
Commit 0601dad

committed
ruby-excon-hardcoded-secret-ruby
1 parent b622bca commit 0601dad

5 files changed

+560
-0
lines changed
Lines changed: 242 additions & 0 deletions
@@ -0,0 +1,242 @@
1+
id: ruby-excon-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Excon.new(..., :password => "...", ...):
19+
# Excon.new(..., :password => "...", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: constant
25+
regex: ^Excon$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^new$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
kind: simple_symbol
43+
regex: ^:password$
44+
- has:
45+
stopBy: neighbor
46+
kind: string
47+
48+
- any:
49+
- inside:
50+
stopBy: end
51+
follows:
52+
stopBy: end
53+
kind: call
54+
pattern: require 'excon'
55+
- follows:
56+
stopBy: end
57+
kind: call
58+
pattern: require 'excon'
59+
60+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...):
61+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
62+
kind: call
63+
all:
64+
- has:
65+
stopBy: neighbor
66+
kind: constant
67+
regex: ^Excon$
68+
- has:
69+
stopBy: neighbor
70+
regex: ^.$
71+
- has:
72+
stopBy: neighbor
73+
kind: identifier
74+
regex: ^new$
75+
- has:
76+
stopBy: neighbor
77+
kind: argument_list
78+
has:
79+
stopBy: neighbor
80+
kind: pair
81+
all:
82+
- has:
83+
stopBy: neighbor
84+
kind: simple_symbol
85+
regex: ^:password$
86+
- has:
87+
stopBy: neighbor
88+
kind: call
89+
all:
90+
- has:
91+
stopBy: neighbor
92+
kind: scope_resolution
93+
regex: ^Excon::Utils$
94+
- has:
95+
stopBy: neighbor
96+
regex: ^.$
97+
- has:
98+
stopBy: neighbor
99+
kind: identifier
100+
regex: ^escape_uri$
101+
- has:
102+
stopBy: neighbor
103+
kind: argument_list
104+
has:
105+
stopBy: neighbor
106+
kind: string
107+
- any:
108+
- inside:
109+
stopBy: end
110+
follows:
111+
stopBy: end
112+
kind: call
113+
pattern: require 'excon'
114+
- follows:
115+
stopBy: end
116+
kind: call
117+
pattern: require 'excon'
118+
119+
Excon.new(..., :password => "...", ...)_instance:
120+
# Excon.new(..., :password => "...", ...)
121+
kind: call
122+
all:
123+
- has:
124+
stopBy: neighbor
125+
kind: constant
126+
regex: ^Excon$
127+
- has:
128+
stopBy: neighbor
129+
regex: ^.$
130+
- has:
131+
stopBy: neighbor
132+
kind: identifier
133+
regex: ^new$
134+
- has:
135+
stopBy: neighbor
136+
kind: argument_list
137+
has:
138+
stopBy: neighbor
139+
kind: pair
140+
all:
141+
- has:
142+
stopBy: neighbor
143+
kind: simple_symbol
144+
regex: ^:password$
145+
- has:
146+
stopBy: neighbor
147+
kind: identifier
148+
pattern: $VAR
149+
- any:
150+
- inside:
151+
stopBy: end
152+
follows:
153+
stopBy: end
154+
kind: call
155+
pattern: require 'excon'
156+
- follows:
157+
stopBy: end
158+
kind: call
159+
pattern: require 'excon'
160+
- any:
161+
- inside:
162+
stopBy: end
163+
follows:
164+
stopBy: end
165+
kind: assignment
166+
all:
167+
- has:
168+
kind: identifier
169+
pattern: $VAR
170+
- has:
171+
kind: string
172+
173+
174+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance:
175+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
176+
kind: call
177+
all:
178+
- has:
179+
stopBy: neighbor
180+
kind: constant
181+
regex: ^Excon$
182+
- has:
183+
stopBy: neighbor
184+
regex: ^.$
185+
- has:
186+
stopBy: neighbor
187+
kind: identifier
188+
regex: ^new$
189+
- has:
190+
stopBy: neighbor
191+
kind: argument_list
192+
has:
193+
stopBy: neighbor
194+
kind: pair
195+
all:
196+
- has:
197+
stopBy: neighbor
198+
kind: simple_symbol
199+
regex: ^:password$
200+
- has:
201+
kind: identifier
202+
pattern: $VAR
203+
- any:
204+
- inside:
205+
stopBy: end
206+
follows:
207+
stopBy: end
208+
kind: assignment
209+
pattern: $VAR = Excon::Utils.escape_uri('$$$')
210+
- follows:
211+
stopBy: end
212+
kind: assignment
213+
pattern: $VAR = Excon::Utils.escape_uri('$$$')
214+
- any:
215+
- inside:
216+
stopBy: end
217+
follows:
218+
stopBy: end
219+
kind: call
220+
pattern: require 'excon'
221+
- follows:
222+
stopBy: end
223+
kind: call
224+
pattern: require 'excon'
225+
226+
rule:
227+
kind: call
228+
any:
229+
- matches: Excon.new(..., :password => "...", ...)
230+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
231+
232+
- matches: Excon.new(..., :password => "...", ...)_instance
233+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance
234+
all:
235+
- not:
236+
has:
237+
stopBy: end
238+
kind: ERROR
239+
- not:
240+
inside:
241+
stopBy: end
242+
kind: ERROR
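Review bot: The value check at diff lines 46 and 106 (`kind: string`) also accepts a string that contains interpolation, so `Excon.new(url, :password => "#{ENV['EXCON_PASSWORD']}")` — a secret correctly sourced from the environment — would be reported as hard-coded; guarding it with `not: {has: {kind: interpolation}}` should fix that, assuming tree-sitter-ruby exposes `interpolation` as a named child of `string` (I believe it does, but verify with `ast-grep run --debug-query`). Separately, the key check at lines 42–43 (and again at 84–85, 143–144, 198–199) only accepts a `simple_symbol` matching `^:password$`, i.e. the rocket form `:password => ...`; if I read the Ruby grammar right, the shorthand `password: "..."` — the spelling the cassandra snapshot in this same commit uses — parses its key as `hash_key_symbol`, so the more common modern form would be missed entirely. Both fixes for the first util look like the excerpt below; the other three utils need the same edit to their `pair` sub-rule.
```yaml
        kind: pair
        all:
          - has:
              stopBy: neighbor
              any:
                - kind: simple_symbol
                  regex: ^:password$
                - kind: hash_key_symbol
                  regex: ^password$
          - has:
              stopBy: neighbor
              kind: string
              not:
                has:
                  kind: interpolation
# … unchanged: Excon constant / "." / new identifier checks and the require 'excon' follows clause …
```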
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: insecure-binaryformatter-deserialization-csharp
2+
snapshots:
3+
? "using System.Runtime.Serialization.Formatters.Binary; \nnamespace InsecureDeserialization\n{\n public class InsecureBinaryFormatterDeserialization\n {\n public void BinaryFormatterDeserialization(string json)\n {\n try\n {\n BinaryFormatter binaryFormatter = new BinaryFormatter();\n\n MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));\n binaryFormatter.Deserialize(memoryStream);\n memoryStream.Close();\n }\n catch (Exception e)\n {\n Console.WriteLine(e);\n }\n }\n}\n}\n"
4+
: labels:
5+
- source: new BinaryFormatter()
6+
style: primary
7+
start: 281
8+
end: 302
9+
- source: using System.Runtime.Serialization.Formatters.Binary;
10+
style: secondary
11+
start: 0
12+
end: 53
13+
- source: using System.Runtime.Serialization.Formatters.Binary;
14+
style: secondary
15+
start: 0
16+
end: 53
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
id: ruby-cassandra-hardcoded-secret-ruby
2+
snapshots:
3+
? |
4+
require 'cassandra'
5+
cluster = Cassandra.cluster( username: 'user',password: 'password')
6+
: labels:
7+
- source: 'Cassandra.cluster( username: ''user'',password: ''password'')'
8+
style: primary
9+
start: 30
10+
end: 87
11+
- source: Cassandra
12+
style: secondary
13+
start: 30
14+
end: 39
15+
- source: .
16+
style: secondary
17+
start: 39
18+
end: 40
19+
- source: cluster
20+
style: secondary
21+
start: 40
22+
end: 47
23+
- source: password
24+
style: secondary
25+
start: 66
26+
end: 74
27+
- source: password
28+
style: secondary
29+
start: 77
30+
end: 85
31+
- source: '''password'''
32+
style: secondary
33+
start: 76
34+
end: 86
35+
- source: 'password: ''password'''
36+
style: secondary
37+
start: 66
38+
end: 86
39+
- source: '( username: ''user'',password: ''password'')'
40+
style: secondary
41+
start: 47
42+
end: 87
43+
- source: require 'cassandra'
44+
style: secondary
45+
start: 0
46+
end: 19
47+
- source: require 'cassandra'
48+
style: secondary
49+
start: 0
50+
end: 19
51+
? |
52+
require 'cassandra'
53+
password = 'password'
54+
cluster = Cassandra.cluster( username: 'user',password: password)
55+
: labels:
56+
- source: 'Cassandra.cluster( username: ''user'',password: password)'
57+
style: primary
58+
start: 52
59+
end: 107
60+
- source: Cassandra
61+
style: secondary
62+
start: 52
63+
end: 61
64+
- source: .
65+
style: secondary
66+
start: 61
67+
end: 62
68+
- source: cluster
69+
style: secondary
70+
start: 62
71+
end: 69
72+
- source: password
73+
style: secondary
74+
start: 88
75+
end: 96
76+
- source: password
77+
style: secondary
78+
start: 98
79+
end: 106
80+
- source: 'password: password'
81+
style: secondary
82+
start: 88
83+
end: 106
84+
- source: '( username: ''user'',password: password)'
85+
style: secondary
86+
start: 69
87+
end: 107
88+
- source: require 'cassandra'
89+
style: secondary
90+
start: 0
91+
end: 19
92+
- source: require 'cassandra'
93+
style: secondary
94+
start: 0
95+
end: 19
96+
- source: password
97+
style: secondary
98+
start: 20
99+
end: 28
100+
- source: password
101+
style: secondary
102+
start: 32
103+
end: 40
104+
- source: '''password'''
105+
style: secondary
106+
start: 31
107+
end: 41
108+
- source: password = 'password'
109+
style: secondary
110+
start: 20
111+
end: 41
112+
- source: password = 'password'
113+
style: secondary
114+
start: 20
115+
end: 41
