File tree 3 files changed +237
-0
lines changed
3 files changed +237
-0
lines changed Original file line number Diff line number Diff line change 1+ id : python-webrepl-empty-password-python
2+ language : python
3+ severity : warning
4+ message : >-
5+ The application creates a database connection with an empty password.
6+ This can lead to unauthorized access by either an internal or external
7+ malicious actor. To prevent this vulnerability, enforce authentication
8+ when connecting to a database by using environment variables to securely
9+ provide credentials or retrieving them from a secure vault or HSM
10+ (Hardware Security Module).
11+ note : >-
12+ [CWE-287]: Improper Authentication
13+ [OWASP A07:2021]: Identification and Authentication Failures
14+ [REFERENCES]
15+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
16+ utils :
17+ match_call :
18+ kind : call
19+ all :
20+ - has :
21+ kind : attribute
22+ all :
23+ - has :
24+ kind : identifier
25+ field : object
26+ regex : " ^webrepl$"
27+ - has :
28+ kind : identifier
29+ field : attribute
30+ regex : " ^start$"
31+ - has :
32+ kind : argument_list
33+ has :
34+ kind : keyword_argument
35+ all :
36+ - has :
37+ kind : identifier
38+ field : name
39+ regex : " ^password$"
40+ - has :
41+ kind : string
42+ field : value
43+ all :
44+ - has :
45+ kind : string_start
46+ - has :
47+ kind : string_end
48+ inside :
49+ stopBy : end
50+ kind : expression_statement
51+ match_call_with_identifier :
52+ kind : call
53+ all :
54+ - has :
55+ stopBy : end
56+ kind : attribute
57+ field : function
58+ all :
59+ - has :
60+ stopBy : end
61+ kind : identifier
62+ field : object
63+ regex : " ^webrepl$"
64+ - has :
65+ stopBy : end
66+ kind : identifier
67+ field : attribute
68+ regex : " ^start$"
69+ - has :
70+ stopBy : end
71+ kind : argument_list
72+ field : arguments
73+ has :
74+ stopBy : end
75+ kind : keyword_argument
76+ all :
77+ - has :
78+ stopBy : end
79+ kind : identifier
80+ field : name
81+ regex : " ^password$"
82+ - has :
83+ stopBy : end
84+ kind : identifier
85+ field : value
86+ pattern : $PASS
87+ inside :
88+ stopBy : end
89+ kind : expression_statement
90+ follows :
91+ stopBy : end
92+ kind : expression_statement
93+ has :
94+ stopBy : end
95+ kind : assignment
96+ all :
97+ - has :
98+ kind : identifier
99+ pattern : $PASS
100+ - has :
101+ kind : string
102+ all :
103+ - has :
104+ kind : string_start
105+ not :
106+ precedes :
107+ kind : string_content
108+ - has :
109+ kind : string_end
110+ rule :
111+ any :
112+ - matches : match_call
113+ - matches : match_call_with_identifier
Original file line number Diff line number Diff line change 1+ id : python-webrepl-empty-password-python
2+ snapshots :
3+ ? |
4+ EMPTY_PASSWORD = ""
5+ webrepl.start(password=EMPTY_PASSWORD)
6+ : labels :
7+ - source : webrepl.start(password=EMPTY_PASSWORD)
8+ style : primary
9+ start : 20
10+ end : 58
11+ - source : webrepl
12+ style : secondary
13+ start : 20
14+ end : 27
15+ - source : start
16+ style : secondary
17+ start : 28
18+ end : 33
19+ - source : webrepl.start
20+ style : secondary
21+ start : 20
22+ end : 33
23+ - source : password
24+ style : secondary
25+ start : 34
26+ end : 42
27+ - source : EMPTY_PASSWORD
28+ style : secondary
29+ start : 43
30+ end : 57
31+ - source : password=EMPTY_PASSWORD
32+ style : secondary
33+ start : 34
34+ end : 57
35+ - source : (password=EMPTY_PASSWORD)
36+ style : secondary
37+ start : 33
38+ end : 58
39+ - source : EMPTY_PASSWORD
40+ style : secondary
41+ start : 0
42+ end : 14
43+ - source : ' "'
44+ style : secondary
45+ start : 17
46+ end : 18
47+ - source : ' "'
48+ style : secondary
49+ start : 18
50+ end : 19
51+ - source : ' ""'
52+ style : secondary
53+ start : 17
54+ end : 19
55+ - source : EMPTY_PASSWORD = ""
56+ style : secondary
57+ start : 0
58+ end : 19
59+ - source : EMPTY_PASSWORD = ""
60+ style : secondary
61+ start : 0
62+ end : 19
63+ - source : webrepl.start(password=EMPTY_PASSWORD)
64+ style : secondary
65+ start : 20
66+ end : 58
67+ ? |
68+ webrepl.start(password="")
69+ : labels :
70+ - source : webrepl.start(password="")
71+ style : primary
72+ start : 0
73+ end : 26
74+ - source : webrepl
75+ style : secondary
76+ start : 0
77+ end : 7
78+ - source : start
79+ style : secondary
80+ start : 8
81+ end : 13
82+ - source : webrepl.start
83+ style : secondary
84+ start : 0
85+ end : 13
86+ - source : password
87+ style : secondary
88+ start : 14
89+ end : 22
90+ - source : ' "'
91+ style : secondary
92+ start : 23
93+ end : 24
94+ - source : ' "'
95+ style : secondary
96+ start : 24
97+ end : 25
98+ - source : ' ""'
99+ style : secondary
100+ start : 23
101+ end : 25
102+ - source : password=""
103+ style : secondary
104+ start : 14
105+ end : 25
106+ - source : (password="")
107+ style : secondary
108+ start : 13
109+ end : 26
110+ - source : webrepl.start(password="")
111+ style : secondary
112+ start : 0
113+ end : 26
Original file line number Diff line number Diff line change 1+ id : python-webrepl-empty-password-python
2+ valid :
3+ - |
4+ SECURE_PASSWORD_CONFIG = {"password": os.getenv("SECURE_PASSWORD")}
5+ webrepl.start(password=SECURE_PASSWORD_CONFIG["password"])
6+ invalid :
7+ - |
8+ webrepl.start(password="")
9+ |
10+ EMPTY_PASSWORD = ""
11+ webrepl.start(password=EMPTY_PASSWORD)
You can’t perform that action at this time.
0 commit comments