gorilla-csrf-hardcoded-auth-key-go

ESS-ENN · ESS-ENN · commit 1162b6fbd93d · 2024-10-16T10:35:01.000+05:30
diff --git a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml
@@ -0,0 +1,65 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+language: go
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. It is
+  recommended to rotate the secret and retrieve them from a secure secret
+  vault or Hardware Security Module (HSM), alternatively environment
+  variables can be used if allowed by your company policy.
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+  MATCH_PATTERN_ONE:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: selector_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^csrf$"
+            - has:
+                stopBy: neighbor
+                kind: field_identifier
+                regex: "^Protect$"
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          any:
+            - has:
+                stopBy: neighbor
+                kind: type_conversion_expression
+                all:
+                  - has:
+                      stopBy: neighbor
+                      kind: slice_type
+                      has:
+                        stopBy: neighbor
+                        kind: type_identifier
+                        regex: "^byte$"
+                  - has:
+                      stopBy: neighbor
+                      kind: interpreted_string_literal
+            - has:
+                stopBy: neighbor
+                kind: interpreted_string_literal
+      - inside:
+          stopBy: end
+          kind: function_declaration
+          follows:
+            stopBy: end
+            kind: import_declaration
+            has:
+              stopBy: end
+              kind: import_spec
+              regex: "github.com/gorilla/csrf"
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_PATTERN_ONE
diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml
@@ -0,0 +1,66 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+snapshots:
+  ? |
+    import (
+    "github.com/gorilla/csrf"
+    )
+    func main() {
+     http.ListenAndServe(":8000",
+       csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+       }
+  : labels:
+    - source: csrf.Protect([]byte("32-byte-long-auth-key"))
+      style: primary
+      start: 84
+      end: 129
+    - source: csrf
+      style: secondary
+      start: 84
+      end: 88
+    - source: Protect
+      style: secondary
+      start: 89
+      end: 96
+    - source: csrf.Protect
+      style: secondary
+      start: 84
+      end: 96
+    - source: byte
+      style: secondary
+      start: 99
+      end: 103
+    - source: '[]byte'
+      style: secondary
+      start: 97
+      end: 103
+    - source: '"32-byte-long-auth-key"'
+      style: secondary
+      start: 104
+      end: 127
+    - source: '[]byte("32-byte-long-auth-key")'
+      style: secondary
+      start: 97
+      end: 128
+    - source: ([]byte("32-byte-long-auth-key"))
+      style: secondary
+      start: 96
+      end: 129
+    - source: '"github.com/gorilla/csrf"'
+      style: secondary
+      start: 9
+      end: 34
+    - source: |-
+        import (
+        "github.com/gorilla/csrf"
+        )
+      style: secondary
+      start: 0
+      end: 36
+    - source: |-
+        func main() {
+         http.ListenAndServe(":8000",
+           csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+           }
+      style: secondary
+      start: 37
+      end: 138
diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml
@@ -0,0 +1,19 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+valid:
+  - |
+    import (
+    "github.com/gorilla/csrf"
+    )
+    func main() {
+     http.ListenAndServe(":8000",
+       csrf.Protect([]byte(os.Getenv("CSRF_AUTH_KEY")))(r))
+       }
+invalid:
+  - |
+    import (
+    "github.com/gorilla/csrf"
+    )
+    func main() {
+     http.ListenAndServe(":8000",
+       csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+       }
