python-webrepl-hardcoded-secret-python

Sakshis · Sakshis · commit 0d5a1e25bf80 · 2024-12-12T08:50:13.000Z
diff --git a/rules/python/security/python-webrepl-hardcoded-secret-python.yml b/rules/python/security/python-webrepl-hardcoded-secret-python.yml
@@ -0,0 +1,111 @@
+id: python-webrepl-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  match_call:
+    kind: call
+    all:
+      - has:
+          stopBy: end
+          kind: attribute
+          field: function
+          all:
+            - has:
+                stopBy: end
+                kind: identifier
+                field: object
+                regex: "^webrepl$"
+            - has:
+                stopBy: end
+                kind: identifier
+                field: attribute
+                regex: "^start$"
+      - has:
+          stopBy: end
+          kind: argument_list
+          field: arguments
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+              - has:
+                  kind: identifier
+                  field: name
+                  regex: "^password$"
+              - has:
+                  kind: string
+                  field: value
+                  all:
+                    - has:
+                        kind: string_start
+                    - has:
+                        kind: string_content
+                    - has:
+                        kind: string_end
+    inside:
+      stopBy: end
+      kind: expression_statement
+  match_call_with_identifier:
+    kind: call
+    all:
+      - has:
+          stopBy: end
+          kind: attribute
+          field: function
+          all:
+            - has:
+                stopBy: end
+                kind: identifier
+                field: object
+                regex: "^webrepl$"
+            - has:
+                stopBy: end
+                kind: identifier
+                field: attribute
+                regex: "^start$"
+      - has:
+          stopBy: end
+          kind: argument_list
+          field: arguments
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+              - has:
+                  kind: identifier
+                  field: name
+                  regex: "^password$"
+              - has:
+                  kind: identifier
+                  field: value
+                  pattern: $PASS
+    inside:
+      stopBy: end
+      kind: expression_statement
+      follows:
+        stopBy: end
+        kind: expression_statement
+        has:
+          stopBy: end
+          kind: assignment
+          all:
+            - has:
+                kind: identifier
+                pattern: $PASS
+            - has:
+                kind: string
+rule:
+  any:
+    - matches: match_call
+    - matches: match_call_with_identifier
diff --git a/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,160 @@
+id: python-webrepl-hardcoded-secret-python
+snapshots:
+  ? |
+    PASSWORD2 = "hardcodedsecret"
+    webrepl.start(password=PASSWORD2)
+  : labels:
+    - source: webrepl.start(password=PASSWORD2)
+      style: primary
+      start: 30
+      end: 63
+    - source: webrepl
+      style: secondary
+      start: 30
+      end: 37
+    - source: start
+      style: secondary
+      start: 38
+      end: 43
+    - source: webrepl.start
+      style: secondary
+      start: 30
+      end: 43
+    - source: password
+      style: secondary
+      start: 44
+      end: 52
+    - source: PASSWORD2
+      style: secondary
+      start: 53
+      end: 62
+    - source: password=PASSWORD2
+      style: secondary
+      start: 44
+      end: 62
+    - source: (password=PASSWORD2)
+      style: secondary
+      start: 43
+      end: 63
+    - source: PASSWORD2
+      style: secondary
+      start: 0
+      end: 9
+    - source: '"hardcodedsecret"'
+      style: secondary
+      start: 12
+      end: 29
+    - source: PASSWORD2 = "hardcodedsecret"
+      style: secondary
+      start: 0
+      end: 29
+    - source: PASSWORD2 = "hardcodedsecret"
+      style: secondary
+      start: 0
+      end: 29
+    - source: webrepl.start(password=PASSWORD2)
+      style: secondary
+      start: 30
+      end: 63
+  ? |
+    webrepl.start(password="12345")
+  : labels:
+    - source: webrepl.start(password="12345")
+      style: primary
+      start: 0
+      end: 31
+    - source: webrepl
+      style: secondary
+      start: 0
+      end: 7
+    - source: start
+      style: secondary
+      start: 8
+      end: 13
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '"'
+      style: secondary
+      start: 23
+      end: 24
+    - source: '12345'
+      style: secondary
+      start: 24
+      end: 29
+    - source: '"'
+      style: secondary
+      start: 29
+      end: 30
+    - source: '"12345"'
+      style: secondary
+      start: 23
+      end: 30
+    - source: password="12345"
+      style: secondary
+      start: 14
+      end: 30
+    - source: (password="12345")
+      style: secondary
+      start: 13
+      end: 31
+    - source: webrepl.start(password="12345")
+      style: secondary
+      start: 0
+      end: 31
+  ? |
+    webrepl.start(password="mypassword")
+  : labels:
+    - source: webrepl.start(password="mypassword")
+      style: primary
+      start: 0
+      end: 36
+    - source: webrepl
+      style: secondary
+      start: 0
+      end: 7
+    - source: start
+      style: secondary
+      start: 8
+      end: 13
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '"'
+      style: secondary
+      start: 23
+      end: 24
+    - source: mypassword
+      style: secondary
+      start: 24
+      end: 34
+    - source: '"'
+      style: secondary
+      start: 34
+      end: 35
+    - source: '"mypassword"'
+      style: secondary
+      start: 23
+      end: 35
+    - source: password="mypassword"
+      style: secondary
+      start: 14
+      end: 35
+    - source: (password="mypassword")
+      style: secondary
+      start: 13
+      end: 36
+    - source: webrepl.start(password="mypassword")
+      style: secondary
+      start: 0
+      end: 36
diff --git a/tests/python/python-webrepl-hardcoded-secret-python-test.yml b/tests/python/python-webrepl-hardcoded-secret-python-test.yml
@@ -0,0 +1,12 @@
+id: python-webrepl-hardcoded-secret-python
+valid:
+  - |
+    webrepl.start(password=os.getenv('PASSWORD'))
+invalid:
+  - |
+    webrepl.start(password="mypassword")
+  - |
+    webrepl.start(password="12345")
+  - |
+    PASSWORD2 = "hardcodedsecret"
+    webrepl.start(password=PASSWORD2)
