Commit 125cecc

ESS-ENNSakshis and Sakshis authored
Add Security Rules for Database Connection Vulnerabilities in Ruby (#145)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* ruby-pg-empty-password-ruby
* ruby-pg-hardcoded-secret-ruby
* ruby-redis-empty-password-ruby
* ruby-redis-hardcoded-secret-ruby

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent b3c2260 commit 125cecc

12 files changed, +893 -0 lines changed
Lines changed: 159 additions & 0 deletions
@@ -0,0 +1,159 @@
1+
id: ruby-pg-empty-password-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
PG.connect(password:""):
20+
# PG.connect(..., password: "", ...)
21+
kind: call
22+
all:
23+
- has:
24+
stopBy: neighbor
25+
kind: constant
26+
regex: ^PG$
27+
- has:
28+
stopBy: neighbor
29+
regex: ^.$
30+
- has:
31+
stopBy: neighbor
32+
kind: identifier
33+
regex: ^connect$
34+
- has:
35+
stopBy: neighbor
36+
kind: argument_list
37+
has:
38+
stopBy: neighbor
39+
kind: pair
40+
all:
41+
- has:
42+
stopBy: neighbor
43+
any:
44+
- regex: ^password$
45+
not:
46+
precedes:
47+
regex: ^=>$
48+
- regex: ^:password$
49+
- has:
50+
stopBy: neighbor
51+
kind: string
52+
not:
53+
has:
54+
stopBy: neighbor
55+
kind: string_content
56+
PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""):
57+
# PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...)
58+
kind: call
59+
all:
60+
- has:
61+
stopBy: neighbor
62+
kind: constant
63+
regex: ^PG$
64+
- has:
65+
stopBy: neighbor
66+
regex: ^.$
67+
- has:
68+
stopBy: neighbor
69+
kind: identifier
70+
regex: ^connect$
71+
- has:
72+
stopBy: neighbor
73+
kind: argument_list
74+
has:
75+
stopBy: neighbor
76+
kind: string
77+
nthChild: 7
78+
not:
79+
has:
80+
stopBy: neighbor
81+
kind: string_content
82+
PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""):
83+
# PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...)
84+
kind: call
85+
all:
86+
- has:
87+
stopBy: neighbor
88+
kind: scope_resolution
89+
regex: ^PG::Connection$
90+
- has:
91+
stopBy: neighbor
92+
regex: ^.$
93+
- has:
94+
stopBy: neighbor
95+
kind: identifier
96+
regex: ^connect_start$|^new$
97+
- has:
98+
stopBy: neighbor
99+
kind: argument_list
100+
has:
101+
stopBy: neighbor
102+
kind: string
103+
nthChild: 7
104+
not:
105+
has:
106+
stopBy: neighbor
107+
kind: string_content
108+
PG::Connection.new(password:""):
109+
# PG::Connection.new(..., password: '', ...)
110+
kind: call
111+
all:
112+
- has:
113+
stopBy: neighbor
114+
kind: scope_resolution
115+
regex: ^PG::Connection$
116+
- has:
117+
stopBy: neighbor
118+
regex: ^.$
119+
- has:
120+
stopBy: neighbor
121+
kind: identifier
122+
regex: ^new$|^connect_start$
123+
- has:
124+
stopBy: neighbor
125+
kind: argument_list
126+
has:
127+
stopBy: neighbor
128+
kind: pair
129+
all:
130+
- has:
131+
stopBy: neighbor
132+
any:
133+
- regex: ^password$
134+
not:
135+
precedes:
136+
regex: ^=>$
137+
- regex: ^:password$
138+
- has:
139+
stopBy: neighbor
140+
kind: string
141+
not:
142+
has:
143+
stopBy: neighbor
144+
kind: string_content
145+
rule:
146+
kind: call
147+
any:
148+
- matches: PG.connect(password:"")
149+
- matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "")
150+
- matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "")
151+
- matches: PG::Connection.new(password:"")
152+
not:
153+
all:
154+
- has:
155+
stopBy: end
156+
kind: ERROR
157+
- inside:
158+
stopBy: end
159+
kind: ERROR
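Review bot: the positional utilities (`nthChild: 7` on a `string` with no `string_content`) and the keyword utilities only fire on a literal empty string (`""` / `''`); `password: nil` and URI-style connection strings with an empty password (`PG.connect("postgres://user:@host/db")`) go undetected, so an alternative branch for a `nil` literal would close the most common gap. The `PG::Connection` identifier regex `^connect_start$|^new$` also omits `PG::Connection.connect` and `PG::Connection.open`, which the pg gem documents as aliases of `new`. Note that this rule carries no `require "pg"` guard while the hardcoded-secret rule added in the same commit does; whichever policy is chosen should apply to both. Finally, the trailing `not: all: [has: ERROR, inside: ERROR]` only suppresses a match when the call both contains and sits inside an `ERROR` node; if the intent is to skip anything touching a parse error, that should be `not: any:`.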
Lines changed: 199 additions & 0 deletions
@@ -0,0 +1,199 @@
1+
id: ruby-pg-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
PG.connect(password:""):
19+
# PG::Connection.new(..., password: '', ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: constant
25+
regex: ^PG$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^connect$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: end
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
any:
43+
- regex: ^password$
44+
not:
45+
precedes:
46+
regex: ^=>$
47+
- regex: ^:password$
48+
- has:
49+
stopBy: neighbor
50+
kind: string
51+
has:
52+
stopBy: neighbor
53+
kind: string_content
54+
- any:
55+
- inside:
56+
stopBy: end
57+
follows:
58+
stopBy: end
59+
kind: call
60+
pattern: require "pg"
61+
- follows:
62+
stopBy: end
63+
kind: call
64+
pattern: require "pg"
65+
PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""):
66+
# PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...)
67+
kind: call
68+
all:
69+
- has:
70+
stopBy: neighbor
71+
kind: constant
72+
regex: ^PG$
73+
- has:
74+
stopBy: neighbor
75+
regex: ^.$
76+
- has:
77+
stopBy: neighbor
78+
kind: identifier
79+
regex: ^connect$
80+
- has:
81+
stopBy: neighbor
82+
kind: argument_list
83+
has:
84+
stopBy: neighbor
85+
kind: string
86+
nthChild: 7
87+
has:
88+
stopBy: neighbor
89+
kind: string_content
90+
- any:
91+
- inside:
92+
stopBy: end
93+
follows:
94+
stopBy: end
95+
kind: call
96+
pattern: require "pg"
97+
- follows:
98+
stopBy: end
99+
kind: call
100+
pattern: require "pg"
101+
PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""):
102+
# PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...)
103+
kind: call
104+
all:
105+
- has:
106+
stopBy: neighbor
107+
kind: scope_resolution
108+
regex: ^PG::Connection$
109+
- has:
110+
stopBy: neighbor
111+
regex: ^.$
112+
- has:
113+
stopBy: neighbor
114+
kind: identifier
115+
regex: ^connect_start$|^new$
116+
- has:
117+
stopBy: neighbor
118+
kind: argument_list
119+
has:
120+
stopBy: neighbor
121+
kind: string
122+
nthChild: 7
123+
has:
124+
stopBy: neighbor
125+
kind: string_content
126+
- any:
127+
- inside:
128+
stopBy: end
129+
follows:
130+
stopBy: end
131+
kind: call
132+
pattern: require "pg"
133+
- follows:
134+
stopBy: end
135+
kind: call
136+
pattern: require "pg"
137+
PG::Connection.new(password:""):
138+
# PG::Connection.new(..., password: '', ...)
139+
kind: call
140+
all:
141+
- has:
142+
stopBy: neighbor
143+
kind: scope_resolution
144+
regex: ^PG::Connection$
145+
- has:
146+
stopBy: neighbor
147+
regex: ^.$
148+
- has:
149+
stopBy: neighbor
150+
kind: identifier
151+
regex: ^new$|^connect_start$
152+
- has:
153+
stopBy: neighbor
154+
kind: argument_list
155+
has:
156+
stopBy: end
157+
kind: pair
158+
all:
159+
- has:
160+
stopBy: neighbor
161+
any:
162+
- regex: ^password$
163+
not:
164+
precedes:
165+
regex: ^=>$
166+
- regex: ^:password$
167+
- has:
168+
stopBy: neighbor
169+
kind: string
170+
has:
171+
stopBy: neighbor
172+
kind: string_content
173+
- any:
174+
- inside:
175+
stopBy: end
176+
follows:
177+
stopBy: end
178+
kind: call
179+
pattern: require "pg"
180+
- follows:
181+
stopBy: end
182+
kind: call
183+
pattern: require "pg"
184+
rule:
185+
kind: call
186+
any:
187+
- matches: PG.connect(password:"")
188+
- matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "")
189+
- matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "")
190+
- matches: PG::Connection.new(password:"")
191+
not:
192+
all:
193+
- has:
194+
stopBy: end
195+
kind: ERROR
196+
- inside:
197+
stopBy: end
198+
kind: ERROR
199+

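Review bot: the `require "pg"` guard attached to every utility (`- any: [inside ... follows ..., follows ...]` with `pattern: require "pg"`) will silence this rule in Bundler and Rails projects, where the gem is loaded by `Bundler.require` and no source file contains `require "pg"`; the single-quoted `require 'pg'` form also does not appear to be covered by a double-quoted pattern. Either drop the guard, as the empty-password rule in this commit does, or add the single-quoted variant. The utility names (`PG.connect(password:"")`, `PG::Connection.new(password:"")`) and the comment on line 19 (`# PG::Connection.new(..., password: '', ...)`) are copied from the empty-password rule and describe the opposite condition; rename them to something like `PG.connect(password:"$SECRET")` and fix the comments. Lastly, `kind: string` with `has: string_content` also matches strings that mix literal text with interpolation (for example `"pre#{ENV['DB_PASS']}"`), so a `not: has: { kind: interpolation }` guard would avoid flagging values that are actually read from the environment.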