```yaml
rules:
  - id: potential-malicious-activity-execution-in-python-code
    patterns:
      - pattern-either:
          # Branch 1: a listed payload expression appears anywhere inside exec(...)
          - patterns:
              - pattern-inside: exec(...)
              - pattern-either:
                  - pattern: Fernet(...).decrypt(...)
                  - pattern: requests.$X
                  - pattern: __import__(...).$X
                  - pattern: bytes(...)
                  - pattern: bytes.$X
                  - pattern: base64.$X
          # Branch 2: the payload is first bound to a variable, then exec'd
          - patterns:
              - pattern: |
                  $PARAM = $PAYLOAD
                  ...
                  exec($PARAM)
              - metavariable-pattern:
                  metavariable: $PAYLOAD
                  pattern-either:
                    - pattern: Fernet(...).decrypt(...)
                    - pattern: requests.$X
                    - pattern: __import__(...).$X
                    - pattern: bytes(...)
                    - pattern: bytes.$X
          # Branch 3: exec of a string literal whose source starts with "\nimport
          - patterns:
              - pattern: exec($STR)
              - metavariable-regex:
                  metavariable: $STR
                  regex: ^["']+\\nimport
          # Branch 4: same literal, bound to a variable first
          - patterns:
              - pattern: |
                  $PARAM = $PAYLOAD
                  ...
                  exec($PARAM)
              - metavariable-regex:
                  metavariable: $PARAM
                  regex: ^["']+\\nimport
          # Branch 5: exec reached through an explicit builtins import
          - pattern: __import__("builtins").exec(...)
    message: A potential software supply chain security risk is detected. Such constructs can be used to compromise the software development and deployment pipeline, affecting not just a single application but potentially an entire ecosystem of applications that depend on compromised components. The distributed nature of software dependencies means that a single compromised component can pose a risk to any number of downstream projects.
    languages:
      - python
    severity: ERROR
    metadata:
      category: security
      references:
        - https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack
        - https://www.arnica.io/blog/malicious-code-campaign-on-github-repos
      subcategory:
        - vuln
      cwe:
        - "CWE 506: Embedded Malicious Code"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
```
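To make the five branches of the rule concrete without running Semgrep, the following is an added example (not the rule author's code and not Semgrep itself) that re-implements the same matching logic over Python's `ast` module and runs it against constructed sample modules. It approximates Semgrep in two places, both labelled in the code: the `$PARAM = $PAYLOAD ... exec($PARAM)` sequence is reduced to a module-wide "last assignment to that name" lookup, and the `metavariable-regex` on the source text `^["']+\\nimport` is checked on the parsed string value instead. The `scan` function, the `SAMPLES` inputs and all reason strings are this example's own inventions.

```python
"""Added example: an ast-based approximation of the Semgrep rule above.

Not Semgrep and not the rule author's code. The sample modules in SAMPLES
are constructed here purely to exercise each branch of the rule.
"""
import ast

# Roots the rule flags when an attribute is read off them inside exec(...):
# requests.$X, bytes.$X, base64.$X
PAYLOAD_ROOTS = {"requests", "bytes", "base64"}


def _is_call_to(node, name):
    """True if `node` is a call whose callee is the bare name `name`."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == name)


def _payload_reason(expr):
    """Branches 1 and 2: does `expr` contain one of the listed payload shapes
    anywhere inside it?  Returns a short reason string, or None."""
    for node in ast.walk(expr):
        if _is_call_to(node, "bytes"):                      # bytes(...)
            return "bytes(...)"
        if isinstance(node, ast.Attribute):
            if isinstance(node.value, ast.Name) and node.value.id in PAYLOAD_ROOTS:
                return f"{node.value.id}.{node.attr}"       # requests/bytes/base64.$X
            if _is_call_to(node.value, "__import__"):       # __import__(...).$X
                return f"__import__(...).{node.attr}"
            if node.attr == "decrypt" and _is_call_to(node.value, "Fernet"):
                return "Fernet(...).decrypt(...)"            # Fernet(...).decrypt(...)
    return None


def _starts_with_import(expr):
    """Branches 3 and 4.  The rule's regex runs on the *source text* of the
    literal (a quote, then the escape \\n, then `import`); here we check the
    parsed value instead, which is an approximation of that regex."""
    return (isinstance(expr, ast.Constant) and isinstance(expr.value, str)
            and expr.value.startswith("\nimport"))


def scan(source):
    """Return a sorted list of (lineno, reason) for each flagged exec-style call."""
    tree = ast.parse(source)
    # Approximation of `$PARAM = $PAYLOAD ... exec($PARAM)`: remember the last
    # single-name assignment anywhere in the module, regardless of scope/order.
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        # Branch 5: __import__("builtins").exec(...)
        if (isinstance(f, ast.Attribute) and f.attr == "exec"
                and _is_call_to(f.value, "__import__") and f.value.args
                and isinstance(f.value.args[0], ast.Constant)
                and f.value.args[0].value == "builtins"):
            findings.append((node.lineno, '__import__("builtins").exec(...)'))
            continue
        if not (isinstance(f, ast.Name) and f.id == "exec"):
            continue
        for arg in node.args:
            # Branches 2 and 4: resolve exec($PARAM) through the recorded assignment
            expr = assigned.get(arg.id, arg) if isinstance(arg, ast.Name) else arg
            reason = _payload_reason(expr)
            if reason is None and _starts_with_import(expr):
                reason = '"\\nimport" string literal'
            if reason:
                findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed inputs: each value is a tiny Python module given as a string.
SAMPLES = {
    "exec_base64": "import base64\nexec(base64.b64decode(blob))\n",
    "assigned_requests": ("import requests\nurl = 'https://example.invalid/x'\n"
                          "code = requests.get(url).text\nexec(code)\n"),
    "fernet": "from cryptography.fernet import Fernet\nexec(Fernet(key).decrypt(token))\n",
    "string_import": 'exec("\\nimport os\\nprint(1)")\n',
    "builtins_exec": '__import__("builtins").exec(src)\n',
    "benign": "import base64\ndata = base64.b64decode(blob)\nprint(len(data))\n",
    "benign_exec": 'exec("print(1)")\n',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {scan(src)}")
```

Note what the two approximations cost: because the assignment lookup is module-wide, this scanner will also flag `exec(code)` when `code` is reassigned to a harmless value before the call, whereas Semgrep's `...` only bridges statements within one sequence; and because the literal check looks at the parsed value, it would also match a literal written with a real newline rather than the `\n` escape the rule's regex requires. Both are in the direction of more findings, which is the usual trade-off for a rule like this one.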