python-ldap3-empty-password

ESS-ENN · ganeshpatro321 · commit 29e5c3473397 · 2024-12-16T13:08:28.000+05:30
diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml
@@ -0,0 +1,44 @@
+id: python-ldap3-empty-password
+language: python
+severity: warning
+message: >-
+    The application creates a database connection with an empty password.
+    This can lead to unauthorized access by either an internal or external
+    malicious actor. To prevent this vulnerability, enforce authentication
+    when connecting to a database by using environment variables to securely
+    provide credentials or retrieving them from a secure vault or HSM
+    (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+    match_empty_password:
+        kind: call
+        all:
+            - has:
+                stopBy: end
+                kind: attribute
+            - has:
+                stopBy: end
+                kind: argument_list 
+                all:
+                    - has:
+                        stopBy: end
+                        kind: keyword_argument
+                        all:
+                            - has:
+                               stopBy: end
+                               kind: identifier
+                               regex: '^password$'
+                            - has:
+                                  stopBy: neighbor
+                                  kind: string
+                                  not:
+                                      has:
+                                          stopBy: neighbor
+                                          kind: string_content
+rule:
+    any:
+        - matches: match_empty_password
diff --git a/tests/python/python-ldap3-empty-password-python-test.yml b/tests/python/python-ldap3-empty-password-python-test.yml
@@ -0,0 +1,9 @@
+id: python-ldap3-empty-password
+valid:
+  - |
+    ldap3.Connection(password=a)
+    ldap3.Connection(password=os.env['SECRET'])
+    ldap3.Connection(password=os.getenv('SECRET'))
+invalid:
+  - |
+    ldap3.Connection(password="")
