Commit 2467d76

Author: Sakshis
Commit message: python-mysql-hardcoded-secret-python
1 parent e637b6a commit 2467d76

3 files changed

+222
-0
lines changed

Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,94 @@
1+
id: python-mysql-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
6+
note: >-
7+
[CWE-798]: Use of Hard-coded Credentials
8+
[A07:2021]: Identification and Authentication Failures
9+
[REFERENCES]
10+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
11+
12+
rule:
13+
any:
14+
- kind: call
15+
has:
16+
kind: attribute
17+
field: function
18+
regex: ^mysql.connector.connect$
19+
precedes:
20+
kind: argument_list
21+
has:
22+
kind: keyword_argument
23+
all:
24+
- has:
25+
kind: identifier
26+
nthChild: 1
27+
regex: ^(password|passwd)$
28+
- has:
29+
kind: string
30+
nthChild: 2
31+
all:
32+
- has:
33+
kind: string_start
34+
nthChild: 1
35+
- has:
36+
kind: string_content
37+
nthChild: 2
38+
- has:
39+
kind: string_end
40+
nthChild: 3
41+
inside:
42+
stopBy: end
43+
follows:
44+
stopBy: end
45+
kind: import_statement
46+
has:
47+
kind: dotted_name
48+
nthChild: 1
49+
regex: ^mysql.connector$
50+
- kind: call
51+
has:
52+
kind: attribute
53+
field: function
54+
pattern: $CONNECTOR_ALIAS.connect
55+
precedes:
56+
kind: argument_list
57+
has:
58+
kind: keyword_argument
59+
all:
60+
- has:
61+
kind: identifier
62+
nthChild: 1
63+
regex: ^(password|passwd)$
64+
- has:
65+
kind: string
66+
nthChild: 2
67+
all:
68+
- has:
69+
kind: string_start
70+
nthChild: 1
71+
- has:
72+
kind: string_content
73+
nthChild: 2
74+
- has:
75+
kind: string_end
76+
nthChild: 3
77+
inside:
78+
stopBy: end
79+
follows:
80+
stopBy: end
81+
kind: import_statement
82+
has:
83+
kind: aliased_import
84+
nthChild: 1
85+
all:
86+
- has:
87+
kind: dotted_name
88+
nthChild: 1
89+
regex: ^mysql.connector$
90+
- has:
91+
kind: identifier
92+
field: alias
93+
nthChild: 2
94+
pattern: $CONNECTOR_ALIAS
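Review bot: the two `regex` anchors in this hunk, `^mysql.connector.connect$` and `^mysql.connector$`, leave the dots unescaped, so `.` matches any character and a module named e.g. `mysqlXconnector` would satisfy the import check as well; escape them as `^mysql\.connector\.connect$` and `^mysql\.connector$`. The rule also recognises only the two `import_statement` forms shown (a plain `dotted_name` and an `aliased_import`), so `from mysql.connector import connect` followed by `connect(passwd="...")`, or `from mysql import connector` followed by `connector.connect(passwd="...")`, is never flagged: the call's function node is not an `attribute` in the first case, and the `follows` clause never sees an `import_from_statement` in either. A third `any` branch keyed on `import_from_statement` would close that gap and deserves matching snapshot and test cases. The string sub-rule requiring a `string_content` child at `nthChild: 2` is what lets an empty `passwd=""` pass as valid; that is reasonable, but a short comment in the rule would stop a later editor from "fixing" it.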
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
id: python-mysql-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
import mysql.connector
5+
conn = mysql.connector.connect(username="abcz", passwd="abc")
6+
: labels:
7+
- source: mysql.connector.connect(username="abcz", passwd="abc")
8+
style: primary
9+
start: 30
10+
end: 84
11+
- source: mysql.connector
12+
style: secondary
13+
start: 7
14+
end: 22
15+
- source: import mysql.connector
16+
style: secondary
17+
start: 0
18+
end: 22
19+
- source: import mysql.connector
20+
style: secondary
21+
start: 0
22+
end: 22
23+
- source: passwd
24+
style: secondary
25+
start: 71
26+
end: 77
27+
- source: '"'
28+
style: secondary
29+
start: 78
30+
end: 79
31+
- source: abc
32+
style: secondary
33+
start: 79
34+
end: 82
35+
- source: '"'
36+
style: secondary
37+
start: 82
38+
end: 83
39+
- source: '"abc"'
40+
style: secondary
41+
start: 78
42+
end: 83
43+
- source: passwd="abc"
44+
style: secondary
45+
start: 71
46+
end: 83
47+
- source: (username="abcz", passwd="abc")
48+
style: secondary
49+
start: 53
50+
end: 84
51+
- source: mysql.connector.connect
52+
style: secondary
53+
start: 30
54+
end: 53
55+
? |
56+
import mysql.connector as mysql123
57+
def my_function():
58+
mysql123.connect(host="localhost",user="root",passwd="abc",database="aaa")
59+
: labels:
60+
- source: mysql123.connect(host="localhost",user="root",passwd="abc",database="aaa")
61+
style: primary
62+
start: 56
63+
end: 130
64+
- source: mysql.connector
65+
style: secondary
66+
start: 7
67+
end: 22
68+
- source: mysql123
69+
style: secondary
70+
start: 26
71+
end: 34
72+
- source: mysql.connector as mysql123
73+
style: secondary
74+
start: 7
75+
end: 34
76+
- source: import mysql.connector as mysql123
77+
style: secondary
78+
start: 0
79+
end: 34
80+
- source: import mysql.connector as mysql123
81+
style: secondary
82+
start: 0
83+
end: 34
84+
- source: passwd
85+
style: secondary
86+
start: 102
87+
end: 108
88+
- source: '"'
89+
style: secondary
90+
start: 109
91+
end: 110
92+
- source: abc
93+
style: secondary
94+
start: 110
95+
end: 113
96+
- source: '"'
97+
style: secondary
98+
start: 113
99+
end: 114
100+
- source: '"abc"'
101+
style: secondary
102+
start: 109
103+
end: 114
104+
- source: passwd="abc"
105+
style: secondary
106+
start: 102
107+
end: 114
108+
- source: (host="localhost",user="root",passwd="abc",database="aaa")
109+
style: secondary
110+
start: 72
111+
end: 130
112+
- source: mysql123.connect
113+
style: secondary
114+
start: 56
115+
end: 72
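Review bot: the label list repeats `import mysql.connector` (start 0, end 22) twice in the first snapshot and `import mysql.connector as mysql123` (start 0, end 34) twice in the second; both come from the rule's `inside` and `follows` relations resolving to the same `import_statement`, so this is a harmless artefact of snapshot generation rather than a bug, but the file should be regenerated by the tool rather than hand-edited whenever the rule changes. In the second snapshot the body of `def my_function():` has lost its indentation in this rendering; the committed YAML must keep a two-space indent before `mysql123.connect(...)`, because `start: 56` only holds as 34 (import line) + 1 (newline) + 18 (def line) + 1 (newline) + 2 (indent), and `mysql123.connect` at 56..72 and the argument list at 72..130 are consistent with exactly that.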
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: python-mysql-hardcoded-secret-python
2+
valid:
3+
- |
4+
import mysql.connector
5+
conn = mysql.connector.connect(username="abcz", passwd="")
6+
invalid:
7+
- |
8+
import mysql.connector
9+
conn = mysql.connector.connect(username="abcz", passwd="abc")
10+
- |
11+
import mysql.connector as mysql123
12+
def my_function():
13+
mysql123.connect(host="localhost",user="root",passwd="abc",database="aaa")
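Review bot: the only `valid` case is `passwd=""`, which passes because an empty literal has no `string_content` node, not because the credential is safely sourced; add a valid case that exercises the remediation the rule message recommends, for example `passwd=os.environ["DB_PASSWORD"]` (with the matching `import os`), so a regression that starts flagging non-literal values is caught. Both `invalid` cases use `passwd=`, so the `password` alternative of `^(password|passwd)$` is never exercised; add an invalid case with `password="abc"` as well. If the rule is later extended to cover `import_from_statement`, the corresponding `from mysql.connector import connect` case belongs in `invalid` here too.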