coderabbitai
diff --git a/‎rules/python/security/python-mysqlclient-hardcoded-secret-python.yml
Lines changed: 200 additions & 0 deletions b/‎rules/python/security/python-mysqlclient-hardcoded-secret-python.yml
Lines changed: 200 additions & 0 deletions
@@ -0,0 +1,200 @@
+id: python-mysqlclient-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+    - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  define_string:
+    kind: string
+    all:
+      - has:
+          kind: string_start
+          nthChild: 1
+      - has:
+          kind: string_content
+          nthChild: 2
+      - has:
+          kind: string_end
+          nthChild: 3
+
+  define_password:
+    any:
+      - matches: define_string
+      - kind: identifier
+        pattern: $PWD_IDENTIFIER
+        inside:
+          stopBy: end
+          follows:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: end
+              kind: assignment
+              nthChild: 1
+              all:
+                - has:
+                    nthChild: 1
+                    kind: identifier
+                    field: left
+                    pattern: $PWD_IDENTIFIER
+                - has:
+                    nthChild: 2
+                    matches: define_string
+
+  keyword_argument_passwd:
+    kind: keyword_argument
+    all:
+      - has:
+          nthChild: 1
+          kind: identifier
+          field: name
+          regex: ^(passwd)$
+      - has:
+          nthChild: 2
+          matches: define_password
+
+  argument_list_util:
+    kind: argument_list
+    any:
+      - has:
+          matches: keyword_argument_passwd
+      - all:
+          - has:
+              nthChild:
+                position: 3
+                ofRule:
+                  not:
+                    kind: comment
+              matches: define_password
+          - not:
+              has:
+                matches: keyword_argument_passwd
+rule:
+  any:
+    # MySQLdb.$CONNECT
+    - kind: call
+      any:
+        - kind: call
+          has:
+            nthChild: 1
+            kind: attribute
+            all:
+              - has:
+                  nthChild: 1
+                  kind: identifier
+                  field: object
+                  regex: ^MySQLdb$
+              - has:
+                  nthChild: 2
+                  kind: identifier
+                  field: attribute
+                  pattern: $CONNECT
+            precedes:
+              matches: argument_list_util
+
+    # MySQLdb._mysql.$CONNECT
+    - kind: call
+      any:
+        - kind: call
+          has:
+            nthChild: 1
+            kind: attribute
+            all:
+              - has:
+                  nthChild: 1
+                  regex: ^MySQLdb._mysql$
+              - has:
+                  nthChild: 2
+                  kind: identifier
+                  field: attribute
+                  pattern: $CONNECT
+            precedes:
+              matches: argument_list_util
+    - kind: call
+      any:
+        - kind: call
+          has:
+            nthChild: 1
+            kind: attribute
+            all:
+              - has:
+                  nthChild: 1
+                  kind: identifier
+                  field: object
+                  regex: ^_mysql$
+              - has:
+                  nthChild: 2
+                  kind: identifier
+                  field: attribute
+                  pattern: $CONNECT
+            precedes:
+              matches: argument_list_util
+          inside:
+            stopBy: end
+            follows:
+              stopBy: end
+              kind: import_from_statement
+              has:
+                nthChild: 1
+                kind: dotted_name
+                field: module_name
+                regex: ^MySQLdb$
+                precedes:
+                  stopBy: end
+                  kind: dotted_name
+                  regex: ^(_mysql)$
+
+    - kind: call
+      any:
+        - kind: call
+          has:
+            nthChild: 1
+            kind: attribute
+            all:
+              - has:
+                  nthChild: 1
+                  kind: identifier
+                  field: object
+                  pattern: $MYSQL_ALIAS
+              - has:
+                  nthChild: 2
+                  kind: identifier
+                  field: attribute
+                  pattern: $CONNECT
+            precedes:
+              matches: argument_list_util
+          inside:
+            stopBy: end
+            follows:
+              stopBy: end
+              kind: import_from_statement
+              has:
+                nthChild: 1
+                kind: dotted_name
+                field: module_name
+                regex: ^MySQLdb$
+                precedes:
+                  stopBy: end
+                  kind: aliased_import
+                  all:
+                    - has:
+                        nthChild: 1
+                        kind: dotted_name
+                        field: name
+                        regex: ^_mysql$
+                    - has:
+                        nthChild: 2
+                        kind: identifier
+                        field: alias
+                        pattern: $MYSQL_ALIAS
+constraints:
+  CONNECT:
+    regex: ^(Connect|connect|Connection|connection)$