\(|[[:space:]]+[^\(])
+system([[:space:]]*\(|[[:space:]]+").*\#\{[^\}]+\}
 system[[:space:]]*\(
 \.open[[:space:]]*\(
 \.(public_)?send[[:space:]]*\(
 `.*#\{[^`]+`
-File\.(read|new|open|delete)[[:space:]]*\(
diff --git a/signatures/ruby/file.db b/signatures/ruby/file.db
@@ -0,0 +1,2 @@
+File\.(read|new|open|delete)[[:space:]]*\([^\)]+\)
+send_file([[:space:]]*\(|[[:space:]]+[^\(])
diff --git a/signatures/ruby/fruit.db b/signatures/ruby/fruit.db
@@ -1,3 +1,10 @@
 ^[[:space:]]*`[^`]*#\{[^\}]+\}.*`
 [=\(][[:space:]]*`[^`]*#\{[^\}]+.*\}
 render[[:space:]]+:?(text|plain):?.*#\{[Pp][Aa][Rr][Aa][Mm][^\}]*\}
+File\.(read|new|open|delete|write)[[:space:]]*\("[^"]*\#\{[^\}]+[^\)]*\)
+['"(: ][Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+.*#\{[^\}]+
+(WHERE|where)[[:space:]]+.*=[[:space:]]*['"]*#\{[^\}]+
+[\'\" ]+AND[[:space:]]+.*=.*\+[[:space:]]*#\{[^\}]+
+(LIKE|like)[[:space:]]+.*#\{[^\}]+
+(ORDER[[:space:]]+BY|order[[:space:]]+by)[[:space:]]+.*\+[[:space:]]*#\{[^\}]+
+['" ](LIMIT|limit)[[:space:]]+.*#\{[^\}]+
diff --git a/signatures/ruby/xss.db b/signatures/ruby/xss.db
@@ -1,2 +1,5 @@
 I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
 render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
+render[[:space:]]+[^:]+:.*\#\{[^\}]+
+render.*params?\[
+<%=[[:space:]]*[Pp][Aa][Rr][Aa][Mm]
diff --git a/signatures/secrets.db b/signatures/secrets.db
@@ -29,6 +29,7 @@ PHP_AUTH_(USER|PW).*[\!\=][\!\=].+
 [Dd][Bb][Cc]:.*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Pp][Ww][Dd])[[:space:]]*=[^;]+
 \.connect[[:space:]]*\(.*([Pp][Ww][Dd]|[Tt][Oo][Kk][Ee][Nn])=.*
 ://[^:/@;]+:[^:@/;]+@.*
+[Cc][Rr][Ee][Aa][Tt][Ee][[:space:]]+[Uu][Ss][Ee][Rr][[:space:]]+.*[Ii][Dd][Ee][Nn][Tt][Ii][Ff][Ii][Ee][Dd][[:space:]]+[Bb][Yy][[:space:]]+['"][^'"]+['"]
 mysqldump[[:space:]]+.*--password[= ].+
 curl[[:space:]]+.*-?-([UEu](ser)?[^:]+:[^ ]+|tlspassword .*|pass .*|cert *[^: ]+:[^ ]+)
 curl_setopt[[:space:]]*\(.*CURLOPT_USERPWD.*\)
diff --git a/signatures/xss.db b/signatures/xss.db
@@ -22,3 +22,6 @@ print_r([[:space:]]*\(|[[:space:]]+).*\)?\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SE
 \<[\?\%]\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
 I18n.t[[:space:]]*\(['"][^'"]+['"][[:space:]]*,[[:space:]]*query:[[:space:]]*@.*
 render[[:space:]]+:?(text|plain):?.*#\{[^\}]+\}
+render[[:space:]]+[^:]+:.*\#\{[^\}]+
+render.*params?\[
+<%=[[:space:]]*[Pp][Aa][Rr][Aa][Mm]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[Mm][Dd]5[[:space:]]*\(`
	`2`	`+[Ss][Hh][Aa]1[[:space:]]*\(`
	`3`	`+createHash[[:space:]]\([[:space:]]['"]([Ss][Hh][Aa][1]?\|[Mm][Dd][5])['"]`