Commit 01d7caa

ESS-ENNSakshis and Sakshis authored
Add YAML security rules and tests for tormysql empty/hardcoded creds (#165)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* python-tormysql-hardcoded-secret-python
* python-tormysql-empty-password-python
---------
Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 2ab03ac commit 01d7caa

6 files changed

+870
-0
lines changed
Lines changed: 313 additions & 0 deletions
@@ -0,0 +1,313 @@
1+
id: python-tormysql-empty-password-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287]: Improper Authentication
13+
[OWASP A07:2021]: Identification and Authentication Failures
14+
[REFERENCES]
15+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
16+
17+
ast-grep-essentials: true
18+
19+
utils:
20+
python-tormysql-hardcoded-secret:
21+
kind: call
22+
all:
23+
- has:
24+
kind: attribute
25+
all:
26+
- has:
27+
kind: identifier
28+
nthChild: 1
29+
regex: ^tormysql$
30+
- has:
31+
kind: identifier
32+
nthChild: 2
33+
regex: ^ConnectionPool$
34+
- has:
35+
kind: argument_list
36+
has:
37+
kind: keyword_argument
38+
all:
39+
- has:
40+
kind: identifier
41+
nthChild: 1
42+
regex: ^(password|passwd)$
43+
- has:
44+
kind: string
45+
not:
46+
has:
47+
kind: string_content
48+
49+
python-tormysql-hardcoded-secret_INSTANCE:
50+
kind: call
51+
all:
52+
- has:
53+
kind: attribute
54+
all:
55+
- has:
56+
kind: identifier
57+
nthChild: 1
58+
regex: ^tormysql$
59+
- has:
60+
kind: identifier
61+
nthChild: 2
62+
regex: ^ConnectionPool$
63+
- has:
64+
kind: argument_list
65+
has:
66+
kind: keyword_argument
67+
all:
68+
- has:
69+
kind: identifier
70+
nthChild: 1
71+
regex: ^(password|passwd)$
72+
- has:
73+
kind: identifier
74+
nthChild: 2
75+
pattern: $PASSWORD
76+
- any:
77+
- inside:
78+
stopBy: end
79+
follows:
80+
stopBy: end
81+
kind: expression_statement
82+
has:
83+
kind: assignment
84+
all:
85+
- has:
86+
kind: identifier
87+
nthChild: 1
88+
pattern: $PASSWORD
89+
- has:
90+
kind: string
91+
not:
92+
has:
93+
kind: string_content
94+
- follows:
95+
stopBy: end
96+
kind: expression_statement
97+
has:
98+
kind: assignment
99+
all:
100+
- has:
101+
kind: identifier
102+
nthChild: 1
103+
pattern: $PASSWORD
104+
- has:
105+
kind: string
106+
not:
107+
has:
108+
kind: string_content
109+
110+
ConnectionPool(password=""):
111+
kind: call
112+
all:
113+
- has:
114+
kind: identifier
115+
nthChild: 1
116+
regex: ^ConnectionPool$
117+
- has:
118+
kind: argument_list
119+
has:
120+
kind: keyword_argument
121+
all:
122+
- has:
123+
kind: identifier
124+
nthChild: 1
125+
regex: ^(password|passwd)$
126+
- has:
127+
kind: string
128+
not:
129+
has:
130+
kind: string_content
131+
- any:
132+
- inside:
133+
stopBy: end
134+
follows:
135+
stopBy: end
136+
kind: import_from_statement
137+
pattern: from tormysql import ConnectionPool
138+
- follows:
139+
stopBy: end
140+
kind: import_from_statement
141+
pattern: from tormysql import ConnectionPool
142+
143+
ConnectionPool(password="")_INSTANCE:
144+
kind: call
145+
all:
146+
- has:
147+
kind: identifier
148+
nthChild: 1
149+
regex: ^ConnectionPool$
150+
- has:
151+
kind: argument_list
152+
has:
153+
kind: keyword_argument
154+
all:
155+
- has:
156+
kind: identifier
157+
nthChild: 1
158+
regex: ^(password|passwd)$
159+
- has:
160+
kind: identifier
161+
nthChild: 2
162+
pattern: $PASSWORD
163+
- any:
164+
- inside:
165+
stopBy: end
166+
follows:
167+
stopBy: end
168+
kind: expression_statement
169+
has:
170+
kind: assignment
171+
all:
172+
- has:
173+
kind: identifier
174+
nthChild: 1
175+
pattern: $PASSWORD
176+
- has:
177+
kind: string
178+
not:
179+
has:
180+
kind: string_content
181+
- follows:
182+
stopBy: end
183+
kind: expression_statement
184+
has:
185+
kind: assignment
186+
all:
187+
- has:
188+
kind: identifier
189+
nthChild: 1
190+
pattern: $PASSWORD
191+
- has:
192+
kind: string
193+
not:
194+
has:
195+
kind: string_content
196+
- any:
197+
- inside:
198+
stopBy: end
199+
follows:
200+
stopBy: end
201+
kind: import_from_statement
202+
pattern: from tormysql import ConnectionPool
203+
- follows:
204+
stopBy: end
205+
kind: import_from_statement
206+
pattern: from tormysql import ConnectionPool
207+
208+
$VAR(password=""):
209+
kind: call
210+
all:
211+
- has:
212+
kind: identifier
213+
nthChild: 1
214+
pattern: $VAR
215+
- has:
216+
kind: argument_list
217+
has:
218+
kind: keyword_argument
219+
all:
220+
- has:
221+
kind: identifier
222+
nthChild: 1
223+
regex: ^(password|passwd)$
224+
- has:
225+
kind: string
226+
not:
227+
has:
228+
kind: string_content
229+
- any:
230+
- inside:
231+
stopBy: end
232+
follows:
233+
stopBy: end
234+
kind: import_from_statement
235+
pattern: from tormysql import ConnectionPool as $VAR
236+
- follows:
237+
stopBy: end
238+
kind: import_from_statement
239+
pattern: from tormysql import ConnectionPool as $VAR
240+
241+
$VAR(password="")_INSTANCE:
242+
kind: call
243+
all:
244+
- has:
245+
kind: identifier
246+
nthChild: 1
247+
pattern: $VAR
248+
- has:
249+
kind: argument_list
250+
has:
251+
kind: keyword_argument
252+
all:
253+
- has:
254+
kind: identifier
255+
nthChild: 1
256+
regex: ^(password|passwd)$
257+
- has:
258+
kind: identifier
259+
nthChild: 2
260+
pattern: $PASSWORD
261+
- any:
262+
- inside:
263+
stopBy: end
264+
follows:
265+
stopBy: end
266+
kind: expression_statement
267+
has:
268+
kind: assignment
269+
all:
270+
- has:
271+
kind: identifier
272+
nthChild: 1
273+
pattern: $PASSWORD
274+
- has:
275+
kind: string
276+
not:
277+
has:
278+
kind: string_content
279+
- follows:
280+
stopBy: end
281+
kind: expression_statement
282+
has:
283+
kind: assignment
284+
all:
285+
- has:
286+
kind: identifier
287+
nthChild: 1
288+
pattern: $PASSWORD
289+
- has:
290+
kind: string
291+
not:
292+
has:
293+
kind: string_content
294+
- any:
295+
- inside:
296+
stopBy: end
297+
follows:
298+
stopBy: end
299+
kind: import_from_statement
300+
pattern: from tormysql import ConnectionPool as $VAR
301+
- follows:
302+
stopBy: end
303+
kind: import_from_statement
304+
pattern: from tormysql import ConnectionPool as $VAR
305+
306+
rule:
307+
any:
308+
- matches: python-tormysql-hardcoded-secret
309+
- matches: python-tormysql-hardcoded-secret_INSTANCE
310+
- matches: ConnectionPool(password="")
311+
- matches: ConnectionPool(password="")_INSTANCE
312+
- matches: $VAR(password="")
313+
- matches: $VAR(password="")_INSTANCE
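Review bot: the `_INSTANCE` utils (`python-tormysql-hardcoded-secret_INSTANCE`, `ConnectionPool(password="")_INSTANCE`, `$VAR(password="")_INSTANCE`) accept any earlier `$PASSWORD = ""` assignment because the `follows` / `inside` + `follows` clauses use `stopBy: end` with no check that the name is still empty at the call site, so code that initialises `password = ""` and then reassigns it from an environment variable or vault before calling `ConnectionPool(password=password)` is still reported; either accept and document that false positive, or add a `not` clause that excludes cases where a later assignment to the same `$PASSWORD` pattern with a non-empty value sits between the empty assignment and the call. Two smaller points: the first two utils are named `python-tormysql-hardcoded-secret` / `…_INSTANCE` even though, like the rule id `python-tormysql-empty-password-python` and the `message`, they match only a `string` with no `string_content` (an empty literal), so renaming them to `python-tormysql-empty-password` / `…_INSTANCE` would avoid confusion with the separate hardcoded-secret rule listed in the commit title; and, unlike the four `ConnectionPool(...)` / `$VAR(...)` utils, the first two do not require a preceding `import tormysql`, which is worth a comment if the asymmetry is intentional.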
