
Commit 2ab03ac

ESS-ENNSakshis
and
Sakshis
authored
Add security rules for empty and hard-coded OpenAI secrets (#164)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* openai-empty-secret-go
* openai-hardcoded-secret-go

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 7c95a04 commit 2ab03ac

6 files changed, +541 -0 lines changed
Lines changed: 204 additions & 0 deletions
@@ -0,0 +1,204 @@
1+
id: openai-empty-secret-go
2+
language: go
3+
severity: warning
4+
message: >-
5+
The application uses an empty credential. This can lead to unauthorized
6+
access by either an internal or external malicious actor. It is
7+
recommended to rotate the secret and retrieve them from a secure secret
8+
vault or Hardware Security Module (HSM), alternatively environment
9+
variables can be used if allowed by your company policy.
10+
note: >-
11+
[CWE-287] Improper Authentication.
12+
[REFERENCES]
13+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
MATCH_openai.NewClient:
19+
kind: call_expression
20+
all:
21+
- has:
22+
stopBy: neighbor
23+
kind: selector_expression
24+
all:
25+
- has:
26+
stopBy: neighbor
27+
kind: identifier
28+
regex: ^openai$
29+
- has:
30+
stopBy: neighbor
31+
kind: field_identifier
32+
regex: ^NewClient$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
kind: interpreted_string_literal
38+
regex: \s*\"\"\s*
39+
nthChild:
40+
position: 1
41+
ofRule:
42+
not:
43+
kind: comment
44+
not:
45+
has:
46+
nthChild:
47+
position: 2
48+
ofRule:
49+
not:
50+
kind: comment
51+
- any:
52+
- inside:
53+
stopBy: end
54+
follows:
55+
stopBy: end
56+
has:
57+
stopBy: end
58+
kind: import_spec
59+
regex: "github.com/sashabaranov/go-openai"
60+
- follows:
61+
stopBy: end
62+
has:
63+
stopBy: end
64+
kind: import_spec
65+
regex: "github.com/sashabaranov/go-openai"
66+
MATCH_openai.NewClient_instance:
67+
kind: call_expression
68+
all:
69+
- has:
70+
stopBy: neighbor
71+
kind: selector_expression
72+
all:
73+
- has:
74+
stopBy: neighbor
75+
kind: identifier
76+
regex: ^openai$
77+
- has:
78+
stopBy: neighbor
79+
kind: field_identifier
80+
regex: ^NewClient$
81+
- has:
82+
stopBy: neighbor
83+
kind: argument_list
84+
has:
85+
kind: identifier
86+
pattern: $VAR
87+
nthChild:
88+
position: 1
89+
ofRule:
90+
not:
91+
kind: comment
92+
not:
93+
has:
94+
nthChild:
95+
position: 2
96+
ofRule:
97+
not:
98+
kind: comment
99+
- any:
100+
- inside:
101+
stopBy: end
102+
follows:
103+
stopBy: end
104+
has:
105+
stopBy: end
106+
kind: import_spec
107+
regex: "github.com/sashabaranov/go-openai"
108+
- follows:
109+
stopBy: end
110+
has:
111+
stopBy: end
112+
kind: import_spec
113+
regex: "github.com/sashabaranov/go-openai"
114+
- any:
115+
- follows:
116+
stopBy: end
117+
kind: assignment_statement
118+
all:
119+
- has:
120+
kind: expression_list
121+
has:
122+
pattern: $VAR
123+
- has:
124+
kind: expression_list
125+
has:
126+
pattern: $SECRET
127+
- inside:
128+
stopBy: end
129+
follows:
130+
stopBy: end
131+
kind: assignment_statement
132+
all:
133+
- has:
134+
kind: expression_list
135+
has:
136+
pattern: $VAR
137+
- has:
138+
kind: expression_list
139+
has:
140+
pattern: $SECRET
141+
- follows:
142+
kind: const_declaration
143+
all:
144+
- has:
145+
kind: const_spec
146+
has:
147+
pattern: $VAR
148+
- has:
149+
kind: expression_list
150+
has:
151+
pattern: $SECRET
152+
- inside:
153+
stopBy: end
154+
follows:
155+
kind: const_declaration
156+
all:
157+
- has:
158+
kind: const_spec
159+
has:
160+
pattern: $VAR
161+
- has:
162+
kind: expression_list
163+
has:
164+
pattern: $SECRET
165+
- follows:
166+
kind: var_declaration
167+
all:
168+
- has:
169+
kind: var_spec
170+
has:
171+
pattern: $VAR
172+
- has:
173+
kind: expression_list
174+
has:
175+
pattern: $SECRET
176+
- inside:
177+
stopBy: end
178+
follows:
179+
kind: var_declaration
180+
all:
181+
- has:
182+
kind: var_spec
183+
has:
184+
pattern: $VAR
185+
- has:
186+
kind: expression_list
187+
has:
188+
pattern: $SECRET
189+
rule:
190+
kind: call_expression
191+
any:
192+
- matches: MATCH_openai.NewClient
193+
- matches: MATCH_openai.NewClient_instance
194+
not:
195+
all:
196+
- has:
197+
stopBy: end
198+
kind: ERROR
199+
- inside:
200+
stopBy: end
201+
kind: ERROR
202+
constraints:
203+
SECRET:
204+
regex: ^""$
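Review bot: the `const_declaration` and `var_declaration` branches of `MATCH_openai.NewClient_instance` look for `kind: expression_list` as a sibling of the `const_spec` / `var_spec` lookup, but in the Go grammar the value `expression_list` is a child of the spec node rather than of the declaration, so with `has` at its default neighbor depth a declaration such as `const apiKey = ""` may never satisfy the `$SECRET` check; consider moving the `expression_list` / `pattern: $SECRET` lookup inside the `const_spec` / `var_spec` rule, or adding `stopBy: end` to those `has` clauses, and adding a test case for each declaration form. Two smaller points: the literal check in `MATCH_openai.NewClient` uses an unanchored `regex: \s*\"\"\s*` on the `interpreted_string_literal`, which is looser than the `^""$` constraint applied to `$SECRET` at the end of the file, so anchoring it the same way would keep both paths consistent. The commit message also lists removed rules (missing-secure-java, use-of-md5-digest-utils-java, httponly-false-csharp) while the summary shows +541 / -0, so either those removals landed in another commit or the message should be trimmed to what this commit actually changes.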
