
Commit 2c7b952

author
Sakshis
committed
python-couchbase-hardcoded-secret-python
1 parent 714434c commit 2c7b952

File tree

3 files changed

+208
-0
lines changed

Lines changed: 90 additions & 0 deletions
@@ -0,0 +1,90 @@
1+
id: python-couchbase-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
6+
note: >-
7+
[CWE-798]: Use of Hard-coded Credentials
8+
[A07:2021]: Identification and Authentication Failures
9+
[REFERENCES]
10+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
11+
12+
rule:
13+
any:
14+
- kind: call
15+
has:
16+
kind: identifier
17+
regex: ^PasswordAuthenticator$
18+
precedes:
19+
kind: argument_list
20+
has:
21+
nthChild: 2
22+
kind: string
23+
all:
24+
- has:
25+
nthChild: 1
26+
kind: string_start
27+
- has:
28+
kind: string_content
29+
nthChild: 2
30+
- has:
31+
kind: string_end
32+
nthChild: 3
33+
inside:
34+
stopBy: end
35+
follows:
36+
stopBy: end
37+
kind: import_from_statement
38+
all:
39+
- has:
40+
nthChild: 1
41+
kind: dotted_name
42+
field: module_name
43+
regex: ^couchbase_core.cluster$
44+
- has:
45+
stopBy: end
46+
kind: dotted_name
47+
regex: ^PasswordAuthenticator$
48+
- kind: call
49+
has:
50+
kind: identifier
51+
pattern: $ALIAS
52+
precedes:
53+
kind: argument_list
54+
has:
55+
nthChild: 2
56+
kind: string
57+
all:
58+
- has:
59+
nthChild: 1
60+
kind: string_start
61+
- has:
62+
kind: string_content
63+
nthChild: 2
64+
- has:
65+
kind: string_end
66+
nthChild: 3
67+
inside:
68+
stopBy: end
69+
follows:
70+
stopBy: end
71+
kind: import_from_statement
72+
all:
73+
- has:
74+
nthChild: 1
75+
kind: dotted_name
76+
field: module_name
77+
regex: ^couchbase_core.cluster$
78+
- has:
79+
stopBy: end
80+
kind: aliased_import
81+
all:
82+
- has:
83+
kind: dotted_name
84+
nthChild: 1
85+
regex: ^PasswordAuthenticator$
86+
- has:
87+
kind: identifier
88+
field: alias
89+
nthChild: 2
90+
pattern: $ALIAS
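Review bot: the module regex `^couchbase_core.cluster$` (used in both `any` branches) leaves the dot unescaped, so it also matches any single character in that position; write it as `^couchbase_core\.cluster$`. Separately, both branches match only when the `string` node is the 2nd named child of the `argument_list`, i.e. a positional literal: `PasswordAuthenticator('username', password='password')` and a literal first assigned to a variable and then passed in are not flagged. Either document that as a known limitation or add a branch for the `keyword_argument` form, and in any case pin the behaviour down with test cases in the `valid`/`invalid` file.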
Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,106 @@
1+
id: python-couchbase-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
from couchbase_core.cluster import PasswordAuthenticator
5+
cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', 'password')))
6+
: labels:
7+
- source: PasswordAuthenticator('username', 'password')
8+
style: primary
9+
start: 115
10+
end: 160
11+
- source: couchbase_core.cluster
12+
style: secondary
13+
start: 5
14+
end: 27
15+
- source: PasswordAuthenticator
16+
style: secondary
17+
start: 35
18+
end: 56
19+
- source: from couchbase_core.cluster import PasswordAuthenticator
20+
style: secondary
21+
start: 0
22+
end: 56
23+
- source: from couchbase_core.cluster import PasswordAuthenticator
24+
style: secondary
25+
start: 0
26+
end: 56
27+
- source: ''''
28+
style: secondary
29+
start: 149
30+
end: 150
31+
- source: password
32+
style: secondary
33+
start: 150
34+
end: 158
35+
- source: ''''
36+
style: secondary
37+
start: 158
38+
end: 159
39+
- source: '''password'''
40+
style: secondary
41+
start: 149
42+
end: 159
43+
- source: ('username', 'password')
44+
style: secondary
45+
start: 136
46+
end: 160
47+
- source: PasswordAuthenticator
48+
style: secondary
49+
start: 115
50+
end: 136
51+
? |
52+
from couchbase_core.cluster import PasswordAuthenticator as abc
53+
cluster = Cluster('couchbase://localhost', ClusterOptions(abc('username', 'password')))
54+
: labels:
55+
- source: abc('username', 'password')
56+
style: primary
57+
start: 122
58+
end: 149
59+
- source: couchbase_core.cluster
60+
style: secondary
61+
start: 5
62+
end: 27
63+
- source: PasswordAuthenticator
64+
style: secondary
65+
start: 35
66+
end: 56
67+
- source: abc
68+
style: secondary
69+
start: 60
70+
end: 63
71+
- source: PasswordAuthenticator as abc
72+
style: secondary
73+
start: 35
74+
end: 63
75+
- source: from couchbase_core.cluster import PasswordAuthenticator as abc
76+
style: secondary
77+
start: 0
78+
end: 63
79+
- source: from couchbase_core.cluster import PasswordAuthenticator as abc
80+
style: secondary
81+
start: 0
82+
end: 63
83+
- source: ''''
84+
style: secondary
85+
start: 138
86+
end: 139
87+
- source: password
88+
style: secondary
89+
start: 139
90+
end: 147
91+
- source: ''''
92+
style: secondary
93+
start: 147
94+
end: 148
95+
- source: '''password'''
96+
style: secondary
97+
start: 138
98+
end: 148
99+
- source: ('username', 'password')
100+
style: secondary
101+
start: 125
102+
end: 149
103+
- source: abc
104+
style: secondary
105+
start: 122
106+
end: 125
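Review bot: both `labels` lists contain exact duplicate entries (the `from couchbase_core.cluster import PasswordAuthenticator` label at start 0 / end 56 appears twice, as does its aliased counterpart at start 0 / end 63), which is what ast-grep emits when the `inside` and `follows` constraints both match the same import statement. That is harmless in a generated snapshot, but it means this file should be regenerated with `ast-grep test --update-all` after any rule change rather than edited by hand, otherwise the offsets (`start`/`end`) silently drift from the rule's actual matches.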
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
id: python-couchbase-hardcoded-secret-python
2+
valid:
3+
- |
4+
from couchbase_core.cluster import PasswordAuthenticator
5+
cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', get_pass())))
6+
invalid:
7+
- |
8+
from couchbase_core.cluster import PasswordAuthenticator
9+
cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', 'password')))
10+
- |
11+
from couchbase_core.cluster import PasswordAuthenticator as abc
12+
cluster = Cluster('couchbase://localhost', ClusterOptions(abc('username', 'password')))
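Review bot: the `valid` list has a single case, so neither the import constraint nor the string-literal requirement is exercised negatively. Consider adding: a call where the password comes from a variable or `os.environ[...]`; an unaliased `PasswordAuthenticator('username', 'password')` with no `couchbase_core.cluster` import, to confirm the `follows` constraint is actually doing work; and `PasswordAuthenticator('username', password='password')` under whichever of `valid`/`invalid` is intended, since the rule as written does not match it (it requires the literal as the second positional child of `argument_list`).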
