
Commit 1a39f83

ruby-cassandra-hardcoded-secret-ruby
1 parent 3867ff9 commit 1a39f83

2 files changed

+159
-0
lines changed

Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,147 @@
1+
id: ruby-cassandra-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Cassandra.cluster():
19+
# Cassandra.cluster(..., password: "", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: constant
25+
regex: ^Cassandra$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^cluster$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
any:
43+
- kind: hash_key_symbol
44+
regex: ^password$
45+
- kind: simple_symbol
46+
regex: ^:password$
47+
- has:
48+
stopBy: neighbor
49+
kind: string
50+
has:
51+
stopBy: neighbor
52+
kind: string_content
53+
- any:
54+
- inside:
55+
stopBy: end
56+
follows:
57+
stopBy: end
58+
kind: call
59+
pattern: require 'cassandra'
60+
- follows:
61+
stopBy: end
62+
kind: call
63+
pattern: require 'cassandra'
64+
65+
Cassandra.cluster()_Instance:
66+
# Cassandra.cluster(..., password: "", ...)
67+
kind: call
68+
all:
69+
- has:
70+
stopBy: neighbor
71+
kind: constant
72+
regex: ^Cassandra$
73+
- has:
74+
stopBy: neighbor
75+
regex: ^.$
76+
- has:
77+
stopBy: neighbor
78+
kind: identifier
79+
regex: ^cluster$
80+
- has:
81+
stopBy: neighbor
82+
kind: argument_list
83+
has:
84+
stopBy: neighbor
85+
kind: pair
86+
all:
87+
- has:
88+
stopBy: neighbor
89+
any:
90+
- kind: hash_key_symbol
91+
regex: ^password$
92+
- kind: simple_symbol
93+
regex: ^:password$
94+
- has:
95+
stopBy: neighbor
96+
kind: identifier
97+
pattern: $VAR
98+
- any:
99+
- inside:
100+
stopBy: end
101+
follows:
102+
stopBy: end
103+
kind: call
104+
pattern: require 'cassandra'
105+
- follows:
106+
stopBy: end
107+
kind: call
108+
pattern: require 'cassandra'
109+
- any:
110+
- follows:
111+
stopBy: end
112+
kind: assignment
113+
all:
114+
- has:
115+
kind: identifier
116+
pattern: $VAR
117+
- has:
118+
kind: string
119+
has:
120+
kind: string_content
121+
- inside:
122+
stopBy: end
123+
follows:
124+
stopBy: end
125+
kind: assignment
126+
all:
127+
- has:
128+
kind: identifier
129+
pattern: $VAR
130+
- has:
131+
kind: string
132+
has:
133+
kind: string_content
134+
rule:
135+
kind: call
136+
any:
137+
- matches: Cassandra.cluster()
138+
- matches: Cassandra.cluster()_Instance
139+
not:
140+
all:
141+
- has:
142+
stopBy: end
143+
kind: ERROR
144+
- inside:
145+
stopBy: end
146+
kind: ERROR
147+
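Review bot: the parse-error guard at rule lines 139-146 (`not: all: [has ERROR, inside ERROR]`) suppresses a match only when the call both contains an `ERROR` node and sits inside one; a call with just an `ERROR` child, or one nested under an `ERROR` without containing one, is still reported. If the intent is to skip any match that touches a parse error, `not: any:` is the condition that expresses it. Two smaller points in `utils`: the child matcher `has: stopBy: neighbor regex: ^.$` used for the method-call dot accepts any single-character child of the call node, so `regex: ^\.$` states the intent more precisely; and the value check `kind: string` with `has: kind: string_content` flags any string literal that carries literal text, so a constructed mixed literal such as `"#{ENV['CASSANDRA_PASSWORD']}-suffix"` is reported while a string built solely from interpolation (no `string_content` child) is not. If interpolated strings are meant to count as non-hard-coded, adding `not: has: kind: interpolation` on the string node would make that explicit rather than incidental.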
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
id: ruby-cassandra-hardcoded-secret-ruby
2+
valid:
3+
- |
4+
cluster = Cassandra.cluster(username: 'user',password: '')
5+
invalid:
6+
- |
7+
require 'cassandra'
8+
cluster = Cassandra.cluster( username: 'user',password: 'password')
9+
- |
10+
require 'cassandra'
11+
password = 'password'
12+
cluster = Cassandra.cluster( username: 'user',password: password)
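Review bot: the single `valid` case at test line 4 combines two reasons the rule would not fire (no `require 'cassandra'` precedes the call, and the password is the empty string `''`, which has no `string_content` child), so it passes whichever check does the work and never exercises the `require` guard on its own. Splitting it into separate cases, each with `require 'cassandra'` present, would pin down each branch: one with `password: ''`, one with `password: ENV['CASSANDRA_PASSWORD']`, and one where the variable is assigned from `ENV` before being passed (the non-literal path of the `Cassandra.cluster()_Instance` util). The latter two are exactly what the rule's message recommends, and nothing currently asserts they stay clean. Style nit: `Cassandra.cluster( username: 'user',password: 'password')` at test lines 8 and 12 has a stray space after the opening parenthesis and none after the comma.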
