
Commit 2ca58b6

committed
tokio-postgres-hardcoded-password-rust
1 parent 405df38 commit 2ca58b6

3 files changed

+253
-0
lines changed
Lines changed: 135 additions & 0 deletions
@@ -0,0 +1,135 @@
1+
id: tokio-postgres-hardcoded-password-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. It is
8+
recommended to rotate the secret and retrieve them from a secure secret
9+
vault or Hardware Security Module (HSM), alternatively environment
10+
variables can be used if allowed by your company policy.
11+
note: >-
12+
[CWE-798] Use of Hard-coded Credentials.
13+
[REFERENCES]
14+
- https://docs.rs/tokio-postgres/latest/tokio_postgres/
15+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
16+
utils:
17+
MATCH_PATTERN_WITH_INSTANCE:
18+
kind: call_expression
19+
all:
20+
- has:
21+
stopBy: neighbor
22+
kind: field_expression
23+
all:
24+
- has:
25+
stopBy: neighbor
26+
kind: call_expression
27+
all:
28+
- has:
29+
stopBy: neighbor
30+
kind: field_expression
31+
all:
32+
- has:
33+
stopBy: end
34+
kind: call_expression
35+
all:
36+
- has:
37+
stopBy: neighbor
38+
kind: field_expression
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
kind: identifier
43+
pattern: $C
44+
- has:
45+
stopBy: neighbor
46+
kind: arguments
47+
- has:
48+
stopBy: neighbor
49+
kind: field_identifier
50+
- has:
51+
stopBy: neighbor
52+
kind: arguments
53+
- has:
54+
stopBy: neighbor
55+
kind: field_identifier
56+
regex: "^password$"
57+
- has:
58+
stopBy: neighbor
59+
kind: arguments
60+
has:
61+
stopBy: neighbor
62+
kind: string_literal
63+
has:
64+
stopBy: neighbor
65+
kind: string_content
66+
- inside:
67+
stopBy: end
68+
kind: expression_statement
69+
follows:
70+
stopBy: end
71+
kind: let_declaration
72+
all:
73+
- has:
74+
stopBy: neighbor
75+
kind: identifier
76+
pattern: $C
77+
- has:
78+
stopBy: neighbor
79+
kind: call_expression
80+
pattern: tokio_postgres::Config::new()
81+
82+
MATCH_PATTERN_DIRECTLY:
83+
kind: call_expression
84+
all:
85+
- has:
86+
stopBy: neighbor
87+
kind: field_expression
88+
all:
89+
- has:
90+
stopBy: neighbor
91+
kind: call_expression
92+
all:
93+
- has:
94+
stopBy: neighbor
95+
kind: field_expression
96+
all:
97+
- has:
98+
stopBy: neighbor
99+
kind: call_expression
100+
all:
101+
- has:
102+
stopBy: neighbor
103+
kind: field_expression
104+
has:
105+
stopBy: neighbor
106+
kind: call_expression
107+
pattern: tokio_postgres::Config::new()
108+
- has:
109+
stopBy: neighbor
110+
kind: arguments
111+
- has:
112+
stopBy: neighbor
113+
kind: field_identifier
114+
- has:
115+
stopBy: neighbor
116+
kind: arguments
117+
- has:
118+
stopBy: neighbor
119+
kind: field_identifier
120+
regex: "^password$"
121+
- has:
122+
stopBy: neighbor
123+
kind: arguments
124+
has:
125+
stopBy: neighbor
126+
kind: string_literal
127+
has:
128+
stopBy: neighbor
129+
kind: string_content
130+
131+
rule:
132+
kind: call_expression
133+
any:
134+
- matches: MATCH_PATTERN_WITH_INSTANCE
135+
- matches: MATCH_PATTERN_DIRECTLY
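Review bot: MATCH_PATTERN_DIRECTLY only fires when `.password(...)` is exactly the third builder call after `tokio_postgres::Config::new()`: the `has` chain from the outer call_expression down to the `pattern: tokio_postgres::Config::new()` leaf is fixed at three call/field levels with `stopBy: neighbor`, so `tokio_postgres::Config::new().password("x")` or a chain where `.dbname(..)`/`.port(..)` precede `.password` is not reported even though it is the same CWE-798 finding. Consider anchoring on the `.password` call alone and locating the `Config::new()` receiver anywhere below it, e.g. replacing the nested receiver branch with `- has: {stopBy: end, kind: call_expression, pattern: tokio_postgres::Config::new()}`, and adding invalid tests for those shapes; MATCH_PATTERN_WITH_INSTANCE has the same fixed depth apart from its single `stopBy: end` level. The argument branch also accepts only `string_literal`; if I recall correctly `Config::password` takes `impl AsRef<[u8]>`, so a byte-string literal such as `.password(b"postgres")` is equally hard-coded and would be missed — worth adding that node kind alongside `raw_string_literal`. A short comment above `utils:` stating the intended chain shapes would help the next maintainer understand why two patterns exist.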
Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
id: tokio-postgres-hardcoded-password-rust
2+
snapshots:
3+
? |
4+
async fn test2() -> Result<(), anyhow::Error> {
5+
let (client, connection) = tokio_postgres::Config::new()
6+
.host(shard_host_name.as_str())
7+
.user("postgres")
8+
.password("postgres")
9+
.dbname("moray")
10+
.keepalives_idle(std::time::Duration::from_secs(30))
11+
.connect(NoTls)
12+
.await
13+
.map_err(|e| {
14+
error!(log, "failed to connect to {}: {}", &shard_host_name, e);
15+
Error::new(ErrorKind::Other, e)
16+
})?;
17+
: labels:
18+
- source: |-
19+
tokio_postgres::Config::new()
20+
.host(shard_host_name.as_str())
21+
.user("postgres")
22+
.password("postgres")
23+
style: primary
24+
start: 75
25+
end: 176
26+
- source: tokio_postgres::Config::new()
27+
style: secondary
28+
start: 75
29+
end: 104
30+
- source: |-
31+
tokio_postgres::Config::new()
32+
.host
33+
style: secondary
34+
start: 75
35+
end: 110
36+
- source: (shard_host_name.as_str())
37+
style: secondary
38+
start: 110
39+
end: 136
40+
- source: |-
41+
tokio_postgres::Config::new()
42+
.host(shard_host_name.as_str())
43+
style: secondary
44+
start: 75
45+
end: 136
46+
- source: user
47+
style: secondary
48+
start: 138
49+
end: 142
50+
- source: |-
51+
tokio_postgres::Config::new()
52+
.host(shard_host_name.as_str())
53+
.user
54+
style: secondary
55+
start: 75
56+
end: 142
57+
- source: ("postgres")
58+
style: secondary
59+
start: 142
60+
end: 154
61+
- source: |-
62+
tokio_postgres::Config::new()
63+
.host(shard_host_name.as_str())
64+
.user("postgres")
65+
style: secondary
66+
start: 75
67+
end: 154
68+
- source: password
69+
style: secondary
70+
start: 156
71+
end: 164
72+
- source: |-
73+
tokio_postgres::Config::new()
74+
.host(shard_host_name.as_str())
75+
.user("postgres")
76+
.password
77+
style: secondary
78+
start: 75
79+
end: 164
80+
- source: postgres
81+
style: secondary
82+
start: 166
83+
end: 174
84+
- source: '"postgres"'
85+
style: secondary
86+
start: 165
87+
end: 175
88+
- source: ("postgres")
89+
style: secondary
90+
start: 164
91+
end: 176
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
id: tokio-postgres-hardcoded-password-rust
2+
valid:
3+
- |
4+
async fn test1() -> Result<(), anyhow::Error> {
5+
let mut config = tokio_postgres::Config::new();
6+
config
7+
.host(std::env::var("HOST").expect("set HOST"))
8+
.user(std::env::var("USER").expect("set USER"))
9+
.password("")
10+
.port(std::env::var("PORT").expect("set PORT"));
11+
Ok(())
12+
}
13+
invalid:
14+
- |
15+
async fn test2() -> Result<(), anyhow::Error> {
16+
let (client, connection) = tokio_postgres::Config::new()
17+
.host(shard_host_name.as_str())
18+
.user("postgres")
19+
.password("postgres")
20+
.dbname("moray")
21+
.keepalives_idle(std::time::Duration::from_secs(30))
22+
.connect(NoTls)
23+
.await
24+
.map_err(|e| {
25+
error!(log, "failed to connect to {}: {}", &shard_host_name, e);
26+
Error::new(ErrorKind::Other, e)
27+
})?;
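Review bot: The `valid` case at `.password("")` appears to pass only because an empty string literal has no `string_content` child for the rule to match, which is an implicit contract with the rule rather than a deliberate allow-list, and an empty hard-coded password is itself a questionable credential; a comment such as `# empty literal has no string_content node, so the rule stays silent — revisit if empty passwords should be reported` would make that intent explicit. The single `invalid` snippet exercises only one chain shape (`host`, `user`, `password` in that order directly on `Config::new()`), so a regression in the instance form (`let mut config = tokio_postgres::Config::new(); config.host(h).user(u).password("postgres");`) or in other call orders would go unnoticed; one invalid snippet per shape would pin the rule's coverage. Note the `test2` body in the `invalid` snippet is not closed with `}`, so the test relies on the parser's error recovery.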
