
Commit 0ec72ac

ruby-mysql2-hardcoded-secret-ruby
1 parent 86b4d87 commit 0ec72ac

3 files changed

+443
-0
lines changed

Lines changed: 257 additions & 0 deletions
@@ -0,0 +1,257 @@
1+
id: ruby-mysql2-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
match_Mysql2:Client:
20+
kind: call
21+
all:
22+
- has:
23+
kind: scope_resolution
24+
all:
25+
- has:
26+
kind: constant
27+
field: scope
28+
regex: "^Mysql2$"
29+
- has:
30+
kind: constant
31+
field: name
32+
regex: "^Client$"
33+
- has:
34+
kind: identifier
35+
regex: "^new$"
36+
- has:
37+
kind: argument_list
38+
has:
39+
kind: pair
40+
all:
41+
- has:
42+
stopBy: end
43+
kind: hash_key_symbol
44+
regex: "^password$"
45+
- has:
46+
kind: string
47+
has:
48+
kind: string_content
49+
inside:
50+
stopBy: end
51+
follows:
52+
stopBy: end
53+
kind: call
54+
all:
55+
- has:
56+
kind: identifier
57+
regex: "^require$"
58+
- has:
59+
kind: argument_list
60+
has:
61+
kind: string
62+
has:
63+
kind: string_content
64+
regex: "^mysql2$"
65+
match_Mysql2:Client_with_identifier:
66+
kind: call
67+
all:
68+
- has:
69+
kind: scope_resolution
70+
all:
71+
- has:
72+
kind: constant
73+
field: scope
74+
regex: "^Mysql2$"
75+
- has:
76+
kind: constant
77+
field: name
78+
regex: "^Client$"
79+
- has:
80+
kind: identifier
81+
regex: "^new$"
82+
- has:
83+
kind: argument_list
84+
has:
85+
kind: pair
86+
all:
87+
- has:
88+
stopBy: end
89+
kind: hash_key_symbol
90+
regex: "^password$"
91+
- has:
92+
kind: identifier
93+
pattern: $A
94+
any:
95+
- inside:
96+
stopBy: end
97+
follows:
98+
stopBy: end
99+
kind: assignment
100+
all:
101+
- has:
102+
kind: identifier
103+
pattern: $A
104+
- has:
105+
kind: string
106+
has:
107+
kind: string_content
108+
follows:
109+
stopBy: end
110+
kind: call
111+
all:
112+
- has:
113+
kind: identifier
114+
regex: "^require$"
115+
- has:
116+
kind: argument_list
117+
has:
118+
kind: string
119+
has:
120+
kind: string_content
121+
regex: "^mysql2$"
122+
- follows:
123+
stopBy: end
124+
kind: assignment
125+
all:
126+
- has:
127+
kind: identifier
128+
pattern: $A
129+
- has:
130+
kind: string
131+
has:
132+
kind: string_content
133+
follows:
134+
stopBy: end
135+
kind: call
136+
all:
137+
- has:
138+
kind: identifier
139+
regex: "^require$"
140+
- has:
141+
kind: argument_list
142+
has:
143+
kind: string
144+
has:
145+
kind: string_content
146+
regex: "^mysql2$"
147+
148+
match_Mysql3:
149+
kind: call
150+
all:
151+
- has:
152+
kind: scope_resolution
153+
all:
154+
- has:
155+
kind: constant
156+
field: scope
157+
regex: "^Mysql2$"
158+
- has:
159+
kind: constant
160+
field: name
161+
regex: "^Client$"
162+
- has:
163+
kind: identifier
164+
regex: "^new$"
165+
- has:
166+
kind: argument_list
167+
has:
168+
kind: pair
169+
all:
170+
- has:
171+
stopBy: end
172+
kind: hash_key_symbol
173+
regex: "^password$"
174+
- has:
175+
kind: string
176+
has:
177+
kind: string_content
178+
follows:
179+
stopBy: end
180+
kind: call
181+
all:
182+
- has:
183+
kind: identifier
184+
regex: "^require$"
185+
- has:
186+
kind: argument_list
187+
has:
188+
kind: string
189+
has:
190+
kind: string_content
191+
regex: "^mysql2$"
192+
match_Mysql2:Client_with_identifier2:
193+
kind: call
194+
all:
195+
- has:
196+
kind: scope_resolution
197+
all:
198+
- has:
199+
kind: constant
200+
field: scope
201+
regex: "^Mysql2$"
202+
- has:
203+
kind: constant
204+
field: name
205+
regex: "^Client$"
206+
- has:
207+
kind: identifier
208+
regex: "^new$"
209+
- has:
210+
kind: argument_list
211+
has:
212+
kind: pair
213+
all:
214+
- has:
215+
kind: hash_key_symbol
216+
regex: "^password$"
217+
- has:
218+
kind: identifier
219+
pattern: $R
220+
follows:
221+
stopBy: end
222+
kind: assignment
223+
all:
224+
- has:
225+
kind: identifier
226+
pattern: $R
227+
- has:
228+
kind: string
229+
has:
230+
kind: string_content
231+
inside:
232+
stopBy: end
233+
kind: singleton_method
234+
inside:
235+
stopBy: end
236+
follows:
237+
stopBy: end
238+
kind: call
239+
all:
240+
- has:
241+
kind: identifier
242+
regex: "^require$"
243+
- has:
244+
kind: argument_list
245+
has:
246+
kind: string
247+
has:
248+
kind: string_content
249+
regex: "^mysql2$"
250+
251+
rule:
252+
any:
253+
- matches: match_Mysql2:Client
254+
- matches: match_Mysql3
255+
- matches: match_Mysql2:Client_with_identifier
256+
- matches: match_Mysql2:Client_with_identifier2
257+
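Review bot: `match_Mysql3` (lines 148-191 of the new file) is a near-duplicate of `match_Mysql2:Client` (lines 19-64) under a misleading name: both match `Mysql2::Client.new(..., password: "literal", ...)` preceded by `require "mysql2"`, the only difference being that `match_Mysql2:Client` wraps the `follows` in an `inside: stopBy: end` while `match_Mysql3` applies `follows` directly to the `string_content`. Since `rule` is an `any:` over all four utils, the overlap is harmless for results, but it doubles the maintenance surface and the name suggests a different library; either rename it to say what it covers (for example `match_Mysql2:Client_direct`) or fold it into `match_Mysql2:Client` with an `any:` over the two `follows` placements. Two smaller consistency points in the same spirit: `match_Mysql2:Client_with_identifier2` (line 215) omits the `stopBy: end` that the other three utils put before `kind: hash_key_symbol`, so the four variants do not traverse the `pair` identically; and every variant keys on `kind: hash_key_symbol` with `regex: "^password$"`, so a hash-rocket string key (`"password" => "..."`) is not matched at all, which is worth a comment in the rule or a fifth variant if that spelling is in scope. A short comment above `utils:` listing which call shape each util is meant to catch would make the intent reviewable without re-deriving it from the node kinds.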
